Bhima Koregaon: Forensic Report Finds Malware Use to Plant Evidence Against Jailed Activists

New Delhi: In a damning new report, a US-based digital forensics firm has found that “incriminating” evidence using malware was planted in a laptop of activist Rona Wilson by the police probing the Bhima Koregaon case. Wilson is among a group of 15 activists, lawyers and academics, who have been jailed in Maharashtra after being accused of having ‘Maoist’ links, following the violence that took place on January 1, 2018 and an alleged plot to assassinate prime minister Narendra Modi.

Citing the report by Arsenal Consulting, the Washington Post said the US forensic firm “found that an attacker used malware to infiltrate a laptop belonging to activist Rona Wilson before his arrest and deposited at least 10 incriminating letters on his computer,” reports Scroll-in.

It is these letters that the Pune Police used as its primary evidence in the chargesheet they filed in the Bhima Koregaon case.

Incidentally, the Bhima Koregaon case,  was taken over from the Pune Police and handed over to the central National Investigation Agency or NIA in January last year after the Bharatiya Janata Party  (BJP) lost the Maharashtra Assembly polls. BJP is ruling the central government and the NIA falls under the Ministry of Home Affairs, headed by minister Amit Shah.

 Read Also: Centre-State Fireworks in Offing After NIA Takes Over Bhima Koregaon Case

“The report also found that among these 10 letters was one that the police claimed Wilson had written to a Maoist militant, discussing the need for guns and ammunition as part of an intricate Maoist conspiracy, and even urging the banned group to assassinate Prime Minister Narendra Modi. The report found the letters had been planted in a hidden folder on Wilson’s laptop,” said the Scroll report.

After the US firm’s report was made public by the Washington Post,  Wilson’s lawyer Sudeep Pasbola filed a petition in the Bombay High Court on Wednesday seeking dismissal of the case against him, according to an ANI report.

Pasbola has attached the report by Massachusetts-based forensic firm Arsenal Digital, which was approached by him to examine the electronic copy of his client's laptop, said ANI.

However, the forensic report did not identify the perpetrator of the hacker, but noted that Wilson was not the only victim.

“The same attacker deployed some of the same servers and IP addresses to target other accused in the case over a period of four years, it stated. The accused in other “high-profile Indian cases” were also targeted, the report said.

Modus Operandi

Raising serious questions over the “fairness” of the probe, the US forensic report also mentions that Wilson’s laptop was compromised “for just over 22 months”, adding that the hackers’ primary goals were “surveillance and incriminating document delivery”.

“This is one of the most serious cases involving evidence tampering that Arsenal has ever encountered,” the report said, citing the vast time span between the time the laptop was first compromised and the moment the attacker planted the last incriminating document, reports Scroll.in.

According to the Arsenal report, Wilson’s laptop was compromised in June 2016, after a series of suspicious emails from someone using 80-year-old poet-activist and co-accused Varavara Rao’s account.

“During the course of the conversation, the person using Rao’s account made multiple attempts to get Wilson to open a particular document, which was a link to download a statement from a civil liberties group,” said the report.

When Wilson complied, the link deployed NetWire, a commercially available form of malware that allowed a hacker to access Wilson’s device, the report said.

NetWire malware can easily be procured for $10 and the Netherlands-based company also provides an easy guide to use the malware, said the report.

According to the Washington Post, Arsenal discovered records of the malware logging Wilson’s keystrokes, passwords and browsing activity, and also recovered file system information showing the attacker creating the hidden folder to which at least 10 incriminating letters were planted.

These letters were created using a newer version of Microsoft Word that did not exist on Wilson’s computer, the forensic report said.

Arsenal report said it also found no evidence that the documents or the hidden folder were ever opened.

Commenting on the Bhima Koregaon report, Mark Spencer, the Arsenal President, tweeted: “My team has worked relentlessly on the massive volume of electronic data provided to us in the Bhima Koregaon case, and I believe we have set an extremely high bar for the practice of digital forensics in the future...”

A brief statement from Arsenal President Mark Spencer regarding Report I in the Bhima Koregaon case. #DFIR pic.twitter.com/UHiSK2YYXm

— Arsenal Consulting (@ArsenalArmed) February 10, 2021

As per a report in TheWire, Spencer said they had been approached by Wilson’s defence team to the examine the electronic evidence on July 31, 2020.

 “The attacker responsible for compromising Wilson’s laptop had extensive resources including time and it is obvious that their primary goals were surveillance and incriminating document delivery,” the report concludes.

Government sources, however, denied the Washington Post report that evidence was “planted”.

An NIA official told Times of India that the report of Arsenal Consulting was as “attempt to tarnish the investigation and the evidence collected.” He stated that there was nothing to suggest in the Pune FSL report that evidence was planted or the accused Rona Wilson’s device was “compromised.”

Read Also:Bhima Koregaon: NIA Files Charge-Sheet Against Eight Including Stan Swamy, Gautam Navlakha

The Bhima Koregaon case, as per NIA, relates to the accused “inciting people and giving provocative speeches” during an Elgar Parishad event organised by the Kabir Kala Manch at Shaniwarwada in Pune on December 31, 2017, which the NIA claims “promoted enmity between various caste groups and led to violence resulting in loss of life and property and state-wide agitation in Maharashtra”.

Among the activists arrested, jailed and denied bail are lawyer Sudha Bharadwaj, poet-activist Varavara Rao, Sudhir Dhawale, Rona Wilson, Surendra Gadling, Shoma Sen, Mahesh Raut, Arun Fereira, Vernon Gonsalves, Hany Babu, Stan Swamy, Anand Teltumbde, Gautam Navlakha.