Hackers planted files to target Indian priest who died in custody

According to Arsenal, Swamy never touched the files himself. After his devices were seized by the Pune City Police, these files were among the digital evidence used to charge him and the other Bhima Koregaon 16 accused with terrorism, as well as inciting a riot in 2018 that led to two deaths.
All of Arsenal’s findings, the firm notes, are consistent with the previous cases of evidence fabrication, apparently carried out by the same hackers, that targeted the two defendants’ machines that Arsenal previously investigated. “Arsenal have effectively caught the striker red-handed (yet again),” the report added.
On Swamy’s computer, however, Arsenal also found something new: The hackers appear to have begun what Arsenal calls “antiforensics” — a cleanup operation — on June 11, 2019, deleting files that revealed access to Swamy’s machine in an apparent attempt to cover their tracks, just a day before the Pune police seized Swamy’s computer on June 12 that year. Arsenal describes that attempt at anti-forensics as “both unique and extremely suspicious given the computer’s impending seizure.”
In other words, the hackers wanted to plant fake evidence that could be revealed to incriminate Swamy while deleting actual evidence of their fabrications that could be discovered in legal proceedings, says Tom Hegel, a researcher for security firm Sentinel One. (Hegel and his colleague Juan Andres Guerrero-Saade published their own findings on the Bhima Koregaon hacking cases this year.) Hegel argues the timing of the deletion, which he says shows sloppy urgency, suggests the hackers somehow knew the seizure of Swamy’s devices was coming, and after five years of stealthily accessing his computer, they attempted to erase their fingerprints. “The timing and the hasty clean-up effort is, in my opinion, clear evidence of collusion between the police unit and the attackers at the time,” Hegel says.
This cleanup is one of several signs that the hackers who targeted members of the Bhima Koregaon 16 may well have been working in tandem with the Pune City Police who arrested many of the accused. Last June, Hegel and Guerrero-Saade revealed to WIRED that a Pune City Police officer appears to have added his own email address and phone number to several of the defendants’ hacked email accounts, in some cases months before they were arrested, apparently as a crude backup mechanism to try to maintain access to their accounts. “There is a demonstrable connection between the people who arrested these people and the people who planted the evidence,” Guerrero-Saade told WIRED at the time.
Pune City police officials declined to respond to WIRED’s request for comment, both in June and in response to the new Arsenal findings.
Of the 16 Bhima Koregaon accused, 11 remain in jail. Three have been released on bail, and one has been placed under house arrest. But the case of Stan Swamy, the oldest of the defendants and the only one to die in custody, has perhaps grabbed the biggest spotlight: Human rights organizations and the US State Department have spoken out against Swamy’s imprisonment, and he was posthumously awarded the Martin Ennals Award, sometimes described as the Nobel Prize for human rights defenders.
But Swamy was far from the only person these hackers targeted. Based on the details of the malware and hacking infrastructure described in Arsenal’s report, Hegel says the hackers who broke into Swamy’s computer, as well as those of the other two Bhima Koregaon defendants, are part of the group Sentinel One calls “Modified Elephant.” Hegel and Guerrero-Saade analyzed the group’s code and command-and-control servers in a report they published in February that linked Modified Elephant to the targeting of hundreds of activists, journalists and academics since as early as 2012.
“The links back to Modified Elephant are extremely obvious and verifiable,” says Hegel. “It is another confirmation, at least from the evidence we have so far, that the accused in the Bhima Koregaon case have been charged.” And it’s becoming harder than ever to deny that the hackers who did that framing were in cahoots with the very authorities who sentenced Stan Swamy to spend the last months of his life in a prison cell.