Russian hackers got access to a journalist’s e-mails, then altered some documents they found before ‘leaking’ them, a report released by the University of Toronto’s Citizen Lab explained Thursday.
Citizen Lab’s investigation looked at a digital attack on David Satter, a reporter who is a strong critic of Russian president Vladimir Putin. Satter, an American, was expelled from Russia in 2013.
In October of 2016, Satter was successfully targeted by a phishing attack, which used a fake security warning from Google urging him to change his password. Clicking on the link led to a fake Google login page (actually on a server in Bucharest, Romania), which compromised Satter’s password.
Once in, the Bucharest server was set to automatically download the entire contents of Satter’s Gmail account.
READ: Russian cyber criminals use malware planted on mobile devices to rob bank customers
Documents from the hack were then published at cyber-berkut.org, a site run by pro-Russian hacktivists. Some of the documents were genuine and original, but they were mixed with others that were altered in a way that seemed to discredit Satter and others, a process the researchers call “leak tainting.”
“A carefully constructed tainted leak included in a set of real stolen material is surrounded by documents that, by juxtaposition, indirectly signal that it is legitimate,” the report explains. “This could help the tainted leak survive initial scrutiny by reporters and others seeking corroboration.”
The tainting created a narrative in which Satter appeared to be paying Alexei Navalny, a Russian opposition leader and anti-corruption activist.
“The tainted leak told a series of new, false stories, intended not only to discredit Satter, but to support domestic narratives familiar to many Russians: of foreign interference, and of a foreign hand behind criticism of the government.”
READ: United States watched as Russians hacked French networks before election
When the U of T investigators studied the URL shortener used by the hackers (tiny.cc) they realized that Satter was only one of many victims. About 4,000 Tiny.cc addresses, created all together, all led to a convincing fake of the Gmail password change page.
Following the URLs led them to evidence that there were at least 218 targets of the phishing operation, of whom about 85 per cent could be identified. Ukraine was the most commonly targeted country, followed by targets in Russia itself. About 5 per cent were in the United States, and none in Canada.
Who are the hackers? It’s not clear. Criminal hacker groups in Russia are left alone by the government, so long as they are broadly serving state goals: “Multiple Russian-affiliated operators could compromise the same target unwittingly and without seeming coordination. This ‘piling on’ around a target further complicates attribution.”
READ: Russia hacks Danish defence, gains access to two years worth of emails
However, the report adds: “… the resources of a government would likely be necessary to manage such a large and ambitious campaign, given the number of languages spoken by targets, and their areas of work. The group includes a former Russian Prime Minister, a global list of government ministers, ambassadors, military and government personnel, CEOs of oil companies, and members of civil society from more than three dozen countries.”
In May, hackers targeted then-French presidential candidate (now president) Emmanuel Macron. They published the material, both with false material they inserted, and also — unknowingly — with other false material that Macron’s campaign team had inserted ahead of time to discredit a hack.
READ: Emmanuel Macron campaign emails leaked online days before French presidential vote