In India, the police hacked activists to frame them

Police forces around the world are increasingly using hacking tools to identify and monitor protesters, to expose the secrets of political dissidents, and to turn activists' computers and phones into wiretapping bugs. Now, new clues in a case in India link law enforcement to a hacking campaign that has taken the use of these tools to a disturbing new level: planting fake incriminating files on the computers of certain targets, which the same police then used as evidence to arrest and imprison them.

More than a year ago, forensic analysts revealed that unidentified attackers had planted false evidence on the computers of at least two activists arrested in the Indian city of Pune in 2018; the two are still in prison and, along with 13 other people, must defend themselves against terrorism charges. Researchers from the security firm SentinelOne and the non-profit organizations Citizen Lab and Amnesty International later linked the forged evidence to a broader hacking operation that targeted hundreds of people over nearly a decade, using phishing emails to infect target computers with spyware, and smartphone hacking tools sold by the Israeli company NSO Group. Now SentinelOne researchers say they have discovered links between the attackers and an Indian government agency: the same Pune police force that arrested several of the activists on the basis of the fabricated evidence.

"There is a demonstrable link between who arrested these people and who placed the evidence," explains Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, together with his colleague Tom Hegel, will present the findings at the Black Hat security conference in August. "This goes beyond ethical compromise and cruelty. We are trying to provide as much data as possible in hopes of helping victims."

Falsified evidence

SentinelOne's new findings linking the Pune city police to the long-running hacking campaign, which the company dubbed ModifiedElephant, focus on two targets of the intrusions: Rona Wilson and Varavara Rao. Both are activists and human rights defenders who were jailed in 2018 as members of the group known as the Bhima Koregaon 16, named after the village where violence between Hindus and Dalits (once known as "untouchables") took place earlier that year. One of the 16 defendants, the 84-year-old Jesuit priest Stan Swamy, died in prison last year after contracting Covid-19. Rao, who is 81 and in poor health, was released on medical bail that expires next month. Of the other 14 defendants, only one has been granted bail.

Early last year, Arsenal Consulting, a company that offers digital forensic services and works on behalf of defendants, analyzed the contents of the laptops of Wilson and another defendant, the human rights lawyer Surendra Gadling. Arsenal's analysts found that evidence had clearly been planted on both computers. In Wilson's case, the attackers used malware known as NetWire to add 32 files to a folder on his computer's hard drive, including a letter in which Wilson appeared to conspire with an outlawed Maoist group to assassinate Indian Prime Minister Narendra Modi. The letter had in fact been created with a version of Microsoft Word that Wilson had never used and that had never been installed on his computer. Arsenal also found that Wilson's computer was infected with NetWire after the activist opened an attachment sent from Varavara Rao's email account, which the attackers had themselves compromised. "This is one of the most serious cases of evidence tampering that Arsenal has ever encountered," wrote company president Mark Spencer in his report for the Indian court.
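The Word-version mismatch Arsenal reported is a check any examiner can reproduce from a document's own OOXML metadata (docProps/app.xml and docProps/core.xml) compared against an inventory of what was actually installed on the seized machine. The script below is an added illustration, not Arsenal's tooling or anything from the case file: the .docx is constructed in memory so it runs offline, and WORD_MAJORS_ON_DISK and KNOWN_USERS are hypothetical inventories that in practice you would extract from the disk image (for example from Office binaries and user profiles found on it).

```python
"""Check a .docx file's embedded application metadata against what was actually
installed on the examined machine.

Added example; not Arsenal Consulting's tooling. The document built below is
constructed in memory so the script runs offline; the inventory constants are
hypothetical and would normally come from the disk image under examination.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_DCTERMS = "http://purl.org/dc/terms/"

# AppVersion major number as written by Word: 12 = Word 2007, 14 = Word 2010,
# 15 = Word 2013, 16 = Word 2016 and later.
WORD_MAJOR_TO_PRODUCT = {"12": "Word 2007", "14": "Word 2010", "15": "Word 2013", "16": "Word 2016+"}

# Hypothetical host inventory (constructed): only Word 2010 installed, one user profile.
WORD_MAJORS_ON_DISK = {"14"}
KNOWN_USERS = {"owner"}


def build_docx(app_version, creator, last_modified_by, created, modified):
    """Construct a minimal OOXML package containing only the parts the check reads."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS_APP}"><Application>Microsoft Office Word</Application>'
        f'<AppVersion>{app_version}</AppVersion></Properties>'
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}" xmlns:dcterms="{NS_DCTERMS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/app.xml", app_xml)
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def read_metadata(docx_bytes):
    """Pull the authoring application, version, authors and timestamps out of the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        app = ET.fromstring(z.read("docProps/app.xml"))
        core = ET.fromstring(z.read("docProps/core.xml"))

    def text(root, tag):
        el = root.find(tag)
        return el.text if el is not None else None

    return {
        "application": text(app, f"{{{NS_APP}}}Application"),
        "app_version": text(app, f"{{{NS_APP}}}AppVersion"),
        "creator": text(core, f"{{{NS_DC}}}creator"),
        "last_modified_by": text(core, f"{{{NS_CP}}}lastModifiedBy"),
        "created": text(core, f"{{{NS_DCTERMS}}}created"),
        "modified": text(core, f"{{{NS_DCTERMS}}}modified"),
    }


def find_inconsistencies(meta, installed_majors, known_users):
    """Return findings that contradict the host inventory; an empty list means none."""
    findings = []
    major = (meta["app_version"] or "").split(".")[0]
    if major and major not in installed_majors:
        product = WORD_MAJOR_TO_PRODUCT.get(major, f"Word (AppVersion {meta['app_version']})")
        findings.append(f"authored with {product}, which was never installed on the examined system")
    for field in ("creator", "last_modified_by"):
        if meta[field] and meta[field] not in known_users:
            findings.append(f"{field} '{meta[field]}' matches no user profile on the system")
    # W3CDTF timestamps in the same format compare correctly as strings.
    if meta["created"] and meta["modified"] and meta["modified"] < meta["created"]:
        findings.append("modified timestamp precedes created timestamp")
    return findings


if __name__ == "__main__":
    suspect = build_docx("16.0000", "unknown-author", "unknown-author",
                         "2017-12-01T10:00:00Z", "2017-12-01T10:30:00Z")
    for finding in find_inconsistencies(read_metadata(suspect), WORD_MAJORS_ON_DISK, KNOWN_USERS):
        print("FINDING:", finding)
```

Metadata alone is not proof, since it can be edited, but a document that claims to have been written with software absent from the machine, by an author with no profile on it, is exactly the kind of contradiction that should send an examiner to the malware and filesystem timeline for corroboration.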

In February, SentinelOne published a detailed report on ModifiedElephant, analyzing the malware and server infrastructure used in the hacking campaign and showing that the two cases of evidence tampering examined by Arsenal were part of a much larger operation: since 2012 the attackers had targeted hundreds of activists, journalists, academics and lawyers with phishing emails carrying malware. In that report SentinelOne did not identify the individuals or organization behind ModifiedElephant, noting only that "the activity clearly aligns with the interests of the Indian state."

The clues pointing to the police

Now the researchers have made progress in identifying the affiliation of the attacking group. Working with a security analyst at an email provider, who spoke to Wired on condition that he and the company remain anonymous, SentinelOne found that a recovery email address and phone number had been added to three of the email accounts the attackers hacked in 2018 and 2019. In those accounts, which belonged to Wilson, Rao, and Hany Babu, an activist and professor at the University of Delhi, adding new recovery contacts appears to have been a way for the attackers to regain control of the accounts easily if the passwords were changed. To the researchers' surprise, the recovery email on all three accounts contained the full name of a Pune police officer closely involved in the Bhima Koregaon 16 case.


There are further digital clues linking the three hacked accounts, and thus the Pune police, to the wider ModifiedElephant campaign: the email provider found that the hacked accounts had been accessed from IP addresses that SentinelOne and Amnesty International had previously traced to ModifiedElephant. The provider's security analyst reports that Wilson's email account received a phishing email in April 2018 and was apparently compromised shortly afterwards by attackers using those IPs. At about the same time, the email address and phone number linked to the Pune police officer were added as recovery contacts. According to the analyst, Wilson's account was then used for at least two months to send phishing emails to other targets in the Bhima Koregaon case, until Wilson was arrested in June 2018.
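The provider's findings above amount to three correlations over account audit logs: recovery contacts added by sessions from IPs already attributed to the campaign, the same recovery contact reused across several victims' accounts, and a login-then-recovery-change-then-outbound-mail sequence that marks an account being turned into a phishing relay. The script below is an added example of that detection logic, not the provider's or SentinelOne's code; the log format, account names, recovery contacts and IP addresses are all constructed for illustration and are not real indicators.

```python
"""Correlate mailbox security events with infrastructure already attributed to a campaign.

Added example; not code from the article, SentinelOne or the email provider.
The log format, field names, accounts, contacts and IPs below are constructed
and are not real indicators.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed indicator list standing in for IPs an earlier investigation tied to the campaign.
KNOWN_BAD_IPS = {"198.51.100.23", "203.0.113.77"}

# Constructed audit-log lines in a hypothetical provider format (one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2018-04-02T09:14:00Z", "account": "victim-a@example.org", "event": "mail_received", "from": "victim-b@example.org", "subject": "Invitation", "ip": "192.0.2.10"}
{"ts": "2018-04-02T11:30:12Z", "account": "victim-a@example.org", "event": "login", "ip": "198.51.100.23"}
{"ts": "2018-04-02T11:31:05Z", "account": "victim-a@example.org", "event": "recovery_added", "kind": "email", "value": "recovery@example.net", "ip": "198.51.100.23"}
{"ts": "2018-04-02T11:31:40Z", "account": "victim-a@example.org", "event": "recovery_added", "kind": "phone", "value": "+10005550123", "ip": "198.51.100.23"}
{"ts": "2018-04-03T08:02:00Z", "account": "victim-a@example.org", "event": "mail_sent", "to": "victim-c@example.org", "subject": "Invitation", "ip": "203.0.113.77"}
{"ts": "2018-05-10T13:45:00Z", "account": "victim-b@example.org", "event": "recovery_added", "kind": "email", "value": "recovery@example.net", "ip": "203.0.113.77"}
{"ts": "2019-01-20T10:00:00Z", "account": "victim-c@example.org", "event": "recovery_added", "kind": "phone", "value": "+10005550123", "ip": "198.51.100.23"}
{"ts": "2019-02-01T07:00:00Z", "account": "unrelated@example.org", "event": "recovery_added", "kind": "email", "value": "me@example.com", "ip": "192.0.2.55"}
"""


def parse_events(text):
    """Parse one JSON event per line and return them in chronological order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def recovery_changes_from_bad_ips(events, bad_ips=KNOWN_BAD_IPS):
    """Recovery contacts added by sessions originating from known-bad IPs."""
    return [(e["account"], e["kind"], e["value"], e["ip"])
            for e in events
            if e["event"] == "recovery_added" and e["ip"] in bad_ips]


def shared_recovery_contacts(events):
    """Recovery contacts that appear on more than one account: a pivot between victims."""
    owners = defaultdict(set)
    for e in events:
        if e["event"] == "recovery_added":
            owners[(e["kind"], e["value"])].add(e["account"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def takeover_to_relay_chain(events, account, bad_ips=KNOWN_BAD_IPS):
    """For one account, match the sequence login -> recovery_added -> mail_sent, all from bad IPs.

    Returns the ordered event types matched so far; a full takeover-to-relay chain
    reads ['login', 'recovery_added', 'mail_sent'].
    """
    wanted = ["login", "recovery_added", "mail_sent"]
    chain = []
    for e in events:
        if e["account"] != account or e["ip"] not in bad_ips:
            continue
        if len(chain) < len(wanted) and e["event"] == wanted[len(chain)]:
            chain.append(e["event"])
    return chain


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in recovery_changes_from_bad_ips(evs):
        print("recovery change from known-bad IP:", hit)
    for contact, accounts in shared_recovery_contacts(evs).items():
        print("recovery contact shared across accounts:", contact, accounts)
    print("victim-a chain:", takeover_to_relay_chain(evs, "victim-a@example.org"))
```

The shared-contact check is the one that generalizes beyond IP overlap: attackers rotate infrastructure, but a recovery address or phone they want to keep control of tends to be reused, which is why a single contact appearing on several unrelated victims' accounts is worth an alert on its own.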

"We don't generally tell people who targeted them, but I'm a little tired of that," the email provider's security analyst told Wired. "It is not as if they are hunting terrorists. They are hunting human rights defenders and journalists. And that's not fair."

For further confirmation of the link between the hacked accounts' recovery contacts and the Pune city police, Wired consulted John Scott-Railton, a security researcher at the University of Toronto's Citizen Lab who, together with researchers at Amnesty International, had revealed the extent of the hacking campaign against the Bhima Koregaon 16 and shown how Pegasus, the NSO Group hacking tool, was used to compromise some of their smartphones.

Among other things, Scott-Railton found that the WhatsApp profile photo of the recovery phone number added to the hacked accounts shows a selfie of a Pune police officer, who appears to be the same officer seen at police press conferences and in a newspaper photograph taken at Varavara Rao's arrest. Wired repeatedly tried to contact the Pune city police and the officer whose personal details were linked to the hacked accounts, without receiving any response.

The fate of the activists

Mihir Desai, a Mumbai lawyer representing members of the Bhima Koregaon 16, says the new evidence of links between the Pune police and the hacking campaign should be independently corroborated. Desai adds that he hopes it can help his clients, such as Anand Teltumbde, who is accused of terrorism ties partly on the basis of an allegedly forged document found on Rona Wilson's computer. Desai says he is aware that some evidence was falsified, but adds that the police could still deny any involvement. "Proving that it was the police would mean that there was a conspiracy to arrest these people. It would prove that the police acted in a cruel and deliberate way, knowing full well that it was false evidence," he explains.

The fact that the Pune police are linked to a hacking campaign that allegedly framed and imprisoned human rights activists is a disturbing new example of the dangers of hacking tools in the hands of law enforcement, even in an ostensibly democratic country like India. According to SentinelOne's Guerrero-Saade, the case also raises questions about the validity of any evidence extracted from a hacked computer in the course of a law enforcement surveillance operation.

Beyond those broader questions, Guerrero-Saade and his colleague Tom Hegel, also a SentinelOne researcher, say they are focused on the fate of the victims in the Bhima Koregaon case, almost all of whom remain in prison even as the evidence against them looks more manipulated with every passing year. Ultimately, the researchers hope their findings will not only prove wrongdoing by the police but also help free the jailed activists and human rights defenders. "The real concern is for people abandoned in prison," explains Guerrero-Saade. "We hope this leads to some form of justice."

This article originally appeared on Wired US.
