Bellingcat vs Fancy Bear: how hackers tried to halt the MH17 investigation

Citizen journalist shares how Russian hackers targeted Bellingcat with phishing attempts

Bellingcat, the investigative citizen journalist organisation that was a key contributor to the MH17 investigation, was repeatedly targeted by two hacking groups thought to be sponsored by the Russian state.

MH17 was a Malaysian Airlines flight from Amsterdam to Kuala Lumpur that was shot down over Ukraine in 2014. A Dutch-led investigation this week determined that the missile that brought down the aircraft was Russian-made.

Researchers at Bellingcat analysed images and documents to produce articles and reports on their findings that largely pointed to Russian involvement in the incident.

Fancy Bears go phishing

Advertisement
Advertisement - Article continues below

During the course of Bellingcat's own investigation, in early 2015, Bellingcat founder Eliot Higgins began to receive phishing emails purporting to be from Google. Speaking to IT Pro, Higgins said that initially he ignored them.

"I had thought it was just a general scam trying to get my credit card details," Higgins said. "But then I was reading one of the ThreatConnect articles on the DCLeaks and they gave an example that looked a lot like the emails I had received."

He then spoke to other members of Bellingcat to see if they had received similar emails and found two of them had.

"A lot of [the emails] were worded exactly the same, with the same spelling mistakes and the URLs they were using in the links were the same. So then it started becoming clearer that this looked like an orchestrated campaign, rather than just random phishing emails, and that's when I contacted ThreatConnect and passed them all the details," Higgins said.

Analysis by ThreatConnect revealed the method of attack, using specially crafted URLs with target-specific strings, is consistent with that used by Fancy Bear, a hacking collective with links to Russia that is also thought to have been behind the Democratic National Committee hacks.

Contributor account cracked

Higgins said that, thankfully, neither he nor any of the other investigative journalists of Bellingcat targeted clicked on the links in the phishing emails, so this attempt to derail the investigation was unsuccessful.

However, the account of another Bellingcat contributor and Russian opposition blogger, Ruslan Leviev, was successfully cracked  in February by another organisation with alleged links to the Kremlin, CyberBerkut. These credentials were then used to post a message criticising both Leviev individually and Bellingcat as a whole, although this was soon rectified.

In a written statement, Leviev said: "My old email account, which was located on Yandex servers, was hacked. The email account had a long, difficult password - not a word - from various letters, numbers and special symbols. Plus there was a telephone number bound to the account for second factor authentication. Exactly how I was hacked - I don't know."

Using the hacked email, the attackers were able to successfully hack into his LiveJournal account, where they also posted a message, and access his Bellingcat email and password. They also tried, unsuccessfully, to hack into his Facebook account, but did manage to briefly gain access to his Twitter, despite it using SMS-based two-factor authentication as well.

Advertisement
Advertisement - Article continues below

"Based on all the data, I assume that ... this was the activity of security services who intercepted the SMS containing the access code. So they got access to my old email account and they also gained access to my Twitter account (which was also under two-factor, but code is sent via SMS rather than generated in an app).

"Of my social networks where two-factor codes are generated via an application, they were unable to crack. Of my social networks where the two-factor code was sent via SMS, they were able to crack."

Fending off attackers

While there is no way for people to prevent themselves from being targeted, both Higgins and ThreatConnect advise people to be "very aware" of phishing attempts what they look like and how to deal with them and to turn on two-factor authentication for all their online accounts.

In a statement, ThreatConnect said: "The campaign against Bellingcat provides yet another example of sustained targeting against an organisation that shines a light on Russian perfidy. The spearphishing campaign is classic FANCY BEAR activity while CyberBerkut's role raises yet more questions about the group's ties to Moscow."

"Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and embarrass those that speak ill of Moscow," the company continued. "The BEARs win if their active measures campaigns push, scare, or intimidate their targets into doing what they want. If you encounter a BEAR, you're doing something right. Don't back down."

ThreatConnect's analysis can be read in full here.

Featured Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now
Advertisement

Most Popular

Visit/business-strategy/mergers-and-acquisitions/354191/xerox-threatens-hostile-takeover-after-hp-rebuffs
mergers and acquisitions

Xerox threatens hostile takeover after HP rebuffs $30bn takeover

22 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019
Visit/business-strategy/it-infrastructure/354188/tsb-payment-delays-suggest-second-it-meltdown
IT infrastructure

TSB payment delays suggest second IT meltdown

22 Nov 2019
Visit/public-cloud/34850/salesforce-takes-aws-relationship-to-the-next-level
News

Salesforce takes AWS relationship to the next level

19 Nov 2019