“Arsenal found Pegasus (spyware) indicators on the Windows volume of Mr. Rona Wilson’s computer in two iTunes backups from an iPhone 6s” which belongs to Rona Wilson, revealed computer forensics firm Arsenal Consulting in a report. These indicators carried timestamps from July 5, 2017 to April 10, 2018, the report added.
Arsenal’s report also found that Wilson’s computer was targeted with NetWire RAT (Remote Access Trojan) for purposes of both surveillance and incriminating document delivery at the same time as the Pegasus attacks on his phone. The Massachusetts-based firm used the methodology laid out by Amnesty in order to analyse and corroborate its findings.
“The indicators found by Arsenal reflect not only Pegasus attacks, but successful Pegasus infection of Mr. Wilson’s iPhone 6s.” — Arsenal Consulting report.
Wilson has been behind bars since June 6, 2018, and was one of the first to be arrested in the Elgar Parishad case which saw several other human rights activists and lawyers being accused of instigating violence at a 2018 event held to commemorate the Battle of Bhima Koregaon.
The report’s findings are likely to cast serious aspersions on the National Investigation Agency’s case and its electronic evidence against Rona Wilson. It also raises concerns about the state of surveillance and privacy in India.
‘Rona Wilson’s computer compromised two years before arrest’
Arsenal Consulting was hired by Rona Wilson’s defence to investigate and analyse electronic evidence seized from Wilson’s home by the Pune police department in 2018. The firm has released a total of four reports to date detailing the extent to which Wilson’s electronic devices was targeted by the attackers:
- The first report released by Arsenal in February this year said that malware (NetWire RAT) was installed on Rona Wilson’s computer two years before he was arrested by Pune Police.
- The investigating authorities claimed to have found 10 incriminating letters revealing an alleged plot to assassinate the Prime Minister and overthrow the government.
- The agencies arrested several activists and academics based on the evidence recovered from Wilson’s computers.
- The forensic investigation discovered that the computer had been compromised for 22 months, which meant that the attacker had “extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.
“It should be noted that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and the last incriminating documents” — Arsenal Consulting report
In the wake of the firms’ findings, Wilson moved the Bombay High Court to quash the charges against him. He sought the court’s direction to appoint a Special Investigation Team (SIT), consisting of experts in digital forensic analysis to independently verify Arsenals’ findings and probe the alleged planting of documents on his computer by using malware.
Source: Arsenal Consulting
‘Wilson did not consciously interact with the hidden files’
The second report revealed that an attacker had planted an additional set of files on Wilson’s computer. The firm said that there was no evidence that Wilson interacted with these files and documents, which are cited by the National Investigative Agency (NIA) in its charge-sheet against Wilson and others in the Elgar Parishad case. The firm did not name the attacker.
Some of the findings of this report are:
- The forensics firm identified the source of 24 additional files found on Wilson’s Computer.
- Arsenal analysed if Wilson consciously interacted with these 24 files while using this computer or if these files were just dumped and hidden from Wilson’s view or knowledge.
- 22 of the 24 files were delivered by the attacker to a hidden folder on Wilson’s computer through a NetWire trojan and not by any other means.
- Between December 2017 and March 2018, the attacker used the NetWire trojan to dump files with names like: accounts, comrades, mohila meeting, letter, ltr from prakash, letter to GN, letter to G etc.
- The attacker also renamed files and even made a mistake in one case, and went on to correct it.
- The attacker remotely changed, added, or deleted content and viewed Wilson’s computer activity.
NSO Group’s response
“Without addressing specific countries and customers, the allegations raised in this inquiry are not clear. Once a democratic country lawfully, following due process, uses tools to investigate a person suspected in an attempt to overthrow a (democratically-elected) government, this would not be considered a misuse of such tools by any means,” a spokesperson from the NSO Group told The Wire.
Purported use of Pegasus in India
An investigation conducted by a consortium of 17 news organisations revealed that more than 50,000 phone numbers were either targets or potential targets of Pegasus spyware developed by an Israeli company— NSO Group. These numbers belonged to journalists, politicians, activists, bureaucrats, heads of state, among many others. The group, however, responded that the spyware is sold only to vetted governments and its agencies to neutralize terrorists and criminals.
According to The Wire, at least nine phone numbers belonging to eight accused in the Elgar Parishad case, were listed in the database:
- Professor Hany Babu
- Activist Vernon Gonsalves
- Academic and civil liberties activist Anand Teltumbde
- (Retd.) Prof Shoma Sen
- Journalist and rights activist Gautam Navlakha
- Lawyer Arun Ferreira
- Academic and activist Sudha Bharadwaj
Also read:
- Debt-ridden NSO Group may shut down controversial Pegasus spyware unit amidst growing list of challenges
- Pegasus Probe: SC-appointed committee reaches out to targeted people with a request
- Supreme Court appoints committee to investigate Pegasus in India; “State does not get a free pass”
- UN Human Rights Council faces pressure to denounce and investigate Pegasus surveillance
Have something to add? Post your comment and gift someone a MediaNama subscription.
