India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
Amnesty International
15 June 2020
Nine human rights defenders, most of whom have been fighting
for the release of the Bhima Koregaon 11 through litigation, research,
or activism, were unlawfully targeted with a spyware attack.
This blog post is jointly written by Amnesty International and Citizen Lab. Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy at the University of Toronto.
Summary
- Amnesty International and the Citizen Lab have uncovered a coordinated spyware campaign targeting at least nine human rights defenders (HRDs) in India. Eight of the nine HRDs have been calling for the release of other prominent activists, popularly known as the Bhima Koregaon 11, most of whom have been imprisoned in Maharashtra, India since 2018.
- Between January and October 2019, the HRDs were targeted with emails containing malicious links. If these links were clicked, a form of commercially-manufactured Windows spyware would have been deployed, compromising the target’s Windows computers, in order to monitor their actions and communications. This is a violation of their rights to freedom of expression and privacy.
- At least three of the nine HRDs were also targeted with NSO Group’s Pegasus spyware in 2019.
Introduction
Amnesty International and the Citizen Lab have uncovered a coordinated spyware campaign targeting at least nine human rights defenders (HRDs) in India. These targets include activists, lawyers, academics, and journalists.
Between January and October 2019, each of the targets was sent
spearphishing emails containing malicious links that, if opened, would
have installed NetWire, a commercially available spyware. A
spearphishing attack is a targeted attempt to install spyware
(malicious software) on the victim’s computer or smartphone.
Spearphishing is generally performed by sending very carefully crafted
and personalized emails to the target, often impersonating colleagues or
loved ones.
While NetWire is known to be used in cybercrime and corporate espionage,
Amnesty International and the Citizen Lab believe that in this case it
was used to target the HRDs because of their human rights work.
Surveillance of people based solely on their human rights work
amounts to an arbitrary and unlawful attack on their privacy and
violates their right to freedom of expression and other rights that are
enshrined in the International Covenant on Civil and Political Rights,
to which India is a state party.
Context
The targeted HRDs have been openly speaking out about human rights
violations in the country. Recently, eight called for the release of 11
prominent activists arrested two years ago in relation to the protests
and violence at Bhima Koregaon in Maharashtra, a state in south-west
India. One of the targets is not directly linked to this case, but has
been vocal in calling for the release of GN Saibaba, a disabled academic
jailed in Maharashtra.
The Bhima Koregaon Case
On 31 December 2017, activists organized a public event in Bhima
Koregaon, Maharashtra. The following day, violence erupted between Dalits and Hindu nationalists.
Police claim that activists at the event allegedly instigated the
violence through inflammatory speeches. The police allegedly found
evidence of other criminal activities as well. In 2018, the Maharashtra
Police arrested nine activists including Sudha Bharadwaj, Shoma Sen,
Surendra Gadling, Mahesh Raut, Arun Ferreira, Sudhir Dhawale, Rona
Wilson, Vernon Gonsalves and Varavara Rao. The subsequent charge sheets
filed by the police accuse the HRDs of terror-related activities. In
February 2020, the National Investigation Agency (NIA) took over the
case from the Maharashtra police after the newly-elected Maharashtra
Government raised doubts about the police investigation and signalled a
probe against the officials. In March 2020, the Supreme Court of India
denied anticipatory bail applications of two other activists, Gautam
Navlakha and Anand Teltumbde, who were also charged in the same case.
They were both arrested on 14 April 2020. The case relies almost
entirely on digital evidence obtained from the arrested activists’
devices. In a breach of due process, some materials found on their
devices were also released to the media in an effort to smear the activists.
The arrest of the eleven HRDs is an egregious example of how Indian
authorities are clamping down on dissent and activism. These activists
have been charged under various penal provisions and the draconian
Unlawful Activities (Prevention) Act (UAPA), an anti-terror law that
violates several international human rights standards and circumvents
fair trial guarantees. It is also routinely used to intimidate HRDs,
journalists, activists and students through arbitrary arrests and
prolonged detention. These 11 activists are currently imprisoned and
rights groups, including Amnesty International India, have demanded their release.
The attempts at unlawful surveillance outlined in this blog are not
the first time that activists and HRDs have been targeted with malware
in India. In October 2019, Facebook’s WhatsApp revealed
that NSO Group, a surveillance tool vendor, had exploited a zero-day
vulnerability on their platform to target 1400 individuals earlier in
the year. A zero-day vulnerability is a security flaw in software which
is unknown to the vendor or developer. In collaboration with Citizen
Lab, WhatsApp revealed
that more than 100 of those targeted were HRDs, activists, and journalists
across numerous countries, and notified them of the breach. Subsequent reports revealed
that at least 22 of the 100 were activists, lawyers, and scholars,
including many HRDs who have been involved in advocating for the release
of the 11 activists. NSO Group says that it sells its products only to “government intelligence and law enforcement agencies”.
Targeted Campaign against HRDs demanding the release of the Bhima Koregaon 11
The spyware campaign revealed in this blog targeted lawyers and activists Nihalsing B Rathod, Degree Prasad Chouhan, Yug Mohit Chaudhry, and Ragini Ahuja; academics Partho Sarothi Ray and PK Vijayan; a journalist who prefers to stay anonymous; and a human rights collective, Jagdalpur Legal Aid Group (JAGLAG), which received malicious emails on the group’s official ID, which is accessed by all of its members, including lawyer Shalini Gera. Another JAGLAG member, Isha Khandelwal, also received malicious emails on her personal account. All the people mentioned consented to be named in this blog.
- Nihalsing B Rathod is a human rights lawyer based in Maharashtra. He has worked closely with the imprisoned lawyer Surendra Gadling as a junior lawyer. Crucially, he is one of the leading lawyers representing one of the 11 imprisoned HRDs in their legal proceedings.
- Isha Khandelwal is a lawyer associated with JAGLAG, a Chhattisgarh-based lawyers’ collective which provides legal aid to the Adivasi/indigenous and other marginalised communities. The group’s primary email, which was targeted, is also accessed by lawyer Shalini Gera. They are also involved in the legal defense of the HRDs in the same case.
- Degree Prasad Chouhan is a Dalit HRD who has worked closely with Sudha Bharadwaj in the past. Degree has been documenting and campaigning against land dispossession and forced evictions of indigenous communities in India, which have been carried out by coal companies and governments.
- Partho Sarothi Ray is a Kolkata-based activist and academic, who has been a vocal critic of rights violations in the country. He has also been a member of a collective called Persecuted Prisoners’ Solidarity Committee, and has spoken out openly against the imprisonment of these 11 activists.
- Yug Mohit Chaudhry and Ragini Ahuja are criminal lawyers based in Mumbai. Their main areas of work include litigating death penalty and civil liberties cases. They represent two of the 11 imprisoned activists in the legal proceedings.
- A journalist based in Maharashtra, who wishes to remain anonymous, was also targeted. The journalist has been closely reporting on the Bhima Koregaon case.
- Finally, PK Vijayan is a Delhi-based academic. He is not directly linked to the campaign for the release of the 11 HRDs, but is known to have campaigned for the release of GN Saibaba, a disabled academic who remains imprisoned in Maharashtra. Saibaba has been convicted under the draconian UAPA.
While the spyware campaign detailed in this blog has no known links
to NSO Group, three of the nine HRDs targeted - Shalini Gera (from
JAGLAG), Nihalsing B Rathod, and Degree Prasad Chouhan - were targeted
using NSO Group’s surveillance tools. Anand Teltumbde, who is one of
the 11 charged and imprisoned in the Bhima Koregaon incident, was also targeted
using NSO Group’s tools. That some of these individuals were targeted
multiple times shows that there is a disturbing pattern of spyware
attacks against HRDs involved in the Bhima Koregaon case.
A Campaign of Malicious Emails
During this investigation, we identified 12 spearphishing emails sent
between January and October 2019 targeting the nine activists.
A spearphishing attack is an attempt to install spyware (malicious
software) on the victim’s computer or smartphone by sending very
carefully crafted and personalized emails to the target, often
impersonating colleagues or loved ones. In a successful attack,
computers or mobile devices may, in essence, become wiretaps, revealing
confidential and intimate conversations and interactions and nullifying
the possibility of privacy or confidentiality. Besides this direct
effect, the secretive and ubiquitous nature of these attacks means that
the victims never know for certain if they are being targeted or have
unwittingly downloaded some kind of spyware. The consequence is that
they begin to fear that every communication poses a threat, which can be
highly disruptive to trust and collaboration.
Spearphishing Emails
One of the spearphishing emails was sent from an email ID
impersonating an activist who may be known to the targets.
Other spearphishing emails came from email IDs pretending to be
journalists or masquerading as officials from local courts.