More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges.
Researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group.
Only now have SentinelOne's researchers revealed ties between the hackers and the Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.
Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August.
Guerrero-Saade said: "This is beyond ethically compromised. It is beyond callous. So we're trying to put as much data forward as we can in the hopes of helping these victims." SentinelOne's new findings that link the Pune City Police to the long-running hacking campaign, which the company has called Modified Elephant, center on two particular targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group called the Bhima Koregaon 16, named for the village where violence between Hindus and Dalits -- the group once known as "untouchables" -- broke out earlier that year. (One of those 16 defendants, 84-year-old Jesuit priest Stan Swamy, died in jail last year after contracting Covid-19. Rao, who is 81 years old and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.)