Last week, US-based digital forensics firm Arsenal Consulting released the results of its investigation into the computer of Rona Wilson — one of 16 people facing trial in the Bhima Koregaon case. The evidence assembled by prosecutors against the accused includes letters containing, among other things, plans to buy assault weapons from Nepal and a plot to assassinate Prime Minister Narendra Modi. The analysis raises questions about not just the authenticity of those documents, but also the possible manipulation of Wilson’s computer by still-unidentified hackers.
Indian courts haven’t developed an extensive jurisprudence on digital evidence. It’s also relatively rare — unlike in the United States or United Kingdom — for independent experts to challenge government forensic examiners. Even leaving aside the specifics of the Bhima Koregaon case, therefore, its course will be of considerable interest.
1. How was Wilson’s computer hacked?
In March, 2016, Wilson received an e-mail from the revolutionary poet and activist Varavara Rao — or, to be more exact, from someone with access to Rao’s e-mail account, who might or might not be the poet and activist. The mail contained what appeared to be a link to a file in Dropbox, with a subject header indicating that it had something to do with “Kobad”. “Kobad” is, most likely, the Doon School-educated Maoist leader Kobad Gandhy, who was arrested in 2009.
When Wilson opened the document, a copy of the e-mail recovered from his hard disk shows, all he could see was the letterhead of an alleged Maoist front-organisation — followed by gibberish. The link didn’t connect to a file on Dropbox at all, but to a server which then uploaded malware onto Wilson’s computer.
The timing of the malware attack raises interesting questions. The Pune Police seized Wilson’s computer on 17 April, 2018. Did a police force, or the intelligence services, conduct a 22-month surveillance operation against Wilson? If so, why was this done, and what did it find? Were others also targeted? Arsenal’s analysis doesn’t cast any light on these questions, though future investigation might do so.
2. What did the malware on Wilson’s computer actually do?
NetWire, the malware planted on Wilson’s computer, gave the remote operator full control over it. Three features are of significance. First, NetWire created a hidden folder on the computer’s hard disk. This folder was used to copy any files of interest to the remote operator, from where they could be discreetly uploaded to a server — discreetly, of course, to avoid the attention of the anti-virus software on the computer.
The second key capability the malware provided was that the remote operator could copy files onto Wilson’s computer.
Finally, the malware recorded every single keystroke Wilson made, and stored them in an encrypted file for upload. In essence, this allowed the remote operator to read every single thing Wilson did on his computer. This keystroke capture function makes malware like NetWire attractive to criminals, who can use it to capture passwords or credit card details. For the same reason, such malware is useful to law-enforcement and intelligence services.
Arsenal discovered that there were five attempts to infect Wilson’s computer. Two of these seem to have been detected and quarantined by his QuickHeal anti-virus software. From the report, it’s not clear why one got through; it is possible it had several layers of obfuscation to evade the anti-virus, or that Wilson hadn’t updated QuickHeal.
The multiple attempts to hack Wilson’s computer raise many interesting questions. Was more than one team of attackers involved in targeting Wilson’s computers? Was the same malware repeatedly sold, with different packaging-wrappers, as it were, to the attackers? Was an entity retained to execute the operation, to be paid only if it succeeded? For now, we don’t know.
3. Who was the attacker?
We simply don’t know — but Arsenal’s analysis strongly suggests they’re not the stuff of a future Netflix series. Even though there has been some media commentary linking the compromise of Wilson’s computer to the darker and infinitely more sophisticated world of tools like Pegasus, NetWire is almost ancient. First noticed in the wild around 2012, NetWire has since been used by everyone from Nigerian hackers to online criminal syndicates. Malware researchers know it very well, which is why Arsenal could so easily decrypt the keystroke log it left behind on Wilson’s disk.
Whoever attacked Wilson’s computer left their paw-prints all over his computer: parts of NetWire’s encrypted keystroke log; the e-mail with the link to the malware; entries in the operating system’s own logs, which recorded the story over time.
Even the command-and-control host name to which the data harvested from Wilson’s computer was uploaded — http://atlaswebportal.zapto.org — was the default setting in NetWire, and not a custom host name that could have provided the attackers greater cover. Some of these servers were, incredibly, online until last week.
Sophisticated hackers often plant what is called shellcode on the target computer, which gives them access to a command-line interpreter through which they interact with the victim’s computer directly. Whoever hacked Wilson used a far cruder instrument, sending a link which would download the malware in one go.
By way of contrast, consider the case of the North Korean hackers discovered to have been stealing Indian nuclear secrets in 2019. Those hackers targeted laptops held by former Bhabha Atomic Research Centre chief Anil Kakodkar and former Atomic Energy Regulatory Board head SA Bhardwaj.
The North Korean team conducted digital surveillance which determined only these two laptops had access to both the internet and to highly-guarded internal systems. They used a plausible scientific paper to hide the sophisticated D-Track malware (developed exclusively by Lazarus group, a State-level actor). After jumping into the nuclear plant’s administrative network, all traces were cleaned from the victims’ laptops.
We don’t know, yet again, who the Wilson hack’s crude perpetrators might be — but it’s a safe guess their clients were people with neither the cash nor knowledge to hire the best expertise on offer.
4. What was the intention of the attack?
Like library index cards, the log file in Windows is essentially an index. It tells the operating system where on the disk to find files, and records, as it were, who they’re issued to and when they’ve come back. Arsenal’s investigation reconfirms a weird feature of the allegedly-incriminating files on Wilson’s thumb drive: although it isn’t clear who created them, or when, they weren’t read, edited or saved on his computer. Instead, the files seem to have been downloaded from the control server to the hidden folder on the hard disk, and then transferred to the thumb drive.
The timing of these events is intriguing. The files were pasted to the hard disk folder in February 2018, and then transferred to the thumb drive on 14 March, 2018. The violence at Bhima Koregaon took place on 1 January, 2018. Lawyers for the defence argue that the timing shows these files were planted to create evidence against the sixteen accused individuals.
For this to be true, someone would have had to have decided to frame Wilson within weeks of the Bhima Koregaon violence — but no-one has yet offered a robust explanation for why that might be.
In other circumstances, the fact that NetWire was found on Wilson’s computer might amount to little. Hundreds of thousands of people have been attacked, after all, with similar crude tools by criminals seeking their card details or account passwords. The unusual behaviour of the incriminating files suggests something darker was at play.
5. How credible is Arsenal’s analysis?
There’s one especially strange feature of the entire case: we don’t know if what the Forensic Science Laboratory in Pune studied is actually a faithful copy of whatever was on Wilson’s computer. Every computer file or collection of files can generate a unique hash-value. For example, a file with the text “Firstpost” might generate the hash-value 12345. In the event that the text is altered, say to simply “First”, the hash-value will change, say, to 123. If the exact, original text is restored, the hash-value will change back to 12345. The hash function is one-way; there is no way to deduce from 12345 that the text was “Firstpost”.
For obvious reasons, the hash-value of a disk is crucial for proving that digital information has not been tampered with after it has been seized by law-enforcement. Globally as well as in India, police protocols mandate that a seized computer not even be turned on, since that would change the contents of the disk and allow defence lawyers to claim it had been manipulated.
Instead, the disks seized by law-enforcement are removed by forensic experts, and exact images are made of them using tools installed on specialised rigs. The hash-value of the originally-seized disk — which takes a few minutes to generate — and that of the mirror-image must be identical. The images — not the original — are then analysed using software that opens files without modifying them. Even if an error is committed during analysis, only the image is affected, not the original.
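To make the integrity check concrete, here is an added example (not part of the original article, and not Arsenal’s or the Pune laboratory’s tooling) that records a seizure-time SHA-256 hash of a constructed 64 KiB “disk”, verifies a bit-for-bit image against it, and shows that writing even a dozen bytes into the image after seizure makes the check fail. The sample disk, the planted bytes and all function names are constructed for illustration.

```python
import hashlib

# Added example, not from the original article: proving a forensic image is a
# faithful copy of a seized disk by comparing hash-values.

def image_hash(data: bytes, chunk_size: int = 4096) -> str:
    """Return the SHA-256 hex digest of a disk image (or any byte string),
    read in fixed-size chunks as an imaging rig would for a large drive."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()

def record_seizure_hash(disk: bytes) -> str:
    """Hash taken at seizure time, before anything is touched; this value
    belongs in the chain-of-custody record handed to both sides."""
    return image_hash(disk)

def verify_image(recorded_hash: str, image: bytes) -> bool:
    """An image counts as a faithful copy only if its hash equals the
    hash recorded from the original disk at seizure."""
    return image_hash(image) == recorded_hash

def plant_bytes(image: bytes, offset: int, payload: bytes) -> bytes:
    """Constructed tampering: overwrite bytes in a copy of the image, the way
    any write to the disk after seizure would alter its contents."""
    return image[:offset] + payload + image[offset + len(payload):]

# Constructed sample "disk": 64 KiB of filler standing in for a real drive.
SEIZED_DISK = bytes(range(256)) * 256
SEIZURE_HASH = record_seizure_hash(SEIZED_DISK)

def demo() -> dict:
    """Run the three cases the article describes: faithful copy, altered
    copy, and the altered copy restored byte-for-byte."""
    faithful = bytes(SEIZED_DISK)                      # exact copy
    tampered = plant_bytes(SEIZED_DISK, 8192, b"planted.docx")
    restored = plant_bytes(tampered, 8192, SEIZED_DISK[8192:8204])
    return {
        "faithful_verifies": verify_image(SEIZURE_HASH, faithful),
        "tampered_verifies": verify_image(SEIZURE_HASH, tampered),
        "restored_verifies": verify_image(SEIZURE_HASH, restored),
        # the article's "Firstpost" vs "First" illustration, with a real hash
        "firstpost_vs_first_same": image_hash(b"Firstpost") == image_hash(b"First"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Without the seizure-time hash in the record, a later verify_image call has nothing to compare against, which is the gap the defence is pointing to.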
For reasons that have yet to become clear, the Pune Police never provided the hash value of the disk recovered from Wilson. The hash value, defence lawyers say, has still to be made available.
Arsenal is a serious firm, with a long list of top corporate clients — and a history of involvement in high-profile litigation. Its findings will, obviously, be contested by the police’s Forensic Science Laboratory; that is the normal back-and-forth of any criminal trial.