Bhima Koregaon case: Prison-rights activist Rona Wilson’s hard disk contained malware that allowed remote access

12 March 2020
Sukruti Anah Staneley for The Caravan

On 17 April 2018, the Pune Police raided the Delhi home of Rona Wilson, a noted prison-rights activist, and arrested him for his alleged role in the violence at the Bhima Koregaon memorial in January that year. A few months later, the police claimed to have found a letter on the hard disk of Wilson’s computer containing details of a “naxal” plot to assassinate Prime Minister Narendra Modi and “overthrow the government.” The Caravan conducted a cyber-forensic examination of the contents of Wilson’s hard disk, working from the clone of the disk that the Pune Police presented in court and supplied to all the accused. Our investigation revealed that the disk contained malware that can be used to access the computer remotely and plant files on it. We also found several other discrepancies that point towards manipulation of evidence in the case.

The Pune Police used letters it found on the disk, as well as on a hard disk seized from the human-rights lawyer Surendra Gadling, who was arrested in June, as its primary evidence in the charge sheet it filed in the Bhima Koregaon case. It has arrested nine prominent activists and scholars so far, including Wilson and Gadling, who are alleged to have either written these letters or been mentioned in them. On 14 December 2019, we reported several discrepancies found during a similar examination of Gadling’s disk, which also indicated that the letters could have been planted. While in Wilson’s case the police provided the court with a true clone of his hard disk, in Gadling’s case it submitted only the incriminating files found on his disk. Until the police provides a clone of Gadling’s hard disk, it is impossible to tell whether it, too, had been compromised by malware.

While examining the contents of Wilson’s disk, we found an executable file that antivirus scanners flag as Win32:Trojan-Gen, a generic detection name for trojans of the kind that can steal information such as usernames and passwords and, more importantly, give an attacker remote access to the computer, which can then be used to plant files on it. The executable, we found, is configured to launch automatically every time the computer is switched on. This persistence mechanism leaves no room to doubt that the malware was installed and running on Wilson’s computer before the Pune Police seized it. Malware of this kind can be delivered in several ways, including when the recipient clicks a malicious link sent by email or instant message.
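The persistence described above, an executable configured to start with the machine, is what a forensic examiner looks for first in the registry’s Run keys of a disk image. The following Python script is an added example, not code from The Caravan’s investigation or from any tool it used: it parses a text export of those keys in the standard .reg format, extracts the program each entry launches, and flags entries that run from user-writable directories, where malware commonly hides. The sample export embedded in the script is constructed for illustration, and its username and paths are invented; the registry key names and the .reg syntax are the real Windows ones, while the list of “suspicious” directories and the environment-variable expansion table are this example’s own assumptions.

```python
"""Offline triage of Windows autostart (Run-key) entries from a .reg export.

Added example, not code from the article or its authors. Given a text export
of the Run/RunOnce keys from a suspect machine's registry hives, list every
program configured to launch automatically and flag those that execute from
user-writable directories. The sample export at the bottom is constructed.
"""
import re

# Real Windows registry paths for the most common autostart keys; limiting
# triage to these keys is this example's choice.
AUTOSTART_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
)

# Path fragments for directories a non-admin user can write to (assumption:
# these are the locations worth a second look, hashing and signer check).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\",
    "\\programdata\\", "\\downloads\\",
)

# Expansions so that %VAR%-based paths can be classified offline;
# <user> stands for any profile name (assumed defaults).
ENV_EXPANSIONS = {
    "%windir%": "C:\\Windows",
    "%systemroot%": "C:\\Windows",
    "%programfiles%": "C:\\Program Files",
    "%programdata%": "C:\\ProgramData",
    "%userprofile%": "C:\\Users\\<user>",
    "%appdata%": "C:\\Users\\<user>\\AppData\\Roaming",
    "%localappdata%": "C:\\Users\\<user>\\AppData\\Local",
    "%temp%": "C:\\Users\\<user>\\AppData\\Local\\Temp",
    "%tmp%": "C:\\Users\\<user>\\AppData\\Local\\Temp",
}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
# "Name"="data" or @="data"; .reg escapes backslash and quote with a backslash.
_STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
_QUOTED_IMAGE = re.compile(r'^\s*"([^"]+)"')
_BARE_IMAGE = re.compile(
    r"^\s*(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", re.IGNORECASE
)


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any char yields that char.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, data) for every string value in a .reg export.

    Only REG_SZ values are parsed; hex(...)/dword: values and their
    continuation lines are skipped, which is sufficient for Run keys.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _STRING_VALUE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            entries.append((key, name, _unescape(m.group(2))))
    return entries


def extract_image_path(command):
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    m = _QUOTED_IMAGE.match(command) or _BARE_IMAGE.match(command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def normalize_path(path):
    """Expand known %VAR% references and lower-case for comparison."""
    def repl(m):
        return ENV_EXPANSIONS.get(m.group(0).lower(), m.group(0))
    return re.sub(r"%[^%]+%", repl, path).lower()


def is_user_writable(path):
    return any(marker in normalize_path(path) for marker in USER_WRITABLE_MARKERS)


def triage_autoruns(reg_text):
    """List autostart entries, flagging those launched from user-writable dirs."""
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        if not key.lower().endswith(AUTOSTART_KEY_SUFFIXES):
            continue
        image = extract_image_path(command)
        findings.append({"key": key, "name": name, "command": command,
                         "image": image, "user_writable": is_user_writable(image)})
    return findings


# Constructed sample export (not from any real disk), in the format written by
# regedit / "reg export"; the hex value shows a non-string entry being skipped.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\Public\\Libraries\\update.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Sync"="%APPDATA%\\sync\\sync.exe -k netsvc"
@="C:\\Users\\user\\AppData\\Local\\Temp\\x.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00,37,a8,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  01,00,00,00
'''

if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REG_EXPORT):
        tag = "SUSPECT" if f["user_writable"] else "ok     "
        print(f"{tag}  {f['key']}\\{f['name']}: {f['image']}")
```

The script only narrows the field: an entry in AppData or a Public folder is a lead, not a verdict. The next steps on a real image are to hash the flagged executable, check whether it is signed, and submit it to several antivirus engines, which is how a detection name such as Win32:Trojan-Gen is obtained in the first place.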

Martand Kaushik is an associate editor at The Caravan.

Anjaneya Sivan is a software engineer at The Caravan.

Keywords: Bhima Koregaon, Rona Wilson, Pune Police, Bharatiya Janata Party, Nationalist Congress Party, Shiv Sena