Life and liberty in the Bhima Koregaon case

Father Stan Swamy’s computer was compromised from 2014, the longest period that an accused has been targeted in Arsenal’s experience, suggesting institutional hacking.
Illustration of Father Stan Swamy

Once, twice, three times—twice too often to attribute to chance—a digital security consultancy has found that NetWire malware was used to drop incriminating files on the computers of detenus in the Bhima Koregaon case. It is obviously no case because hearings have not even begun, though the first suspects were arrested in June 2018 for a nebulous conspiracy to assassinate the prime minister, who had earlier expressed nebulous anxieties about his person.

NetWire was first detected on images of the computers of Rona Wilson and Surendra Gadling by Arsenal Consulting in the US. This week, it revealed that 44 files were also dropped in a hidden directory of the Jesuit priest Father Stan Swamy’s laptop, including ‘Inheritors of Naxalbari.docx’ and ‘Persecuted Prisoners Solidarity Committee.docx’.

Swamy had helped tribal youth arbitrarily accused of far-left activities. Eventually, with a little help from an anonymous NetWire-slinger, he was arrested on that very charge. Afflicted with Parkinson’s disease, he died of neglect in custody. Infamously, under jail rules, he was denied a sipper, without which he could not drink water. The human factor makes Arsenal’s findings about his laptop the most damaging so far. But damaging to whom?

Swamy’s machine was compromised from 2014, the longest period that an accused has been targeted in Arsenal’s experience, suggesting institutional hacking. The day before Swamy’s arrest, the attacker began to erase traces of his activity. After he had made himself at home in the computer for over four years, the sudden shredding of files suggests that he knew the machine was about to be seized. Who told him?

Swamy certainly didn’t know, and in his ignorance, he compromised the operation. The attacker could not issue the final command to NetWire to erase itself from the computer because Swamy shut down Windows on the last night that he was a free man. We know so much now because of that random event. With a little diligence in India, we may even learn the hacker’s identity.

(L-R) Activists Rona Wilson, Varavara Rao, and Hany Babu face charges under UAPA in the Bhima Koregaon case. (File Photos)

Arsenal did not just plough through gigabytes of hexadecimal in search of NetWire’s spoor (console cowboys long in the tooth would remember PC Tools, which ran from the command line; Arsenal’s output looks exactly like that, but in a GUI). From prior experience with the malware, it knew exactly where to look in Swamy’s disk for traces of malware activity.

NetWire is a social engineering workhorse which appeared in the wild a decade ago. Its incidence spiked during Covid-19, when hackers used it to prey on desperate, frightened and depressed people, offering fake life-and-death solutions. It is ideal for targeting online activist groups where, typically, a bad actor gains admission to a trusted space and sends a communication with an attachment containing the malware, which could be a PDF or Word document with a malicious macro. The point to note is that the attacker does not know who will click on it. He is not shooting for a specific person, as in spear-phishing. He only wants someone, anyone in the group, to fall for him.

That may explain a puzzling feature of the Bhima Koregaon accused: there’s very little in common between them, apart from their broad politics. They have led diverse lives. What’s common between the revolutionary poet Varavara Rao and the student of caste Anand Teltumbde, who are now out on bail, except for their opposition to Hindutva? Teltumbde, who was accused of being the convener of the Elgaar Parishad event, was not even in town during the event. No conspiracy can be established, so the case—technically the most important in India since a PM’s life was allegedly at stake—has not been taken to trial.

However, the accused do have something more in common—they are very likely to have been on the same discussion groups and exposed to the same malware, which planted incriminating files on the disks of those who incautiously clicked on poisoned attachments. Administrators of groups to which the Bhima Koregaon accused belonged should examine their membership lists and recheck credentials very carefully. Is there someone who joined up in 2014, when the Swamy hack began, and went inactive or pulled out at the time of the arrests? Arsenal has raised technical alerts, but human intelligence in India may zero in on a person because one must not underestimate the governmental apparatus’ talent for stupidity, or its assets’ capacity for humanity, either. Someone, somewhere, may be dying to seek absolution for killing a priest slowly.

The Bhima Koregaon case is not important because the life of a prime minister was threatened. He made absurd claims of being lethally threatened after demonetisation—an economic intervention which was actually a political jolly rogering adventure to erase the Opposition in UP—and, puzzlingly, when he was approached by his party workers waving a party flag while stuck in traffic on a Punjab flyover. Such claims need not be taken seriously.

The Bhima Koregaon case is important because it is a live demo of the ability of the State to deny liberty and even life by the valid execution of due process, with the active aid of hackers and the passive aid of a Supreme Court which has conveniently forgotten that it has the power to intervene suo motu on matters concerning life and liberty, the most fundamental rights. It is an indictment of both the party in power and the courts. The law may take its course, but it must not take its time. Certainly not to the extent that a detained person’s allotted time on Earth runs out, as it did in Swamy’s case.

Pratik Kanjilal

Editor of The India Cable

(Tweets @pratik_k)


The New Indian Express