Nine human rights activists, including those fighting the legal battle for the release of the Bhima Koregaon 11, were targeted by spyware called NetWire between January and October 2019, says a joint report by Amnesty International and Citizen Lab.
The activists received carefully crafted and personalized emails impersonating colleagues or loved ones. The emails carried malicious PDF files which, when clicked, activated Windows spyware on their systems, allowing hackers to remotely monitor the targets' actions and communications.
Three of the activists targeted by NetWire were also spied upon by NSO Group's Pegasus spyware in 2019. Unlike Pegasus, which targeted smartphones by exploiting a vulnerability in WhatsApp that Facebook later fixed, NetWire was used in this case to target Windows PCs.
NetWire is a multi-platform RAT (remote access trojan) and has been used for corporate espionage since it surfaced in 2012. Various studies of the spyware have found that once it infiltrates a device, it can steal credentials, record audio and log keystrokes, in addition to being used as a backdoor to the device.
It has been used by Nigerian scammers as well as Iranian cyber espionage groups. Between 2016 and 2017, it was used by Iranian cyber group APT33 as a backdoor to spy on US and Saudi Arabian organisations.
NetWire is commercially available and can be purchased on dark web marketplaces (the dark web is the part of the Internet that is not indexed by search engines).
According to Amnesty International, the activists targeted by NetWire included lawyers and activists Nihalsing B Rathod, Degree Prasad Chouhan, Yug Mohit Choudhary, and Ragini Ahuja. Academics Partho Sarothi Ray and PK Vijayan and Jagdalpur Legal Aid Group member Isha Khandelwal were also targeted.
Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. It was actively involved in the Facebook-led investigation into Pegasus spyware that targeted 1400 individuals, including journalists, activists and politicians, worldwide. Of these, 121 were based in India.
Recently, Citizen Lab also uncovered a massive hack-for-hire operation called Dark Basin, which targeted hundreds of institutions and thousands of individuals across the world. The targets included journalists, government officials, CEOs, lawyers and human rights activists. Citizen Lab's investigation revealed that an obscure IT firm from Delhi, BellTroX InfoTech Services, was behind the operations.