Bhima Koregaon case: Pune cop planted evidence in devices of jailed activists, says report

KOLKATA: US-based security experts have accused Pune police of planting 'false incriminating evidence' in electronic devices belonging to at least three activists arrested in connection to the Bhima Koregaon case, in a report published by the highly-reputed tech publication Wired on June 16, 2022.

According to the report, researchers at security firm SentinelOne have exposed 'a provable connection' between the broader hacking operation behind the alleged evidence fabrication and the law enforcement officials in Pune who made multiple arrests based on the same evidence.

For the unversed, the Bhima Koregaon case is named after a village in Pune where, on January 1, 2018, violence erupted between Dalit and Maratha groups leading to the death of at least one person and injuries to several others. The police claimed that inflammatory speeches made at the Elgar Parishad event, held to commemorate the two hundredth anniversary of the Battle of Bhima Koregaon, on December 31, 2017, were responsible for the January 1 violence near the Koregaon-Bhima war memorial located in the district in western Maharashtra. The annual gathering celebrates the victory of a regiment of Mahar Dalits, serving in the British Army, who had defeated the Peshwa's army in the battle on January 1, 1818.

The police arrested 16 people in connection with this incident, including activists like Varavara Rao, Rona Wilson, Hany Babu, Sudha Bharadwaj, Arun Ferreira, Arun Gonsalves, the late Father Stan Swamy, Anand Teltumbde, Gautam Navlakha, Vernon Gonsalves, and others. The probe in the case, in which more than a dozen activists and academicians have been named as accused, was later transferred to the National Investigation Agency. The NIA booked them for offences under the Unlawful Activities (Prevention) Act (UAPA) and accused them of attempts to overthrow the government. The prosecution claimed the conclave was organised by people with alleged Maoist links. The activists are accused of being active members of the CPI (Maoist) and propagating Maoist ideology and inciting violence.

SentinelOne's findings on the link between hackers and cops in Pune stem from evidence that was excavated from devices belonging to two specific defendants - Rona Wilson and Varavara Rao. Early last year, analysts at another security firm called Arsenal Consulting had already revealed that 32 files were planted into a folder on Wilson's device through a malware called NetWire. And how did the malware reach his device? According to Arsenal analysts, it was activated by an attachment sent from Varavara Rao's email account, which was also compromised by the same hackers.

FROM OUR ARCHIVES | Activist Rona Wilson targeted by two groups backed by same entity: Washington Post

Wired quoted Arsenal's president, Mark Spencer, report to the Indian court where he termed this "one of the most serious cases involving evidence-tampering that Arsenal has ever encountered."

Now, in February this year, SentinelOne analysed the hacking systems that were used in this evidence fabrication and found something even more shocking. The planting of evidence in Wilson's and Rao's devices was not an isolated incident. According to the findings that they shared with Wired, the same hackers were routinely targeting activists, lawyers, journalists and academics since 2012. They added that this "activity aligns sharply with Indian state interests".

It is in the latest set of findings that SentinelOne says they have finally ascertained the link to the Pune police. The researchers found that the hacked email addresses belonging to Wilson, Rao, and another defendant, Hany Babu, were all backed up with another email address and phone number.

A little more digging finally let the cat out of the bag --- the recovery email address and phone number, which could help access their email accounts despite a password change, contained the full name of a police officer from Pune. In fact, the analysts further stated that he was one of the cops associated with this very case.

This link was then subjected to further verification. Another security researcher, named John Scott-Railton, tallied the recovery phone number with information from publicly available databases and found that it was linked to an email address ending in pune@ic.in. For reference, this is a suffix for other email addresses used by Pune Police.

EDITORIAL | Stan Swamy and the murder of justice

This was reverified by another independent researcher through TrueCaller, a caller-ID app, and then consequently, from directories of Indian law enforcement. The police officer’s link to the Bhima Koregaon case was established when Scott-Railton tallied the face in his WhatsApp profile picture to that of a cop who was photographed by the media during Varavara Rao’s arrest. 

There were other instances that prove that the activists’ email accounts were compromised by this very hacking network. According to analysts, IP addresses that were earlier already identified as belonging to these hackers were used in April 2018 to access these email accounts, send phishing emails, and add the contact information of Pune's law enforcement officials as a backup. The malware spread from one person to another through phishing emails sent to and from these compromised accounts in the months leading up to their arrests.

"This is beyond ethically compromised. It is beyond callous. So we're trying to put as much data forward as we can in the hopes of helping these victims," Juan Andres Guerrero-Saade, a security researcher at SentinelOne, told Wired. He, along with fellow researcher Tom Hegel, are set to present their findings at the Black Hat security conference in August this year.