How Hackers Framed a Priest for Terrorism | Hacking Documentary

00:00

In the midst of racial and political division in the eastern state of jharkhand india

00:06

citizens were shocked to find out that on October 8, 2020 - that Stan swamy

00:12

a prominent priest and human rights activist - - had been arrested

00:16

under India's anti-terror law on the basis of 50 files found on his computer

00:21

incriminating documents that linked Swamy with the maoist insurgency,

00:26

which sought to establish communist rule in India through violent revolution.

00:31

Swamy denied the allegations and claimed he was innocent, and he was innocent.

00:37

But who would have the motive to frame an elderly human rights activist for terrorism?

00:43

Swamy would never find out, Because despite his old age and poor health, he was denied bail and would die after spending less than a year in confinement on July 5th 2021.

00:55

But it wouldn't be until late December of 2022 when the truth was uncovered and his innocence was proven.

01:03

An american digital forensics firm: arsenal consulting discovered that hackers had gained control of his computer and were part of a much larger conspiracy

01:12

with their actions aligning sharply with state interests.

01:16

The timeline of activity indicated that extensive time, resources, and infrastructure had been dedicated to his surveillance.

01:24

The hackers that compromised Swamy’s computer planted evidence that led to his arrest with several others

01:31

and covered their tracks by deleting files that revealed their access to his machine.

01:36

the Arsenal report stating "It should be noted that this is one of the most serious cases involving evidence tampering that we’ve ever encountered,"

01:44

the Arsenal report stating "It should be noted that this is one of the most serious cases involving evidence tampering that we’ve ever encountered,"

01:56

Stan Swamy, was a Catholic priest, and a human rights activist for several decades.

02:02

He advocated for the rights of a group of people known as the Dalits, previously called the untouchables

02:08

they were the lowest of the caste system in india. Swamy fought against the displacement of these communities

02:15

and worked to protect the rights of Dalits - along with other marginalized groups in India.

02:20

Swamy suggested his arrest was linked to his activism work, as it involved dissent against government policies.

02:27

He said “What is happening to me is not something unique happening to me alone. It is a broader process that is taking place all over the country.

02:35

We are all aware how prominent intellectuals, lawyers writers, poets, activists, students, leaders, they are all put into jail because they have expressed their dissent or raised questions about the ruling powers of India.“

02:48

But little did Swamy know the extent he was surveilled - he was the target of an extensive malware campaign that stretched close to 5 years.

02:58

It all started when Swamy had received an email from someone posing to be part of the same activist group as Swamy.

03:04

In reality, this email was sent by a hacker, and attached to the email was a pdf file that looked like any other, but actually contained malware which silently infected Swamys computer when he downloaded it.

03:19

This is known as a spear phishing attack, where hackers portray themselves as trusted people - with the intention of stealing private information - or in this case downloading malware.

03:30

There were two pieces of malware that was hidden in the pdf file: NetWire and Dark Comet - these are remote access trojans - or RATs for short.

03:41

this is a type of malware a hacker can use to gain full admin privileges and remote control of a victim's computer.

03:49

The malware installed allowed hackers to transfer a series of files to a hidden folder on Swamy's computer,

03:55

including one that listed weapons possessed by various units of a militant rebel group and another that seemed to suggest kidnapping members of India's ruling party, the BJP.

04:06

but Arsenal also found something else on Swamy's computer: The hackers seem to have begun what Arsenal calls "antiforensics"

04:14

where they deleted files that revealed access to Swamy's machine in an apparent attempt to cover their tracks, just a day before Puna Police seized Swamy's computer.

04:25

In other words, the hackers wanted to plant fake evidence that could be revealed to incriminate Swamy

04:31

while also deleting actual evidence of their fabrications that might be discovered in legal proceedings

04:38

Based on artifacts in the computer's memory and disk storage, it was found that Swamy never touched the files himself.

04:46

After his devices were seized by Puna City Police, the files planted by the hackers was the digital evidence used to frame him and charge him with terrorism

04:56

as well as inciting a riot in 2018 that led to two deaths.

05:01

This riot in 2018 was the result of Long-Standing racial and political tensions when critics of the government clashed with pro-government supporters near Bhima Koregaon.

05:12

The event led to subsequent protests, resulting in more violence, leaving more people dead.

05:18

In the following months, police linked the cause of the violence to the banned Maoist Communist party of India.

05:24

But Arsenal's findings, match earlier cases of evidence fabrication, seemingly carried out by the same hackers, that targeted two defendants' machines that Arsenal had previously examined.

05:36

pegasus spyware was also found on the Swamys cell phone, pegasus is a commercial product only sold to governments.

05:44

and can be secretly installed on cell phones running most popular operating systems.

05:49

Pegasus is able to use a zero-click exploit. This type of exploit doesn’t require any interaction with the person using the device.

05:57

Pegasus is capable of reading texts, tracking calls, collecting passwords, location tracking, and can access a phones microphone and camera,

06:07

After the public release of the arsenal report, security researchers around the world collaborated to try to uncover the identities of the hackers

06:16

and their findings were so shocking - that they had the potential to cause widespread revolt in india.

06:22

A security analyst who chose to remain anonymous — learned that three of the victim email accounts compromised by hackers had a recovery email and phone number added as a backup.

06:34

This was intended to allow the hacker to easily regain control of the accounts in case the passwords were changed.

06:41

That recovery email on all three accounts included the full name of a police official in Puna who was closely involved in the Bhima Koregaon riot.

06:50

John Scott-Railton, a security researcher at the University of Toronto's Lab, confirmed the link between the the Puna City Police and the recovery email and number .

07:02

John dug up entries in open source databases of Indian numbers and emails, looking for the recovery number that linked it to an email address ending in [email protected].

07:14

a suffix for other email addresses used by police in Pune.

07:19

phone calls and multiple emails were sent to the Puna City Police and their police official whose personal details were linked to the hacked accounts, but they received no reply.

07:30

There was now undeniable evidence the Puna police were tied to a hacking campaign that had framed and jailed swamy

07:38

a dying old man - due to his activist work and for exercising his right to peaceful dissent.

07:46

But Swamy was far from unique in being targeted by the officials who sought to frame him. Based on the details of the malware and hacking infrastructure described in Arsenal's report,

07:56

its clear that hundreds of activists, journalists, and academics have been targeted since as early as 2012.

08:04

Given how recent these events were, only time will tell whether we see an impartial investigation into the unlawful targeted surveillance and falsified evidence against human rights activists in india.