Russian hackers likely targeted journalists investigating Flight MH17

Attack consistent with Fancy Bear hacker group’s techniques.

Russian hackers likely targeted journalists investigating Flight MH17

Researchers believe a group of Russian hackers targeted several journalists who are known to be investigating the shooting down of Malaysia Airlines Flight MH17.

The attackers sought out Bellingcat, a group of investigative journalists which as of this writing has contributed nearly 100 posts about Malaysia Airlines Flight MH17's crash in pro-Russian rebel territory in eastern Ukraine on 17 July 2014.

Each of Bellingcat's articles around that particular subject asserts the same message: Russia shot down the airplane.

Perhaps feeling those accusations were unjustified, Russia's hackers sprang to work in early 2015.

The ThreatConnect Research Team, whom Bellingcat contacted after the Russian threat group Fancy Bear (sometimes known as Sofacy, APT28, or Sednit) hacked the DNC, explains what went down in a blog post:

"From February 2015 to July 2016 three researchers at Bellingcat — Higgins, Aric Toler, and Veli-Peka Kivimaki — who had contributed MH17 articles received numerous spearphishing emails, with Higgins alone receiving at least 16 phishing emails targeting his personal email account. A majority of the campaign took place from February to September 2015, with some activity resuming in May 2016. These spearphishing attempts consist of a variety of spoofed Gmail security notices alerting the target that suspicious activity was detected on their account. The target is prompted to click a URL resembling a legitimate Gmail security link to review the details of this suspicious activity."

Image03 4

A screenshot of one spearphishing email targeting Bellingcat researchers. (Source: ThreatConnect)

Of course, the URL in that email is a fake.

Your first clue? It's a shortened Bitly URL with target-specific strings, something which you would NEVER find in a legitimate message sent from Google's security staff. That's because shortened links allow attackers to link to whatever page they want - in this case, a fake Google login page that steals a user's Gmail credentials.

This type of activity went on for months.

Image04 4 1030x613

Interestingly, the URLs with target-specific strings are consistent with a technique used by the Fancy Bear hacking group. Some of the domains, servers, and other infrastructure used to send the spear phishing campaigns also appear to share some overlap with other Fancy Bear campaigns.

If that weren't enough, there might even be evidence that another Russian threat actor known as CyberBerkut participated in the hack after defacing Bellingcat's Twitter account on 10 February 2016.

Image08 1 450x585

If Russia indeed perpetrated the hack, it would appear the nation is willing to go to any lengths to exercise control over narratives that have the potential to damage its international reputation. That includes retaliating against news outlets.

Even so, ThreatConnect urges news sources and others to stand fast and report anything they see:

"These efforts go above and beyond traditional intelligence requirements such as gaining insight into a sensitive project or sources. Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and embarrass those that speak ill of Moscow. If Russia is willing to go to these lengths to compromise a small journalist organization and its contributors, consider what they are willing to do to major news and media outlets that publish similar articles. While many organizations remain reticent to share information, this knowledge is the prerequisite to establishing how widespread such efforts are and the adversary’s modus operandi."

Aside from that, make sure you turn on two-factor authentication for Google and your other web accounts.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , ,

2 Responses

  1. Deepwater805

    September 30, 2016 at 2:13 am #

    Here's the deal that even russia's Liar in Chief Putin can't hide from: MH17 was shot down by a russian designed, russian built, russian supplied, russian led, russian paid for, russian trained crew who murdered those 298 innocent unsuspecting passengers, and no amount of russian lying trolls can ever change that. The hands of russia are stained by the blood of MH17 and their lying denials only deepen their guilt.

  2. John

    September 30, 2016 at 12:36 pm #

    It is to no surprise to me, that these hacking attempts have taken (are still taking?) place.

    Since if a nation like Russia is failing to admit, or is even covering up, their support of and/or perhaps even active participation in killing 298 innocent people in mid-air, what else could we expect from such total crooks?

Leave a Reply