Indian Cops in Cahoots With Hackers Who Planted Evidence on Arrested Activists’ Computers, Researchers Say

Photo: DIBYANGSHU SARKAR / AFP, Getty Images

A police unit in Pune, India has its fingerprints all over a hacking campaign that planted fabricated documents on political activists’ computers, then used the forged evidence as a justification to arrest them and charge them with crimes, according to cybersecurity research set to be presented in August and first reported by Wired.

The bizarre episode revolves around the “Bhima Koregaon 16” — a group of leftist activists in India who were arrested by Pune police in 2018 and charged with conspiring to overthrow the national government. Police said that the “16” had been responsible for inciting violence at an annual celebration of the Battle of Bhima Koregaon, a historical episode commemorated each year in the nation’s Maharashtra region. That year, a violent brawl at the gathering killed two people and injured 35. Among the 16 who were arrested and charged in connection with the violence was Rona Wilson, an activist and academic, who was taken into custody and charged under an anti-terrorism law.

“We’ve known things have been planted, but the police could have always said, ‘we are not involved in all this,’” Mihir Desai, the attorney for several of the accused men, told Wired. “By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing fully well this was false evidence.” Desai said he would have to independently corroborate the findings against the police, but called the newly presented evidence “very damning.”

Authorities alleged that Wilson and his colleagues hadn’t just been responsible for riling up the crowd, but had also been planning to engage in seditious activities, including the assassination of India’s prime minister, Narendra Modi. To back up these claims, the Pune cops furnished supposed digital evidence that had been extracted from Wilson’s laptop. The evidence included a Word document that seemed to detail the assassination plot, along with other documents that tied the activists to supposed terrorist activities.

There was just one problem, however: analysis conducted by Arsenal Consulting, a digital forensics firm based in Denver, concluded that the document was a fake. Indeed, researchers said that Wilson and his so-called co-conspirators had all been the targets of a sophisticated hacking campaign. The document that seemed to detail the assassination plot was one of 32 files that had actually been planted on Wilson’s laptop using malware known as Netwire, the analysis showed. One of the researchers’ most concrete findings was that the file containing the plot had been made with a version of Microsoft Word that had never even been installed on Wilson’s computer.

Additional analysis provided by cybersecurity firm SentinelOne showed that the digital intrusion that put the phony documents on Wilson’s computer was the work of a hacker group dubbed “Modified Elephant.” The collective had not only targeted Wilson and other members of the 16 but had also spent nearly a decade hacking into a broad variety of people’s computers, occasionally planting evidence of criminal activity on their hardware, SentinelOne concluded. Analysis by Arsenal supported the finding.

According to Wired’s new report, the very police unit that arrested Wilson and his fellow activists, the Pune City Police, is strongly linked to the hacking campaign that put the fabricated documents on his laptop. New analysis conducted by researchers from a number of organisations, including SentinelOne and Citizen Lab, a cybersecurity research unit at the University of Toronto, has found digital traces that link the police agency to the hacking campaign. Among the clues, researchers discovered that in at least three of the hacking cases — including the one involving Wilson — the cybercriminal added a new recovery email and phone number to the victim’s hacked email account, apparently as a mechanism to regain control of the account if the password were ever changed. Inspection of those backup emails reportedly found that they all included the full name of a Pune police official who played a large role in the Bhima Koregaon 16 case.

If the idea of police agencies using cybercrime to frame and ensnare innocent people doesn’t freak you out, it definitely should. We’ve all heard of “dirty” cops planting drugs or weapons on suspects to justify arrests. The fact that this can now apparently be replicated in cyberspace puts us in bold, creepy new territory.

We reached out to the Pune City Police via direct message and will update this story if they respond.