Hackers Planted Files to Frame Indian Priest Who Died in Custody

According to Arsenal, Swamy never touched the files himself. After his devices were seized by Pune City Police, those files were among the digital evidence used to charge him and the other Bhima Koregaon 16 defendants with terrorism as well as inciting a riot in 2018 that led to two deaths.

All of Arsenal’s findings, the firm notes, match the two earlier cases of evidence fabrication it documented on other defendants’ machines, seemingly carried out by the same hackers. “Arsenal has effectively caught the attacker red-handed (yet again),” the report adds.

On Swamy’s computer, however, Arsenal also found something new: The hackers seem to have begun what Arsenal calls “antiforensics,” a clean-up operation, on June 11, 2019, deleting files that revealed their access to Swamy’s machine in an apparent attempt to cover their tracks, just a day before Pune Police seized Swamy’s computer on June 12 of that year. Arsenal describes that attempt at antiforensics as “both unique and extremely suspicious given the computer’s imminent seizure.”

In other words, the hackers wanted to plant fake evidence that could be revealed to incriminate Swamy while also deleting actual evidence of their fabrications that might be discovered in legal proceedings, says Tom Hegel, a researcher for security firm Sentinel One. (Hegel and his colleague Juan Andres Guerrero‑Saade published their own findings on the Bhima Koregaon hacking cases this year.) Hegel argues the timing of that deletion, which he says displays a sloppy urgency, suggests the hackers somehow knew the seizure of Swamy’s devices was coming, and after five years of stealthy access to his computer, scrambled to erase their fingerprints. “The timing and the rushed cleanup effort is, in my opinion, clear evidence of collusion between the police unit and the attackers at that point,” Hegel says.
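The three observations the preceding paragraphs rest on, a multi-year dwell time, a burst of deletions in the hours before seizure, and planted documents that the user never opened, are the kind of thing an examiner reads off a filesystem super-timeline of the seized image. The following is an added illustration of that triage, not code from Arsenal’s report or from SentinelOne; the timeline column layout, every path and timestamp in the sample rows, and the assumed time of day of the seizure are constructed here to show the checks and do not come from the case.

```python
"""Timeline triage for a seized disk image (added example, constructed data).

Assumes a pre-built super-timeline exported as CSV rows of
"timestamp,action,path" in UTC. The sample rows below are constructed for
illustration; they are not artefacts from Swamy's computer.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a long-lived implant, documents dropped into a user
# directory that are never opened, then a cluster of deletions shortly
# before the (assumed) seizure time.
SAMPLE_TIMELINE = """\
timestamp,action,path
2014-10-07T09:12:00Z,create,C:/Users/u/AppData/Roaming/svc/loader.exe
2014-10-07T09:12:05Z,execute,C:/Users/u/AppData/Roaming/svc/loader.exe
2017-03-02T14:41:00Z,create,C:/Users/u/Documents/hidden/letter_01.doc
2018-06-19T22:03:00Z,create,C:/Users/u/Documents/hidden/letter_02.doc
2018-11-05T08:15:00Z,open,C:/Users/u/Documents/notes.txt
2019-06-11T23:10:00Z,delete,C:/Users/u/AppData/Roaming/svc/loader.exe
2019-06-11T23:10:07Z,delete,C:/Users/u/AppData/Roaming/svc/config.dat
2019-06-11T23:10:30Z,delete,C:/Users/u/AppData/Roaming/svc/log.txt
2019-06-11T23:11:02Z,delete,C:/Users/u/AppData/Local/Temp/stage.tmp
"""

# Seizure date is from the report; the time of day is an assumption.
SEIZURE = datetime(2019, 6, 12, 10, 0, tzinfo=timezone.utc)


def parse_timeline(text):
    """Parse CSV rows into a time-sorted list of (timestamp, action, path)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts.replace(tzinfo=timezone.utc), r["action"], r["path"]))
    rows.sort()
    return rows


def dwell_days(events, seizure):
    """Days between the earliest recorded event and the seizure."""
    return (seizure - events[0][0]).days


def deletion_bursts(events, seizure, window=timedelta(hours=48),
                    gap=timedelta(minutes=5), min_size=3):
    """Group deletions inside `window` before the seizure into bursts.

    Consecutive deletions less than `gap` apart belong to one burst; only
    bursts of at least `min_size` files are returned, which filters out
    routine single-file housekeeping.
    """
    dels = [(ts, path) for ts, action, path in events
            if action == "delete" and seizure - window <= ts < seizure]
    bursts, current = [], []
    for ts, path in dels:
        if current and ts - current[-1][0] > gap:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append((ts, path))
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def files_never_opened(events):
    """Paths created on disk with no later open/execute/modify event.

    These are candidates for 'planted, never touched by the user'; the
    result needs corroboration from other artefacts before it means anything.
    """
    created, touched = {}, set()
    for ts, action, path in events:
        if action == "create":
            created.setdefault(path, ts)
        elif action in ("open", "execute", "modify") and path in created:
            touched.add(path)
    return sorted(p for p in created if p not in touched)


def triage(text=SAMPLE_TIMELINE, seizure=SEIZURE):
    """Run all three checks and return the findings as a dict."""
    events = parse_timeline(text)
    return {
        "dwell_days": dwell_days(events, seizure),
        "deletion_bursts": deletion_bursts(events, seizure),
        "never_opened": files_never_opened(events),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The burst check is deliberately relative to the seizure timestamp rather than absolute: a handful of deletions is unremarkable on its own, and it is the proximity of a tight cluster to a date the attacker should not have known that makes the finding worth reporting.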

That cleanup is one of several signs that the hackers who targeted members of the Bhima Koregaon 16 may well have been working in league with the Pune City Police who arrested many of the defendants. Last June, Hegel and Guerrero‑Saade revealed to WIRED that an official in the Pune City Police appears to have added his own email address and phone number to several of the defendants’ hacked email accounts, in some cases months before they were arrested, seemingly as a crude backup mechanism to try to maintain access to their accounts. “There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” Guerrero‑Saade told WIRED at the time.

Pune City Police officials declined to respond to WIRED’s request for comment, both in June and in response to the new findings from Arsenal.

Of the 16 Bhima Koregaon defendants, 11 remain in jail. Three have been released on bail, and one has been confined to house arrest. But the case of Stan Swamy, the oldest of the defendants and the only one to die in detention, has taken perhaps the biggest spotlight: Human rights organizations and the US State Department have spoken out against Swamy’s imprisonment, and he was posthumously awarded the Martin Ennals Award, sometimes described as the Nobel Prize for human rights defenders.

But Swamy was far from unique in being targeted by the hackers who sought to frame him. Based on the details of the malware and hacking infrastructure described in Arsenal’s report, Hegel says that the hackers who broke into Swamy’s computer, as well as those of the two other Bhima Koregaon defendants, are part of the group Sentinel One calls “Modified Elephant.” Hegel and Guerrero‑Saade analyzed the group’s code and command-and-control servers in a report they published in February that tied Modified Elephant to the targeting of hundreds of activists, journalists, and academics since as early as 2012.

“The links back to Modified Elephant are extremely obvious and verifiable,” says Hegel. “It’s another confirmation, at least from the evidence we have so far, that the defendants in the Bhima Koregaon case have been framed.” And it’s becoming harder than ever to deny that the hackers who did that framing were in league with the very authorities who condemned Stan Swamy to spend the last months of his life in a jail cell.