by More than a dozen activists, academics and lawyers have been imprisoned under anti-terrorism law for more than four years, accused of affiliation with a banned Maoist armed group aimed at overthrowing the government. They deny the accusations. The stringent terror law has come under criticism, in part because defendants can rarely be released on bail and the rate of convictions in cases brought under the law is low.
In 2021, The Washington Post reported that the devices of at least two defendants in the case were hijacked by hackers who left dozens of incriminating documents on the devices. This malware campaign targeted individuals beyond those facing charges in the case.
Separately, the Pegasus Project investigation by The Post and 16 other news outlets revealed that some of the defendants were included in the list of surveillance targets for spyware provided by Israeli firm NSO Group to governments or their agencies. The Indian government has neither confirmed nor denied that he is an NSO customer. In June, Wired reported links between the hacking campaign and Indian police, who did not respond to the report.
The new findings shed more light on a case that continues to baffle the nation. NGOs say this is a chilling example of the persecution of human rights defenders under Prime Minister Narendra Modi’s government.
The bespectacled and skinny Swamy defended the rights of tribal youths in central India accused of being Maoists before the police charged him with the same crime.
Arsenal’s latest report says that Swamy has been the target of an extensive malware campaign for nearly five years; This is the longest known period for any defendant until his device was seized by police in June 2019. He had full control of his computer by dumping dozens of files in a hidden folder without his knowledge.
Arsenal carried out their work at the request of the group’s defense team.
These documents – alleged letters between the defendants and the Maoist group – are cited by police as evidence against Swamy and others in what is known as the Bhima Koregaon case. International human rights groups, including United Nations experts, have previously called on the Indian government to at least release the defendants on bail because of their advanced age and health condition.
The National Investigation Agency, which was the prosecuting authority in the case, did not respond to requests for comment.
His friend, Father Joseph Xavier, said Arsenal’s findings made Swamy’s name “obvious”. He said the report proved that Swamy was “systematically targeted and accused of raising his voice for Israel.” [tribals]It is a situation that harms the interests of the state.” Based on Arsenal’s initial report, a request to drop the charges against the defendants is pending in the courts.
Two experts on malware and digital forensics reviewed the report at The Post’s request and said its conclusions were solid.
Robert Jan Mora, a digital forensics expert at Volexity, an Arsenal-based cybersecurity firm, said Arsenal’s report was “really convincing” and said there was “solid evidence” that Swamy’s computer was infected with malware and that an operator had pushed incriminating files into the system. said that. in the DC area viewing the report. He added that Arsenal should publish in more detail how the NetWire malware left behind traces that could benefit others in the field.
Alessandro Di Carlo, director of forensic science at Italian cybersecurity firm Certego, said the analysis was “extensive and comprehensive”.
The new Arsenal report says that as of October 2014, Swamy’s laptop was infected with NetWire, a commercially available malware that can upload and download files to a target’s computer, log keystrokes, and access emails and passwords.
According to Arsenal, the unidentified hacker in Swamy’s case is the same person who targeted Swamy’s other defendants, activist Rona Wilson and attorney Surendra Gadling.
According to the report, the hacker used WinSCP, a free and open-source file transfer tool for Windows, to copy more than 24,000 files and folders from Swamy’s computer and removable storage devices to the hacker’s own server.
According to Arsenal, the hacker first placed the documents on Swamy’s computer in July 2017 and continued to do so for two years. The report says the documents were never opened and Swamy never interacted with them.
“I’ve never seen so much evidence embedded before,” said Mora, who has done malware forensics in some high-profile breach investigations and security assessments for governments. “That’s incredible.”
On the night of June 11, 2019, hours before Swamy’s computer was seized by the police, the hacker carried out a thorough “cleanup” of Swamy’s activities. maliciously used folders before cleaning.
Arsenal’s president, Mark Spencer, described the activity as “highly suspicious” given that the device will soon be compromised.
In the report, Arsenal shares screenshots of raw data recovered from Swamy’s computer that revealed the hacker’s activities, including the command used to delete the folder where tens of thousands of files were stored from Swamy’s computer before they were transferred to the server.
In May last year, Swamy, who has Parkinson’s disease, sought medical bail in court, saying he had a “stable” decline in bodily functions.
India’s counter-terrorism agency denied bail, saying the medical documents it had provided were not conclusive proof of any serious illness and that the alleged fabrication of evidence was an attempt to “confuse fact with falsehood”.
His death caused a sensation in India as opposition parties, civil society groups and citizens called for accountability.
“Stan stood up for justice and paid a price for it,” said Xavier, Swamy’s friend of 20 years.
