You are reading an older article which was published on Dec 17, 2021.

Rona Wilson's iPhone Infected With Pegasus Spyware, Says New Forensic Report

Arsenal Consulting was engaged by Wilson’s defence lawyers to study the electronic evidence submitted against him in the Elgar Parishad case.

Mumbai: Rona Wilson, a prisoners’ rights activist and academic based in Delhi, was a victim of both surveillance and incriminating document delivery for close to a year before his arrest on June 6, 2018, according to a new digital forensics report.

Wilson, who is originally from Kerala and continued his social activism work in Delhi, was one of the first persons to be arrested in the Elgar Parishad case.

A recent report released by a Massachusetts-based digital forensics firm, Arsenal Consulting, concludes that Wilson’s phone, an Apple iPhone, was not just selected for surveillance by a client of Israel’s NSO Group but was also successfully compromised on many occasions.

The NSO Group has reiterated on multiple occasions that it sells Pegasus only to “vetted governments”.

In July this year, as a part of the Pegasus Project, The Wire had reported that Wilson was one of the first targets – attacked as early as mid-2017 – of the highly intrusive Pegasus spyware. This investigation, done in collaboration with the France-based media non-profit Forbidden Stories and Amnesty International’s Security Lab, had confirmed that Wilson’s number was among the many rights activists from India to have become a potential target of the spyware. But since Wilson has been in jail since mid-2018 and his phone and laptop are in the National Investigation Agency (NIA)’s custody, no forensic check could be performed.

Arsenal Consulting, which was engaged by Wilson’s defence lawyers to study the electronic evidence submitted against him in the Elgar Parishad case, says it has found Pegasus indicators on the Windows volume of Wilson’s computer in two iTunes backups from an iPhone 6S.

Timestamps associated with these indicators span from July 5, 2017, to April 10, 2018, the report has stated.

The American firm is using the methodology laid out by Amnesty to analyse its findings. “According to the Amnesty International article ‘Forensic Methodology Report: How to catch NSO Group’s Pegasus’, the indicators found by Arsenal reflect not only Pegasus attacks, but successful Pegasus infection of Mr. Wilson’s iPhone 6s,” Arsenal Consulting’s report says.

An NSO Group spokesperson said of the findings, “Without addressing specific countries and customers, the allegations raised in this inquiry are not clear. Once a democratic country lawfully, following due process, uses tools to investigate a person suspected in an attempt to overthrow a (democratically-elected) government, this would not be considered a misuse of such tools by any means.”

Etienne Maynier, technologist at Amnesty International’s Security Lab, confirmed the findings by Arsenal Consulting. “We have reviewed data from Rona Wilson iPhone backups shared by his defense team with Arsenal Consulting and can confirm Arsenal Consulting analysis. Rona Wilson’s iPhone was compromised by NSO Group’s Pegasus in July 2017 and again in February and March 2018. In between these two periods, he was targeted by 15 SMS with a link that on click would have compromised his phone,” Maynier told The Wire.

Arsenal, in February this year, had released its first report with damning evidence, showing clear traces of a cyber attack and the planting of at least 10 incriminating letters on his computer. These letters are all a part of the chargesheet filed against Wilson and 15 others accused of spreading the banned “Maoist ideology” in the country. The chargesheet has termed the accused persons – all rights activists and lawyers from across different parts of the country – as “Urban Naxals”. The investigation, first handled by the Pune police of Maharashtra, was handed over to the NIA in January 2020.

The entire case is based on the letters that the investigating agency has claimed to have found on Wilson’s computer. Discrediting these letters is crucial for Wilson and also other activists who have suffered long years of incarceration in this case. The trial in the case is yet to commence. One accused person, 84-year-old Jharkhand-based tribal rights activist and Jesuit priest Father Stan Swamy, who was arrested in October last year, died on July 5 at a hospital in Mumbai, awaiting bail on medical grounds.

Arsenal Consulting’s director Mark Spencer had termed the attack on Wilson’s computer as a case of “aggressive surveillance”. Talking to The Wire, Spencer had said in February, “Targeting an individual over a long period of time (Wilson’s computer was targeted for over 22 months) is not necessarily unusual in terms of surveillance, but delivering incriminating documents (and other files) to an individual over a long period of time is very unusual. We have never seen or even heard of this before.”

An earlier report by Arsenal has pointed to the use of the NetWire RAT (Remote Access Trojan) on Wilson’s computer for purposes of both surveillance and incriminating document delivery. The latest report by the organisation reflects “not only Pegasus attacks, but successful Pegasus infection of Mr. Wilson’s iPhone 6s”.

The brief report has pointed to the overlap in the timelines of the NetWire and Pegasus infections. “It is important to note that during this entire time span of Pegasus attacks and infection of Mr. Wilson’s iPhone 6s, the attacker identified in Arsenal Reports I, II, and III was using the NetWire RAT (Remote Access Trojan) on Mr. Wilson’s computer for purposes of both surveillance and incriminating document delivery,” the report stated. The Arsenal Reports I, II and III are extensive studies of the computers of Wilson and of his co-accused, the lawyer Surendra Gadling.

Wilson, the study has found, was sent tailor-made SMSes, which the sender was sure would catch his attention. “JNU Chronicles: Real-life tales of love jihad from JNU, the citadel of Indian Marxism. Read details here: [link]” read one of the messages sent on January 31, 2018. “19 Indian Nazi Tweets that will turn you into a hardliner Right Winger right now. Read here: [link],” read another.

Wilson, a rights activist, lived in New Delhi. He was interested in university politics and the changing pattern of discrimination against students belonging to Bahujan and minority communities. To attract his attention, a message: “Missing Najeeb, seat cuts to dictate JNUSU elections. Read more at [link]”, was sent to him on August 31, 2017. It was close to a year since Najeeb Ahmed, a first-year MSc Biotechnology student at Jawaharlal Nehru University (JNU) in Delhi had gone missing from campus.

Within four days, another message seeking justice for the victims of the cow vigilante attack of Una in Gujarat was sent to his phone. “Justice to Dalit victims of Una-Gujarat. Ban Cow protection groups in India. Express solidarity & sign: [link],” the message read.

Wilson, who was a core part of the 17-member Committee for Defence and Release of G. N. Saibaba, also received a message which said “Free Dr Saibaba and Oppose the suppression of Dissent in India. Please sign the petition here clicking [link]” on October 8, 2017.

Saibaba, a Delhi University professor, was sentenced to life imprisonment under several sections of the Unlawful Activities (Prevention) Act (UAPA) for his alleged links with a banned Maoist organisation. With over 90% physical disability, Saibaba has faced severe hardships in jail but has been denied bail multiple times both by the lower and higher judiciary.

Maynier noted that while many SMSes were used to target Wilson’s phone, it is not clear what led to the infection of his phone. “There is no evidence that he clicked on the links in the SMS but we have only a partial view of the activity of his phone from backup data,” Maynier said.

The forensic study of Wilson’s phone shows a striking similarity with the Pegasus attack launched on his close friend Syed Abdul Rahman Geelani’s iPhone. Geelani, former Delhi University professor, had received a barrage of SMSes on his mobile phone around the same time as Wilson. Since Geelani is a Kashmiri, the messages sent to him spoke of issues relating to Kashmir. “United Nations launches online portal for the independence of Kashmir,” read one. Another message, a few days later, claimed: “Another incident showing Indian army beating librandu Kashmiri youth mercilessly to chant Pakistan Murdabad.”

The 15 SMS sent to Wilson are similar to the one that targeted Geelani in 2018, Maynier confirmed to The Wire. “Until 2019, attacks using SMS to infect phones with Pegasus were common. We have seen it used against activists and journalists in many countries like Mexico or Morocco,” Maynier observed.

Geelani died in October 2019 following a massive cardiac arrest. His son, Sayed Atif Geelani, a Delhi-based lawyer who had preserved the phone even after his father’s death, had told The Wire in July that going by the onslaught of digital attacks, his father too would have been arrested in the Elgar Parishad case were he still alive.
