Malware Used to Plant Evidence in Bhima Koregaon Accused’s Laptop?

A US-based digital forensics firm has submitted a report to a special NIA court hearing which states that the computer of Bhima Koregaon case accused Rona Wilson was compromised by a malware attack for nearly two years preceding his arrest in June 2018.

According to the report by Arsenal Consulting,

The news of this report, which was requested from the forensics firm by Wilson’s lawyers, was broken by the Washington Post on Wednesday, 10 February, who have also posted the full report for public viewing online.

The newspaper notes that the malware was used to deposit at least 10 incriminating letters on Wilson’s computer, based on Arsenal Consulting’s examination of an electronic copy of the laptop.

Wilson was one of the first set of activists and academics to be arrested in the Bhima Koregaon case back in June 2018, and has been accused of conspiring with Maoist insurgents.

Key pieces of evidence cited by the Pune Police and (after they belatedly took over the case) the National Investigation Agency against the accused include several letters allegedly recovered from their computers. These include a letter allegedly written by Wilson in which he had talked about the guns needed by Maoist insurgents and a plot to carry out a “Rajiv Gandhi-style attack” – ie to assassinate Prime Minister Narendra Modi.

This report by the US forensic firm throws these allegations into doubt, as it agrees with an earlier analysis in 2019 by The Caravan, that certain documents appear to have been planted on WIlson’s computer using the malware.

Arsenal Consulting noted that several of these documents were created using MS Word versions from 2010 and 2013, while the latest version of Word on Wilson’s computer was installed in 2007.

Following their analysis of the NetWire malware’s impact on a computer along with NTFS file system modeling, the firm found that “The incriminating documents were delivered to a hidden folder on Mr. Wilson’s computer by NetWire and not by other means.”

According to the report, Wilson’s computer was first compromised on 13 June 2016, when he was sent emails that appeared to be from fellow accused Varavara Rao, which suggested that he click on a link to download a document. Wilson opened the document at 6:18 pm on the day, which led to the installation of the NetWire malware on his computer.

The same attacker was found to have compromised Wilson’s computer multiple times from June 2016 to 17 April 2018, when Wilson and other accused persons’ homes were raided in connection with the case.

Amnesty International had reported that several people assisting the accused including their lawyers had been targeted using the NetWire malware in 2020, and several of the accused had been targeted using the infamous Pegasus malware as well in 2019.

The Washington Post reports that Sudeep Pasbola, one of the lawyers representing Wilson, has said that the Arsenal Consulting report proves Wilson’s innocence and “destablizes” the prosecution case against the activists. Wilson’s lawyers have also reportedly added the report to their filings in a petition to the Bombay High Court to dismiss the case.

NIA spokesperson Jaya Roy told the Washington Post that their forensic analysis of Wilson’s laptop showed no evidence of malware.