Analysis

New forensic report confirms Pegasus spyware attack for over a year on phone of Rona Wilson, in detention for over three years in the Bhima Koregaon case

Dr. V. Suresh

The latest revelations by forensic investigation firm Arsenal Consulting that the phone of Bhima Koregaon accused Rona Wilson was under attack by the Pegasus spyware for about a year indicate the urgent need to develop new evidentiary principles and approaches for electronic forensic investigatory reports, writes DR V. SURESH.


IN a detailed report released yesterday, December 17, Arsenal Consulting, a Boston-based forensic investigation firm assisting the defense lawyers in the Bhima Koregaon case and Amnesty Tech Security Lab, have confirmed that the iPhone of activist and researcher Rona Wilson, one of the accused in the case who has been in custody since June 2018, was attacked multiple times by the Pegasus spyware.

The report identifies 49 different instances of Pegasus attack, and sometimes of successful infection, on Wilson's iPhone, between July 5, 2017 and April 10, 2018. This is striking given that Arsenal's previous reports had already shown that Wilson's computer had been hacked by the NetWire Remote Access Trojan (RAT) between June 13, 2016 and April 17, 2018 – covering the same period – in order to plant incriminating files on his computer. The same had been done to the computer of another accused in the Bhima Koregaon case, the lawyer Surendra Gadling. Arsenal also confirmed that neither Wilson nor Gadling had ever opened the incriminating files in question.

Thus, in 2017 and 2018, Wilson was being subjected to both surveillance through Pegasus and evidence planting through the NetWire RAT.

In the Bhima Koregaon case, sixteen leading human rights defenders, lawyers, scholars, and artists have been jailed without trial for periods ranging from over one year to over three years under the draconian Unlawful Activities (Prevention) Act (UAPA). Two of the accused, the poet Varavara Rao and lawyer-activist Sudha Bharadwaj, are currently out on bail, while one other, the Jesuit priest and tribal activist Father Stan Swamy, passed away due to health reasons while in custody earlier this year. His health had grievously deteriorated during the course of his incarceration from October 2020 onwards.

Speaking for the defense team, advocate Mihir Desai said that "the dual attack on Mr. Wilson's computer and phone over a period of two years is not just alarming, but something that should remind every democratic institution that illegal cyber-attacks can turn innocent citizens into alleged criminals who can then be jailed indefinitely."

Key takeaways

The publication of this report raises three extremely critical and troubling questions:

Firstly, it is now over 300 days since the first report revealing the NetWire attack and evidence-planting, and nearly 150 days since the reports on the Pegasus attacks. Together this is the single best-documented case of a cybercrime compromising India's criminal justice system and the rights of its citizens. Yet the government remains silent. Why?

Secondly, simple due diligence after these reports should have compelled the National Investigation Agency (NIA) to re-examine the devices of those it has accused of terrible crimes and publish its findings. Ordinary anti-virus software can detect NetWire malware, and Amnesty International Security Lab has documented how to identify Pegasus attacks and infections. If the NIA does not even care to investigate these aspects, how can it claim its actions are legitimate?

Thirdly, the first Pegasus attack on Wilson's iPhone took place on the second day of Prime Minister Narendra Modi's visit to Israel, where the NSO Group, the company that manufactures Pegasus, is headquartered. Was this just a coincidence? NSO has repeatedly stated that it sells Pegasus only to governments, and that all its sales are subject to approval by the Israeli government. Were there members of the PM's team who could have been authorized to act on behalf of the government to contract the services of the NSO Group and/or authorize attacks on Indian citizens? Or were there any private cyber-security actors, including cyber-security firms with whom the government contracts, who were part of the delegation? Why has the government maintained a studied silence on these questions?

Background

On July 20 of this year, The Wire and the Washington Post had revealed that eight of the Bhima Koregaon accused, including Wilson, as well as several members of their families and friends, had potentially been attacked by the Pegasus spyware. However, as the device in question, Wilson's iPhone, is in the possession of the NIA, this could not be confirmed by examining the phone itself. Arsenal's subsequent investigation instead examined the iTunes backups of the phone stored on Wilson's hard drive and found that his phone had indeed been attacked. Arsenal's results were verified by Amnesty International Security Lab, which had developed the primary techniques to identify Pegasus attacks and infections.

Given that we now have compelling evidence that there are citizens who have been attacked by both Netwire and Pegasus, it is crucial that the committee appointed by the Supreme Court investigate any connections between the two attacks and the implications for the Bhima Koregaon case. The four reports from Arsenal taken together leave little doubt that the Bhima Koregaon case has no evidentiary basis.

At the minimum, all the accused must be granted bail immediately. It is hoped that the judiciary will take note of the fact that electronic evidence can be falsified and tampered with, and that there is a need to develop new evidentiary principles and approaches to deal with electronic forensic investigatory reports like the Arsenal report.

(Dr. V. Suresh is National General Secretary, People's Union for Civil Liberties. The views expressed are personal.)