Russia linked to cyberattacks on Bellingcat researchers probing GRU
Bellingcat—the online investigations site—has become synonymous with investigations into crimes committed by Russia's military, including the downing of Malaysia's MH17, the Skripal poisonings, and the bombing of civilian targets in Syria.
Earlier on Friday, the Financial Times had reported that Russian hackers were likely behind a cyberattack on the secure email platform used by Bellingcat's team, Forbes reports.
"Yet again," tweeted Bellingcat founder Eliot Higgins on Friday, "Bellingcat finds itself targeted by cyberattacks, almost certainly linked to our work on Russia. I guess one way to measure our impact is how frequently agents of the Russian Federation try to attack it, be it their hackers, trolls, or media."
The email platform in question is the Swiss-based ProtonMail, which boasts the protection of Switzerland's strict privacy laws as well as end-to-end encryption and anonymized accounts. According to the FT, ProtonMail "became aware of the attempt to compromise its users on Wednesday." ProtonMail's CEO Andy Yen told the FT that the hackers "knew in advance exactly who they wanted to go after. Our research shows that this was a highly targeted operation."
The team were heavily involved in linking MH17 to Russia's 53rd Anti-Aircraft Missile Brigade. Bellingcat then made the link all the way to "senior officers of the Russian Ministry of Defense and its military intelligence agency, the GRU." The same team identified the GRU officers allegedly responsible for the Skripal poisoning and also Russian missile strikes on civilian targets in Syria.
The hack reported by the FT worked through bogus Swiss domains that replicated ProtonMail's interface and then accessed the real site in the background in real time to "trick users into giving up their two-factor authentication codes." Linking ProtonMail's anonymized accounts to targeted individuals suggests a leak from a trusted source. "It seems clear that it is linked to our GRU investigations," Bellingcat researcher Christo Grozev told the FT. "They have been trying to get into our regular email accounts for a long time now. But with ProtonMail, it was very odd and unexpected."
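Added here as an illustration, not code from the article, from ProtonMail or from the FT's reporting: a short Python model of the relay described above, showing why a time-based 2FA code that a victim types into a lookalike page and that is forwarded to the real site is accepted, while an origin-bound second factor (WebAuthn-style, where the browser's origin is part of the signed data) fails the real site's check. The origin strings and keys are constructed for the model, and an HMAC key stands in for an authenticator's private key.

```python
import hashlib
import hmac
import struct

# Constructed origins for the model: the genuine site and a lookalike relay domain.
REAL_ORIGIN = "https://mail.example-real.test"
PHISH_ORIGIN = "https://mail.example-lookalike.test"


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the code carries no notion of where it was typed."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(totp(secret, now), submitted)


def authenticator_assert(key: bytes, challenge: bytes, origin: str) -> dict:
    """Origin-bound factor: the origin the browser is on is mixed into the signed data.
    An HMAC key stands in for the authenticator's private key to keep the model short."""
    sig = hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()
    return {"origin": origin, "sig": sig}


def server_accepts_assertion(key: bytes, challenge: bytes, assertion: dict) -> bool:
    # The real site rejects any assertion whose signed origin is not its own.
    if assertion["origin"] != REAL_ORIGIN:
        return False
    expected = hmac.new(key, challenge + REAL_ORIGIN.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_login_with_totp(secret: bytes, now: int) -> bool:
    # The victim reads the code from their app and types it into the lookalike page;
    # the relay forwards it unchanged to the real site before it expires.
    code_typed_into_phish = totp(secret, now)
    return server_accepts_totp(secret, code_typed_into_phish, now)


def relay_login_with_bound_factor(key: bytes, challenge: bytes) -> bool:
    # Same relay, but the browser signs for the origin it is actually on (the lookalike),
    # so the forwarded assertion fails the real site's origin check.
    assertion = authenticator_assert(key, challenge, PHISH_ORIGIN)
    return server_accepts_assertion(key, challenge, assertion)
```

The point for defenders is that a relayed TOTP code is indistinguishable from one typed on the real site, whereas an origin-bound factor lets the real site detect that the login came through a different domain.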
Russian hacking group APT28, also known as Fancy Bear, is believed to be controlled by the GRU and is the most likely culprit, although that will be difficult if not impossible to substantiate. According to the cybersecurity researchers at CrowdStrike, APT28 has now "targeted victims in multiple sectors across the globe—because of its extensive operations against defense ministries and other military victims, Fancy Bear's profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with the GRU, Russia's premier military intelligence service."
The end-to-end security of messaging platforms has been under scrutiny in recent weeks, with security agencies in the U.S., UK and elsewhere complaining that the lack of backdoors left investigations "in the dark." Earlier in the week, U.S. Attorney General Bill Barr said that "warrant-proof encryption is imposing huge costs on society—we are confident that technical solutions will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption."
This suspected GRU hack of an encrypted platform links directly back to that debate. "Deciding who gets access to intercept technology means we're in the business of determining who's good and who's bad," said Joel Wallenstrom, the CEO of the uber-secure messaging platform Wickr.
But a vulnerability is a vulnerability—ProtonMail's CEO told the FT that "user email accounts are fully end-to-end encrypted so users had nothing to worry about unless they had inadvertently given away their passwords," and so this would seem a good reason not to introduce any such backdoors into any such system. Bellingcat and other holders of those secure accounts relied on there being no such vulnerabilities in place.