Human security

Security researchers claim link between Pune police and hacking campaign against accused Bhima Koregaon

New Delhi: Security researchers in the United States have claimed to have discovered new evidence linking the Pune police to the hacking of the email accounts of activists Rona Wilson and Varavara Rao and Hany Babu, a professor at the University of Delhi. This is the first time that state involvement has been directly established in this case.

The three individuals are among 16 defendants arrested in the Elgar-Parishad case. Among them, 84-year-old Jharkhand tribal rights activist Father Stan Swamy died in July last year. In recent years, several digital forensic investigators have questioned the nature of evidence collected by Indian law enforcement from the defendant’s electronic devices, with one firm noting that hackers planted incriminating evidence on at least two activists who had been arrested.

Now security researchers have found links between the hacking attempts of three of the defendants and the Pune Police Department.

“There is a demonstrable link between the individuals who arrested these people and the individuals who concealed the evidence,” said Juan Andres Guerrero-Saade, security researcher at SentinelOne. Told Wired magazine.

“It’s beyond ethical compromise. It’s beyond insensitivity. So we’re trying to put forward as much data as possible in hopes of helping these victims.

SentinelOne’s new findings specifically link the Pune police to a long-running hacking campaign they call “Modified Elephant”. After pro bono researching more than 100 phishing emails received by Wilson (which came from his defense attorneys), SentinelOne discovered that the first attack against him was in 2012. The report states that the attack began in 2012 but only escalated in 2014 and continued aggressively until at least 2016.

The new SentinelOne revelations, published today in Wired magazinejust worked with an anonymous email service provider who provided them with crucial data allowing them to allege a link to the Indian law enforcement agency.

In particular, the security research organization points out that three of the victims’ email accounts (Wilson, Babu and Rao) compromised by hackers in 2018 and 2019 had a recovery email address and phone number added as backup mechanism (to allow the hacker to easily regain control of accounts if their passwords have been changed).

Who owns this recovery email ID and phone number? According to the publication, the email address “featured the full name of a Pune police officer who was closely involved in the Bhima Koregaon 16 case.”

The publication and researchers from other institutions such as internet watchdog Citizen Lab collaborated further to confirm that the recovery email id and recovery phone number belonged to a Pune police official.

“Security researcher Zeshan Aziz found the recovery email address and phone number linked to the name of the Pune police chief in the leaked database of TrueCaller, a caller ID app and call blocking, and found the phone number linked to his name in the leaked database of, an Indian job recruitment website….”, the report notes

“Scott Railton [of Citizen Lab] further found that the WhatsApp profile picture for the recovery phone number added to the hacked accounts shows a selfie photo of the police officer – a man who appears to be the same officer during police press conferences and even on a news photo taken during the arrest of Varvara Rao.

In the case of Rona Wilson, according to the email service provider security analyst who worked with SentinelOne, her email account received a phishing email in April 2018 and then appeared to be compromised by hackers. – at the same time, the email and phone number related to Pune city police have been added as recovery contacts.

Importantly, the media report notes, the recovery details could only be added through a verification process (either a confirmation link or an SMS). This suggests that the police therefore indeed checked this e-mail address and telephone number. targeted, but he was tired of seeing such things happen.

“We don’t usually tell people who targeted them, but I’m kinda tired of watching the shit burn,” the email provider’s security analyst said. Wired of their decision to reveal the identification evidence of the hacked accounts. “These guys don’t go after terrorists. They attack human rights defenders and journalists. And that’s not good.