Published on July 26th, 2019

Russian Intelligence Cyberattacked Journalists, Hacking Encrypted Email Accounts


Barely 24 hours after a heavily-redacted U.S. Senate Intelligence Committee report concluded that Russia had "likely targeted" electoral systems in all 50 states during the 2016 presidential election, the Financial Times reported on Friday (July 26) that Russian state hackers were likely behind a cyberattack on a secure email platform favored by some of the investigative journalists probing the downing of MH17 over Ukraine in 2014 and the poisoning of Sergei Skripal and his daughter in the U.K. in 2018.

The email platform in question is the Swiss-based ProtonMail, which boasts the protection of Switzerland's strict privacy laws as well as end-to-end encryption and anonymized accounts. According to the FT, ProtonMail "became aware of the attempt to compromise its users on Wednesday." ProtonMail's CEO Andy Yen told the FT that the hackers "knew in advance exactly who they wanted to go after. Our research shows that this was a highly targeted operation."

And that suggests nation-state hackers, and—given the targeted accounts—Russia. The hack worked through bogus Swiss domains that replicated ProtonMail's interface and then accessed the real site in the background in real-time to "trick users into giving up their two-factor authentication codes."
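The technique described above is a real-time relay: the look-alike site forwards whatever the victim types to the genuine service within the code's validity window, so a one-time code proves nothing about which site the user is on. The following is an added example, not code from the article or from ProtonMail, that models why a time-based code survives such a relay while an origin-bound second factor (the WebAuthn/FIDO2 design, simplified here to an HMAC over the challenge and the origin the browser actually sees) does not. All origins, secrets and timestamps are constructed placeholders.

```python
import hmac
import hashlib
import secrets
import struct

# Constructed placeholder origins; neither is a real domain from the incident.
REAL_ORIGIN = "https://mail.example.com"
LURE_ORIGIN = "https://mail-example.example.net"  # look-alike site proxying the real one


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238) for the given Unix time."""
    return hotp(secret, now // step)


class TotpServer:
    """Second factor that only proves the user holds the shared secret right now."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> str:
    """Toy authenticator: signs the challenge together with the origin the browser
    is really on. Real WebAuthn uses a public-key signature over clientDataJSON,
    which carries the origin; the HMAC here is a stand-in for that signature."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


class OriginBoundServer:
    """Second factor whose assertion must name the expected origin."""

    def __init__(self, key: bytes, expected_origin: str):
        self.key = key
        self.expected_origin = expected_origin
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, origin: str, signature: str) -> bool:
        if challenge not in self.pending:      # unknown or replayed challenge
            return False
        self.pending.discard(challenge)         # each challenge is single use
        if origin != self.expected_origin:      # assertion was made on a look-alike site
            return False
        expected = sign_assertion(self.key, challenge, self.expected_origin)
        return hmac.compare_digest(signature, expected)


def relay_against_totp(server: TotpServer, user_secret: bytes, now: int) -> bool:
    """The user types the current code into the look-alike page and the proxy
    submits it to the real server inside the same 30-second window."""
    code_entered_on_lure = totp(user_secret, now)
    return server.verify(code_entered_on_lure, now)


def relay_against_origin_bound(server: OriginBoundServer, user_key: bytes) -> bool:
    """The proxy fetches a genuine challenge and presents it on the look-alike page,
    but the authenticator signs over the origin the browser actually shows."""
    challenge = server.new_challenge()
    origin_seen_by_browser = LURE_ORIGIN
    signature = sign_assertion(user_key, challenge, origin_seen_by_browser)
    return server.verify(challenge, origin_seen_by_browser, signature)


def legitimate_origin_bound_login(server: OriginBoundServer, user_key: bytes) -> bool:
    """Same flow from the genuine site: origin matches, so the assertion is accepted."""
    challenge = server.new_challenge()
    signature = sign_assertion(user_key, challenge, REAL_ORIGIN)
    return server.verify(challenge, REAL_ORIGIN, signature)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    print("TOTP code relayed from look-alike accepted:",
          relay_against_totp(TotpServer(secret), secret, 1_564_099_200))
    bound = OriginBoundServer(secret, REAL_ORIGIN)
    print("origin-bound assertion relayed from look-alike accepted:",
          relay_against_origin_bound(bound, secret))
    print("origin-bound assertion from real site accepted:",
          legitimate_origin_bound_login(bound, secret))
```

The server-side lesson is in `OriginBoundServer.verify`: the origin check happens before any cryptographic verification, and a failed check with a plausible-looking origin is a signal worth logging, since it means a user completed a login ceremony on a domain the service does not own.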

One of the targets of the hack was the open-source investigation site Bellingcat, which has consistently targeted Russia. The site's founder Eliot Higgins and his team were heavily involved in linking the Buk missile launcher that downed MH17 to Russia's 53rd Anti Aircraft Missile brigade and to "senior officers of the Russian Ministry of Defense and its military intelligence agency, the GRU." The same team identified the GRU officers allegedly responsible for the Skripal poisoning and also Russian missile strikes on civilian targets in Syria.

When I interviewed Higgins last month, he told me about the imminent Bellingcat podcast, timed to coincide with the fifth anniversary of the missile strike on MH17. "We want as many people as possible to know about what happened," he told me. "We want to reach a new audience, tap into a true-crime kind of audience and introduce that audience to our work." The first episodes of the podcast series have now aired to strong critical acclaim.

Linking ProtonMail's anonymized accounts to targeted individuals suggests a leak from a trusted source. "It seems clear that it is linked to our GRU investigations," Bellingcat researcher Christo Grozev told the FT. "They have been trying to get into our regular email accounts for a long time now. But with ProtonMail, it was very odd and unexpected."

Russian hacking group APT28, also known as Fancy Bear, is believed to be controlled by the GRU and is the most likely culprit, although that will be difficult if not impossible to substantiate. According to the cybersecurity researchers at CrowdStrike, APT28 has now "targeted victims in multiple sectors across the globe—because of its extensive operations against defense ministries and other military victims, Fancy Bear's profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with the GRU, Russia's premier military intelligence service."

The end-to-end security of messaging platforms has been under scrutiny in recent weeks, with security agencies in the U.S., U.K. and elsewhere complaining that the lack of backdoors left investigations "in the dark." Earlier in the week, U.S. Attorney General Bill Barr said that "warrant-proof encryption is imposing huge costs on society—we are confident that technical solutions will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption."

This suspected GRU hack of an encrypted platform links directly back to that debate. "Deciding who gets access to intercept technology means we're in the business of determining who's good and who's bad," Joel Wallenstrom, the CEO of the uber-secure messaging platform Wickr, told me last month.

But a vulnerability is a vulnerability—ProtonMail's CEO told the FT that "user email accounts are fully end-to-end encrypted so users had nothing to worry about unless they had inadvertently given away their passwords," and so this would seem a good reason not to introduce any such backdoors into any such system. The holders of those secure accounts relied on there being no such vulnerabilities in place.

