A sophisticated phishing campaign targeting Bellingcat and other Russia-focused journalists has been much larger in scope than previously thought, and has lasted at least several months. Bellingcat has identified dozens of targeted individuals across Europe and the US, with the earliest reported attack dating back to April 24 2019, and some evidence suggesting the campaign was in the works since as early as March 2018,
as Bellingcat.com's experts claimed on August 10.
The target list of over 30 individuals using the end-to-end encrypted ProtonMail email service includes journalists, researchers, academics, employees of NGOs, and political activists. (...) Contrary to previous reporting, we have identified that at least some of the phishing attempts have been successful.
All targets are involved in work focused on Russia, and most have previously been subject to public attacks – either personally or institutionally – by the Russian government.
These accounts may be grouped in the following categories:
- Journalists: including Bellingcat researchers (2), BBC investigative journalist (1), Guardian journalists (3), and journalists from different Russian investigative media (3). At least two of the targeted foreign journalists are known to have previously banned from traveling to Russia.
- NGO’s with a focus on Russia or assisting Russian independent media (10 targets). Several of these organizations asked to not be named publicly, in order to discourage further attacks. The list of NGOs included, for instance, the Prague-based European Values Think Tankwhich has been vocally critical of Russian disinformation efforts in Central Europe, and the Free Russia Foundation.
- Investigators and academics focused on Kremlin’s foreign policy and Russian clandestine operations abroad (6).
(...)
Bellingcat believes that this phishing campaign formed a stage of a larger ongoing hacking operation against Russia-focused journalists and researchers, with various methods and tools – some of them without precedent – being deployed against a range of targets both within Russia and abroad.
Bellingcat was first made aware of phishing attempts via ProtonMail on 2 July 2019, when a European private investigation firm with a focus on Russia informed us that three of its employees had received phishing messages containing the “Your private keys have been exported” bait. This attack had occurred in the last days of June 2019. The targets’ accounts had not been breached, however the fact that their non-public and non-eponymous account names had become known to a phishing actor implied that another person who corresponded with them via ProtonMail might have been previously breached.
(...)
The profile of the phishing targets is one way to come up with a short-list of potential actors. In this case, all (known) targets were professionally engaged with activity that is deemed hostile by the Russian government – from investigations of GRU’s covert operations to Russia’s alleged meddling in UK and US political processes. This narrows down the candidates to either the Russian state (the default hypothesis), or a false-flag attack by an adversary of Russia trying to discredit it. (A third possible hypothesis is that this was the work of a para-state Russian actor, i.e. a Russian entrepreneur “investing” in such activity nominally on their own behalf. Because such “private” actors have been previously shown to act on behalf of – and with beneficiary funding from – the Russian state, we will not distinguish this hypothesis from the default one).
It is notable that several of the targets of this campaign (both within the Bellingcat team and among Russian journalists) have been targeted in phishing campaigns dating back to 2015 and 2016 that have been
attributedto Fancy Bear, the cyber-army of Russia’s military intelligence GRU whose hackers were
indicted over their hack of the DNC. Those previous attacks were highly sophisticated, in some cases using as bait custom-written fake documents that were ostensibly “leaked” to journalists.
The overlap in targets between previous and the current phishing operations plus the resources and time needed to build up the n competence and infrastructure necessary for such as a sophisticated operation makes Fancy Bear a likely candidate for the recent operation. Circumstantially this is also corroborated by the use of Njalla and Web4Africa resellers to procure domain infrastructure – these providers have been previously used by Fancy Bear, although obviously this is not an exclusive relationship.
Our preliminary analysis of the source code used on the phishing sites implies that the campaign was the work of a state actor and not of an individual hacker or a hacker collective.
One indirect reason for attribution to a state actor is the time that it required to build (or re-purpose) the code and infrastructure for the operation.
(...)
Many of the comments interspersed in the tens of thousands lines of code used by the phishing site (which combines newly written code, adjustments to existing code and whole segments of borrowed open-source code) indicate that the coder or coders were not native English speakers. Grammatical tense mismatch and wrong word order are particularly prevalent. However, this in itself may not be used as an indication of country of provenance of the coders, as many coders have a functional grasp of English but are not necessarily grammatically proficient.
(...)
Both ThreatConnect and ProtonMail confirmed to us that their own investigations point to a likely Russian origin of the phishing attack, however both deferred to law enforcement agencies as the only authorities that would be able to access raw technical data – such as IP access logs for hosting providers, third-party email provider access logs, etc – that might enable hard attribution.
Bellingcat.com
