GET THE FREE NATIONAL CYBER SECURITY APP FOR YOUR PHONE AND TABLET
The digital forensics research showed Pehlivan’s PC was tampered with days before his arrest.
Barış Pehlivan, the Turkish investigative journalist who spent 19 months in jail, was framed by hackers, claims a new report. He was accused of terrorism based on documents that were recovered from his work PC. Pehlivan was jailed in February 2011, along with six other colleagues from Turkish channel OdaTV, after the documents seized connected them to Ergenekon, an extremist armed group in Turkey.
Arsenal Consulting which carried out the digital forensics tests said the files put in Pehlivan’s computer were loaded by someone else who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive. The attackers also infected the system using malicious email attachments and thumb drives.
Among these trojans was an extremely rare trojan called Ahtapot, which was installed on Pehlivan’s computer on February 11, 2011 evening, a Friday. What followed was a police raid that took place on Monday morning.
What was even more baffling for the researchers was that this malware appeared to be in unfinished beta development. In fact the attackers first injected the system with common malware and then the Ahtapot which was a form of Remote Access Trojan (RAT), a malware that allows hackers to control a PC without having physical access.
“We have never seen a computer attacked as ferociously as Barış’s. The attackers seemed to pull everything out of their bag of tricks,” says Mark Spencer, digital forensics expert at Arsenal Consulting.
OdaTV has in the past known to be been critical of the Turkish government and the Gülen Movement, which was suspected of orchestrating the recent attempted coup.
In this regard Gabor Szappanos, principal researcher at Sophos says, “The data suggests that these Trojans and domains were used only in this incident, infecting only 1-2 computers. That is not a typical crimeware scenario, and even APT groups target a wider range of victims. The very narrow scope indicates an attacker with a very specific agenda.”
Although the journalists were released from prison in September 2012, the trial continues.