More than a dozen activists, academics and lawyers have been imprisoned under an anti-terrorism law — some for more than four years — accused of having ties to a banned Maoist armed group that aims to overthrow the government. They deny the charges. The stringent terrorism law has drawn criticism in part because the accused can rarely secure bail and cases brought under the law have a poor conviction rate.
In 2021, The Washington Post reported that the devices of at least two defendants in the case had been compromised by hackers who planted dozens of incriminating documents on them. That malware campaign also targeted individuals beyond those facing charges in the case.
Separately, the Pegasus Project investigation by The Post and 16 other news organizations revealed that some of the defendants were included on a list of surveillance targets for spyware supplied by the Israeli firm NSO Group to governments or their agencies. The Indian government has neither confirmed nor denied that it is an NSO client. In June, Wired reported links between the hacking campaign and Indian police, who did not respond to the report.
The new findings shed more light on a case that has continued to transfix the nation. Civil society groups say it is a chilling example of the persecution of human rights defenders under the government of Prime Minister Narendra Modi.
Swamy, bespectacled and lanky, championed the rights of tribal youths in central India accused of being Maoists — before police charged him with the same crime.
The latest report by Arsenal says Swamy was the target of an extensive malware campaign for nearly five years, the longest known for any defendant, right up until police seized his device in June 2019. During that period, the hacker had full remote control of his computer and dropped dozens of files into a hidden folder without his knowledge.
Arsenal has conducted its work at the request of the defendants’ defense team.
These documents — purported letters between defendants and the Maoist group — are cited by the police as evidence against Swamy and others in what is known as the Bhima Koregaon case. International human rights groups, including United Nations experts, have previously called on the Indian government to release the defendants, at least on bail, given their advanced ages and ill health.
The National Investigation Agency, the prosecuting authority in the case, did not respond to requests for comment.
The findings by Arsenal “clear” Swamy’s name, said his friend and fellow priest, Joseph Xavier. He said the report proves that Swamy was “systematically targeted and framed for raising his voice for the [tribals], which hurt the interests of the state.” A plea to drop the charges against the defendants based on Arsenal’s first report is pending before the courts.
Two experts on malware and digital forensics reviewed the report at the request of The Post and said its conclusions were sound.
Arsenal’s report is “really convincing,” and there is “firm evidence” that Swamy’s computer was infected with malware and that an operator was pushing incriminating files to the system, said Robert Jan Mora, a digital forensics expert at Volexity, a cybersecurity firm based in the D.C. area, who reviewed the report. He added that Arsenal should publish in more detail how NetWire malware left behind traces, which could benefit others in the field.
Alessandro Di Carlo, director of forensics at Certego, an Italian cybersecurity company, said the analysis is “thorough and comprehensive.”
Arsenal’s new report says Swamy’s laptop was infected beginning in October 2014 with NetWire, a commercially sold remote-access malware that can upload files to and download files from a target’s computer, log keystrokes, and harvest emails and passwords.
The unidentified hacker in Swamy’s case is the same person who targeted Swamy’s co-defendants, activist Rona Wilson and lawyer Surendra Gadling, according to Arsenal, which based that conclusion on the use of the same command-and-control servers and the same NetWire configurations, including the passwords the hacker used.
The hacker deployed WinSCP, a free and open-source file transfer tool for Windows, to copy more than 24,000 files and folders from Swamy’s computer and removable storage devices onto the hacker’s own server, the report says.
The hacker first planted documents on Swamy’s computer in July 2017 and continued to do so for two years, according to Arsenal. The documents were never opened and Swamy never interacted with them, the report says.
“I haven’t seen this amount of evidence being planted before,” said Mora, who has performed malware forensics in some high-profile breach investigations and security assessments for governments. “It’s unbelievable.”
On the night of June 11, 2019, hours before Swamy’s computer was seized by the police, the hacker performed an extensive “cleanup” of their activities: they removed the malware and the surveillance data and, as a distraction, copied a large number of files into the folders that had been used for the malicious activity before the cleanup.
Mark Spencer, Arsenal’s president, termed that activity “extremely suspicious” given the imminent seizure of the device.
In the report, Arsenal shares screenshots of the raw data recovered from Swamy’s computer revealing the hacker’s activities, including the command used to delete the folder where tens of thousands of files from Swamy’s computer were staged before they were transferred to the server.
Last year in May, Swamy, who had Parkinson’s disease, appealed to the court for medical bail, saying there had been a “steady” regression of his bodily functions.
India’s anti-terrorism agency opposed his bail plea, saying that the medical documents he cited were not conclusive proof of any severe ailment and that the allegation of fabricated evidence was an attempt to “confuse truth with falsehood.”
Swamy died in custody in July 2021. His death sparked a furor in India, with opposition parties, civil society groups and citizens calling for accountability.
Xavier, Swamy’s friend of 20 years, said: “Stan stood for justice and paid a price for it.”