The late Father Stan Swamy’s computer was compromised by the same attacker who hacked the computers of co-accused Rona Wilson and Surendra Gadling in the Bhima Koregaon caste violence case, U.S.-based digital forensics firm Arsenal Consulting has found.
Fr. Swamy, 82, a Jesuit priest and tribal rights activist, was arrested by the National Investigation Agency (NIA) from his home in Ranchi on October 8, 2020. While in judicial custody, he died on July 5, 2021, at a private hospital where he was being treated for COVID-19. The Chelsea-based company was engaged by Fr. Swamy’s defence team to analyse electronic evidence seized from his home by the Pune Police on June 12, 2019. On February 10, 2021, the same consultancy had found that a hacker controlled Mr. Wilson’s computer for a period of 22 months to plant documents, which led to an investigation that supposedly unravelled a Communist Party of India (Maoist) conspiracy to eliminate Prime Minister Narendra Modi “in another Rajiv Gandhi type incident”.
According to the report released on December 11, 2022, Arsenal Consulting’s analysis showed that Fr. Stanislaus Lourduswamy’s computer was compromised from October 19, 2014 till his computer was seized by Pune police on June 12, 2019. “The attacker responsible for compromising Fr. Swamy’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery,” the report points out.
The forensic investigation has established that the same attacker hacked the computers of Mr. Wilson, Mr. Gadling and Fr. Stan, using significant malware infrastructure which was deployed over the course of over six years. The Hindu has a copy of the report, which discloses, “Fr. Swamy’s computer was first compromised by the attacker on October 19, 2014 when he opened a document weaponized with NetWire.”
NetWire is a popular multi-platform Remote Access Trojan (RAT) system. Its features include uploading and downloading files, remote shells, keylogging, proxy chaining (making the identification of attackers more difficult), “stealth” screenshots, and password “recovery”. The NetWire that Fr. Swamy executed was identical to the NetWire embedded in documents emailed to Mr. Wilson on November 16 and 28, 2014.
Arsenal found and decrypted NetWire logs from Fr. Swamy’s computer which covered 383 days between July 21, 2015 and June 11, 2019. NetWire logs are 12 files used for surveillance purposes and contain keystrokes and other information related to the victim. The activity captured in these logs included Fr. Swamy browsing websites, submitting passwords, composing emails, and editing documents.
The 25-page report mentions, “In the Bhima Koregaon case, the attacker used C2 servers - which is a computer system (often virtual) used by an attacker to send and receive data to and from compromised electronic devices. This was used to control malware (e.g. the DarkComet and NetWire RATs), to receive files for surveillance purposes, and to host incriminating files for deployment to victims. The attacker’s surveillance of Fr. Swamy’s removable storage devices and the secondary volume of his computer was quite extensive, involving at least 13 removable storage devices (thumb drives and external hard drives) and over 24,000 files and folders.”
“Arsenal located the incriminating documents on Fr. Swamy’s computer, as they were delivered using the same 14 methodologies used by the attacker to deliver incriminating documents to Mr. Wilson and Mr. Gadling’s computers,” the report reads.