Police forces around the world are using hacking tools to identify and track protesters, expose political dissidents' secrets, and turn activists' computers and phones into eavesdroppers. A hacking campaign that used those tools to go an appalling step further, planting false incriminating files on targets' computers, is connected to a case in India.
More than a year ago, forensic analysts revealed that hackers fabricated evidence on the computers of at least two activists who were arrested in India last year and are currently in jail. The evidence fabrication was linked to a larger hacking operation that targeted hundreds of individuals over the course of a decade, using a variety of hacking tools, including NSO Group's hacking tools. The Indian police agency that arrested multiple activists based on fabricated evidence is the same one that has ties to the hackers.
"There's a provable connection between the individuals who arrested these folks and the individuals who planted the evidence," says Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August. "This is beyond ethically compromised. It is beyond callous. So we're trying to put as much data forward as we can in the hopes of helping these victims." AdvertisementTwo of the targets of the long-running hacking campaign are Rona Wilson and Varvara Rao, which is why the company has called it the modified elephant. Both men are activists and human rights defenders who were jailed in India last year as part of a group that was named after the village where violence between Hindus and Dalits broke out. An 84-year-old Jesuit priest, Stan Swamy, died in jail last year after contracting Covid-19. An 81-year-old man who is in poor health has been freed on medical bail. Only one of the others has been granted bail.
The contents of Wilson's laptop were analyzed by a digital forensics firm for the defendants. Evidence had been fabricated on both machines. In Wilson's case, NetWire added 32 files to a folder on the computer's hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Modi. The letter was created with a version of Microsoft Word that Wilson had never used. Wilson's computer was hacked to install NetWire after he opened an attachment from Varvara Rao's email account, which had itself been compromised by the same hackers. Mark Spencer wrote in his report to the Indian court that the case was one of the most serious he had ever seen.