The story so far: On Wednesday, activist Rona Wilson , who has been imprisoned since June 2018 in connection with the Bhima Koregaon violence case, filed a petition in the Bombay High Court seeking a stay on proceedings against him and others who are co-accused. His petition referred to a report brought out by Arsenal Consulting, a digital forensics consulting company based in Massachusetts, which was hired by Mr. Wilson’s defence team. The Arsenal Consulting report states that for 22 months, Mr. Wilson’s computer was controlled by an attacker whose goal was to deliver incriminating documents onto his computer, which formed the basis of the case against him.
What was Arsenal Consulting’s analysis based on?
Arsenal Consulting says its analysis was based “largely on a forensic image obtained from the Toshiba hard drive within Mr. Wilson’s Hewlett-Packard Pavilion dv5 Notebook computer and a thumb drive which has been attached to the computer”. A forensic image is often described as a bit-by-bit copy of any electronic device that can store memory. Such an image will include even deleted data or data that were inaccessible to the user. It is considered an important part of digital evidence-gathering during investigations.
How was the computer infiltrated?
What is being conveyed by the report is that Mr. Wilson’s computer got infiltrated by a malware that enabled his system to be remote-controlled. Over the course of 22 months, it says, the attacker not only created a hidden folder in his system, but also created incriminating documents inside that folder. These, it says, were never opened but ended up being used in the case against him and others.
The report says his computer got compromised on June 13, 2016 after a series of “suspicious mails” from “someone using Varavara Rao ’s email account”. Mr. Rao is a co-accused in the case. This person is said to have made repeated attempts to get Mr. Wilson to open a document, which he finally did. This was a bait, and it triggered the installation of the NetWire remote access trojan on his computer. The bait was delivered via an RAR file, which usually contains one or many files in a compressed format. The report says while “Mr. Wilson thought he was opening a link to Dropbox” in the email sent to him, he was actually opening a link to “a malicious command and control server”.
Before we come to Netwire and command and control server, why were the mails from Mr. Rao’s accounts considered suspicious? How was his computer compromised?
The first part is not clear from the report. But in its footnotes, Arsenal Consulting says the suspicious mails were recovered from Mr. Wilson’s computer. It also says, “Our understanding of how Varavara Rao was compromised will improve once we have access to Varavara Rao’s electronic devices and the contents of his online accounts.”
What is NetWire?
NetWire, which first surfaced in 2012, is a well-known malware. It is also one of the most active ones around. It is a remote access trojan, or RAT, which gives control of the infected system to an attacker. Such malware can log keystrokes and compromise passwords.
Malware, according to cybersecurity experts, essentially do two things. One is data exfiltration, which means stealing data. Most anti-virus software are equipped to prevent this. The other involves infiltrating a system, and this has proven to be far more challenging for anti-virus software. NetWire is described as an off-the-shelf malware, while something like Pegasus, which used a bug in WhatsApp to infiltrate users’ phones in 2019, is custom-made and sold to nations.
What is a command and control server?
The commands emerging from this server is what the infected system will carry out.
How did Arsenal Consulting figure out that the incriminating documents were never opened on Mr. Wilson’s computer?
Arsenal Consulting says it reviewed the NTFS file system, which can be found on any Windows system. This is a system of storing and organising files. It keeps a log of the files — whether they are created, modified, or deleted. Object identifiers are assigned to files when they are either created or first opened. Arsenal Consulting says none of the “top ten documents” have any such identifiers.
Also, it says, it studied the Windows Registry to check the version of Word program that Mr. Wilson had. It found that he had a 2007 version, but the incriminating documents were saved from the 2010 or 2013 version of Word. It also says that Mr. Wilson’s pen drive was also synchronised with the command and control server.