Allegations of planted evidence raise questions about hacking ecosystem in India

Outsiders allegedly planted malware on an activist's computer.
(Flickr/Vijay Chennupati/CC-BY-2.0)

Recent allegations that planted evidence may have been used to frame an activist in a terrorism case are raising new questions about the surveillance and hacking ecosystem in India.

The human rights activist in question, Rona Wilson, is one of several people accused of plotting to overthrow the Indian government in connection with a violent demonstration in Bhima Koregaon, India in 2017, and of instigating the violence there. Cases against the defendants have largely relied on digitally-collected evidence, according to Amnesty International. Wilson has been incarcerated for nearly three years.

A new forensic analysis of Wilson’s computer, conducted by Boston-based Arsenal Consulting, is now raising questions about the viability of the evidence, who put it there and the extent to which hacking in India is used to further the government’s prosecutions. Details about the ecosystem of surveillance and cyber mercenary groups in India targeting activists, companies and journalists have been emerging for years now. But the Arsenal Consulting report could shed new light on just how far attackers will go to silence activists, researchers and digital rights activists say.

“What this case shows is that as authoritarianism increases, invariably digital threats against civil society increase as well,” John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy, told CyberScoop.

Arsenal Consulting, which has previously conducted digital forensic analysis on the Boston Marathon bombing case, found evidence on Wilson’s computer that an outsider targeted the device with malware and planted at least 10 documents meant to incriminate him, according to a copy of the report viewed by CyberScoop.

Wilson is accused of being a member of the banned Maoist party, plotting to use its funds to undermine the government and plotting to kill the prime minister.

The documents in question were created with a version of Microsoft Word that was not installed on Wilson’s computer, according to the report. Wilson has long maintained that he did not participate in the demonstration and that he never engaged with the documents in question. The documents allegedly incriminate Wilson, though exactly how was not immediately clear.
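The version mismatch the report relies on is recoverable from the document itself: a .docx file is an OOXML zip archive whose docProps/app.xml part records the producing application and its AppVersion, which a forensic examiner can compare against the software actually present on the machine. The following is an added example, not code from the Arsenal report or from anyone involved in the case; it constructs a minimal .docx in memory (only the app.xml part), reads the metadata back, and flags a document whose major version matches none of the installed versions. The installed-version set and the version strings are constructed sample values, and a mismatch is an indicator for further examination, not proof on its own, because application metadata can be edited or the file may simply have been authored elsewhere.

```python
"""Compare the AppVersion recorded in a .docx against the Word versions installed on a host."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional

# Namespace of the extended-properties part (docProps/app.xml) in OOXML.
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def build_docx(app_version: str, application: str = "Microsoft Office Word") -> bytes:
    """Build a constructed, minimal .docx carrying only docProps/app.xml.

    Real documents contain many more parts; this is just enough for the metadata check.
    """
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{APP_NS}">'
        f"<Application>{application}</Application>"
        f"<AppVersion>{app_version}</AppVersion>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns='
            '"http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


def read_app_metadata(docx_bytes: bytes) -> Dict[str, str]:
    """Return the Application and AppVersion values from docProps/app.xml, if present."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/app.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/app.xml"))
    meta: Dict[str, str] = {}
    for tag in ("Application", "AppVersion"):
        el = root.find(f"{{{APP_NS}}}{tag}")
        if el is not None and el.text:
            meta[tag] = el.text.strip()
    return meta


def version_mismatch(docx_bytes: bytes, installed_versions: Iterable[str]) -> Optional[str]:
    """Describe a mismatch between the document's AppVersion and the installed versions.

    Only the major version is compared (Word writes values such as "16.0000"); a
    mismatch is an indicator for follow-up, not proof that the file was planted.
    Returns None when the recorded major version matches an installed one.
    """
    meta = read_app_metadata(docx_bytes)
    recorded = meta.get("AppVersion")
    if recorded is None:
        return "no AppVersion recorded in docProps/app.xml"
    installed_majors = {v.split(".")[0] for v in installed_versions}
    if recorded.split(".")[0] not in installed_majors:
        return (
            f"AppVersion {recorded} matches none of the installed versions "
            f"{sorted(installed_versions)}"
        )
    return None


if __name__ == "__main__":
    # Constructed scenario: the host only has one Word version installed.
    installed = {"12.0000"}
    for sample in (build_docx("12.0000"), build_docx("16.0000")):
        print(read_app_metadata(sample), "->", version_mismatch(sample, installed))
```

On real evidence the same check should be run alongside the document's core.xml timestamps, the file-system timestamps and the host's installed-software inventory, since a single inconsistent field is easy to explain away and easy to forge.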

The perpetrators first targeted Wilson with malware in 2016 through an apparent phishing email that imitated one of Wilson’s acquaintances and carried a spammy decoy document, according to the analysis. Once Wilson opened the malicious attachment, a remote access trojan called NetWire was able to monitor Wilson’s keystrokes, passwords and browsing, according to the report.

Arsenal concluded that Wilson’s computer was compromised for more than 22 months, according to the report.

Wilson’s lawyer, Sudeep Pasbola, told The Washington Post, which first reported on the Arsenal analysis of Wilson’s computer, that the planted documentation “destabilizes” the prosecution and proves his client’s innocence.

In response to the Arsenal report, the government entity overseeing the case claimed in a statement shared with the Post there was “substantial documentary and oral evidence” against the individuals charged.

The latest information about the apparent targeting of Wilson’s computer is a sign of a deeply entrenched surveillance problem in India, according to Danna Ingleton, the acting co-director of Amnesty Tech.

“These new reports indicating that activist Rona Wilson’s devices were compromised in order to plant incriminating evidence are deeply concerning,” Ingleton told CyberScoop. “Amnesty International is calling on authorities in India to conduct an independent, impartial, and transparent investigation into the unlawful targeted surveillance of human rights defenders, including determining whether there are links between these spyware campaigns and any specific government agencies.”

Other Bhima Koregaon activists also have been targeted in what Amnesty and Citizen Lab have described as a coordinated surveillance campaign.

“Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr. Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well,” the report states.

Several activists are also alleged to have been targeted by surveillance software developed by Israeli surveillance firm NSO Group.

Pro-government and commercial overlaps

While it may be unclear who exactly is responsible for the reportedly manipulated evidence against Wilson at this time, the possible links between pro-India hacking operations and the global commercial sector of surveillance software have begun to emerge in recent research.

One pro-India hacking group, known as Confucius, appears to have code overlaps with commercial surveillance products, suggesting possible links, according to research published in February by the security firm Lookout. The group also appears to have historical connections with Bahamut, a hack-for-hire group that has gone after a number of targets in India as well as in other countries.

The possible reasons for overlaps between some of these groups are numerous. The hacking operations could be explicitly linked or run by the same individuals or groups, or cybersecurity professionals could be working for multiple hacking shops and carrying over knowledge and expertise from former jobs. Cyber mercenaries could also be purchasing tools from one centralized hub.

Adding to the puzzle of who may be using the malware used to target Wilson is the fact that NetWire malware can be purchased from World Wired Labs, a company whose remote access tools have historically been used by criminals and nation-state hackers alike.

The Bhima Koregaon digital evidence case is the latest to emerge from India suggesting that India’s hack-for-hire and surveillance ecosystem is far more developed than what has publicly come to light so far, and that it is likely growing behind the scenes. An India-based security firm, BellTroX, has been working as a cyber mercenary group for a number of clients interested in hacking global targets, such as activists and corporate IT firms, according to Citizen Lab research revealed last June.

Appin, another Indian company, has also allegedly provided offensive cyber capabilities on a contractual basis, researchers say. Yet another, called CostaRicto, has been targeting a number of South Asian organizations, including some in India, with a custom backdoor.

Ground truth

Security researchers note that the burgeoning use of hack-for-hire groups and surveillance software globally offers would-be attackers a cloak of secrecy and deniability in running operations against activists and dissidents. It’s the kind of growing industry that could chill free speech and hamper investigations into alleged human rights abuses, activists say.

But beyond attribution dilemmas, Wilson’s case represents a concerning shift in the health and trustworthiness of the information environment that activists, dissidents and journalists may need to confront in the future, according to Scott-Railton.

“What’s particularly troubling about this case is that it raises pretty fundamental questions about whether a case right now is really based on evidence that’s unimpeachable,” Scott-Railton, who has reviewed the Arsenal analysis, told CyberScoop.

There has been at least one other publicly known instance where evidence was reportedly digitally planted against a defendant in a case in Turkey. In that case, a Turkish journalist was sent to jail for alleged connections with a group accused of terrorism in the country, but an investigation Arsenal Consulting conducted found he had been digitally framed and targeted with malware in 2011.

The journalist has since been acquitted.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.