India: Human Rights Defenders Targeted by a Coordinated Spyware Operation

Amnesty International
15 June 2020

Nine human rights defenders, most of whom have been fighting for the release of the Bhima Koregaon 11 through litigation, research, or activism, were unlawfully targeted with a spyware attack.

This blog post is jointly written by Amnesty International and Citizen Lab. Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy at the University of Toronto.

Summary
  • Amnesty International and the Citizen Lab have uncovered a coordinated spyware campaign targeting at least nine human rights defenders (HRDs) in India. Eight of the nine HRDs have been calling for the release of other prominent activists, popularly known as the Bhima Koregaon 11, most of whom have been imprisoned in Maharashtra, India since 2018.
  • Between January and October 2019, the HRDs were targeted with emails containing malicious links. If these links were clicked, a form of commercially-manufactured Windows spyware would have been deployed, compromising the target’s Windows computers, in order to monitor their actions and communications. This is a violation of their rights to freedom of expression and privacy.
  • At least three of the nine HRDs were also targeted with NSO Group’s Pegasus spyware in 2019.

Introduction

Amnesty International and the Citizen Lab have uncovered a coordinated spyware campaign targeting at least nine human rights defenders (HRDs) in India. These targets include activists, lawyers, academics, and journalists.

Between January and October 2019, each of the targets was sent spearphishing emails containing malicious links that, if opened, would have installed NetWire, a commercially available spyware. A spearphishing attack is a targeted attempt to install spyware (malicious software) on the victim’s computer or smartphone. Spearphishing is generally performed by sending very carefully crafted and personalized emails to the target, often impersonating colleagues or loved ones.

While NetWire is known to be used in cybercrime and corporate espionage, Amnesty International and the Citizen Lab believe that in this case it was used to target the HRDs because of their human rights work.

Surveillance of people based solely on their human rights work amounts to an arbitrary and unlawful attack on their privacy and violates their right to freedom of expression and other rights that are enshrined in the International Covenant on Civil and Political Rights, to which India is a state party.

Context

The targeted HRDs have been openly speaking out about human rights violations in the country. Recently, eight called for the release of 11 prominent activists arrested two years ago in relation to the protests and violence at Bhima Koregaon in Maharashtra, a state in south-west India. One of the targets is not directly linked to this case, but has been vocal in calling for the release of GN Saibaba, a disabled academic jailed in Maharashtra.

The Bhima Koregaon Case

On 31 December 2017, activists organized a public event in Bhima Koregaon, Maharashtra. The following day, violence erupted between Dalits and Hindu nationalists. Police claim that activists at the event allegedly instigated the violence through inflammatory speeches. The police allegedly found evidence of other criminal activities as well. In 2018, the Maharashtra Police arrested nine activists including Sudha Bharadwaj, Shoma Sen, Surendra Gadling, Mahesh Raut, Arun Ferreira, Sudhir Dhawale, Rona Wilson, Vernon Gonsalves and Varavara Rao. The subsequent charge sheets filed by the police accuse the HRDs of terror-related activities. In February 2020, the National Investigation Agency (NIA) took over the case from the Maharashtra police after the newly-elected Maharashtra Government raised doubts about the police investigation and signalled a probe against the officials. In March 2020, the Supreme Court of India denied anticipatory bail applications of two other activists, Gautam Navlakha and Anand Teltumbde, who were also charged in the same case. They were both arrested on 14 April 2020. The case relies almost entirely on digital evidence obtained from the arrested activists’ devices. In a breach of due process, some materials found on their devices were also released to the media in an effort to smear the activists.

The arrest of the eleven HRDs is an egregious example of how Indian authorities are clamping down on dissent and activism. These activists have been charged under various penal provisions and the draconian Unlawful Activities (Prevention) Act (UAPA), an anti-terror law that violates several international human rights standards and circumvents fair trial guarantees. It is also routinely used to intimidate HRDs, journalists, activists and students through arbitrary arrests and prolonged detention. These 11 activists are currently imprisoned and rights groups, including Amnesty International India, have demanded their release.

The attempts at unlawful surveillance outlined in this blog are not the first time that activists and HRDs have been targeted with malware in India. In October 2019, Facebook’s WhatsApp revealed that NSO Group, a surveillance tool vendor, had exploited a zero-day vulnerability on their platform to target 1400 individuals earlier in the year. A zero-day vulnerability is a security flaw in software which is unknown to the vendor or developer. In collaboration with Citizen Lab, WhatsApp revealed that more than 100 of those targeted were HRDs, activists, and journalists across numerous countries, and notified them of the breach. Subsequent reports revealed that at least 22 of the 100 were activists, lawyers, and scholars, including many HRDs who have been involved in advocating for the release of the 11 activists. NSO Group says that it sells its products only to “government intelligence and law enforcement agencies”.

Targeted Campaign against HRDs demanding the release of the Bhima Koregaon 11

The spyware campaign revealed in this blog targeted lawyers and activists Nihalsing B Rathod, Degree Prasad Chouhan, Yug Mohit Chaudhry, and Ragini Ahuja; academics Partho Sarothi Ray and PK Vijayan; and a journalist who prefers to stay anonymous. A human rights collective, Jagdalpur Legal Aid Group (JAGLAG), received malicious emails on the group’s official ID, which is accessed by all of its members, including lawyer Shalini Gera. Another JAGLAG member, Isha Khandelwal, also received malicious emails on her personal account. All the people mentioned consented to be named in this blog.
  • Nihalsing B Rathod is a human rights lawyer based in Maharashtra. He has worked closely with the imprisoned lawyer Surendra Gadling as a junior lawyer. Crucially, he is one of the leading lawyers representing one of the 11 imprisoned HRDs in their legal proceedings.
  • Isha Khandelwal is a lawyer associated with JAGLAG, a Chhattisgarh-based lawyers’ collective which provides legal aid to the Adivasi/indigenous and other marginalised communities. The group’s primary email, which was targeted, is also accessed by lawyer Shalini Gera. They are also involved in the legal defense of the HRDs in the same case.
  • Degree Prasad Chouhan is a Dalit HRD who has worked closely with Sudha Bharadwaj in the past. Degree has been documenting and campaigning against land dispossession and forced evictions of indigenous communities in India, which have been carried out by coal companies and governments.
  • Partho Sarothi Ray is a Kolkata-based activist and academic, who has been a vocal critic of rights violations in the country. He has also been a member of a collective called Persecuted Prisoners’ Solidarity Committee, and has spoken out openly against the imprisonment of these 11 activists.
  • Yug Mohit Chaudhry and Ragini Ahuja are criminal lawyers based in Mumbai. Their main area of work includes litigating death penalty and civil liberties cases. They represent two of the 11 imprisoned activists in the legal proceedings.
  • A journalist based in Maharashtra, who wishes to remain anonymous, was also targeted. The journalist has been closely reporting on the Bhima Koregaon case.
  • Finally, PK Vijayan is a Delhi-based academic. He is not directly linked to the campaign for the release of the 11 HRDs, but is known to have campaigned for the release of GN Saibaba, a disabled academic who remains imprisoned in Maharashtra. Saibaba has been convicted under the draconian UAPA.

While the spyware campaign detailed in this blog has no known links to NSO Group, three of the nine HRDs targeted - Shalini Gera (from JAGLAG), Nihal Singh Rathod, and Degree Prasad Chouhan - were targeted using NSO Group’s surveillance tools. Anand Teltumbde, who is one of the 11 charged and imprisoned in the Bhima Koregaon incident, was also targeted using NSO Group’s tools. That some of these individuals were targeted multiple times shows that there is a disturbing pattern of spyware attacks against HRDs involved in the Bhima Koregaon case.

A Campaign of Malicious Emails

During this investigation, we identified 12 spearphishing emails sent between January and October 2019 targeting the nine activists.

A spearphishing attack is an attempt to install spyware (malicious software) on the victim’s computer or smartphone by sending very carefully crafted and personalized emails to the target, often impersonating colleagues or loved ones. In a successful attack, computers or mobile devices may, in essence, become wiretaps, revealing confidential and intimate conversations and interactions and nullifying the possibility of privacy or confidentiality. Besides this direct effect, the secretive and ubiquitous nature of these attacks means that the victims never know for certain if they are being targeted or have unwittingly downloaded some kind of spyware. The consequence is that they begin to fear that every communication poses a threat, which can be highly disruptive to trust and collaboration.

Spearphishing Emails

One of the spearphishing emails was sent from an email ID impersonating an activist who may be known to the targets. Other spearphishing emails came from email IDs pretending to be journalists or masquerading as officials from local courts.

