Researchers believe a group of Russian hackers targeted several journalists who are known to be investigating the shooting down of Malaysia Airlines Flight MH17.
The attackers sought out Bellingcat, a group of investigative journalists who as of this writing have contributed nearly 100 posts about Malaysia Airlines Flight MH17’s crash in pro-Russian rebel territory in eastern Ukraine on 17 July 2014.
Each of Bellingcat’s articles around that particular subject asserts the same message: Russia shot down the airplane.
Perhaps feeling those accusations were unjustified, Russia’s hackers sprang to work in early 2015.
The ThreatConnect Research Team, whom Bellingcat contacted after the Russian threat group Fancy Bear (sometimes known as Sofacy, APT28, or Sednit) hacked the DNC, explains what went down in a blog post:
“From February 2015 to July 2016 three researchers at Bellingcat — Higgins, Aric Toler, and Veli-Peka Kivimaki — who had contributed MH17 articles received numerous spearphishing emails, with Higgins alone receiving at least 16 phishing emails targeting his personal email account. A majority of the campaign took place from February to September 2015, with some activity resuming in May 2016. These spearphishing attempts consist of a variety of spoofed Gmail security notices alerting the target that suspicious activity was detected on their account. The target is prompted to click a URL resembling a legitimate Gmail security link to review the details of this suspicious activity.”
Of course, the URL in that email is a fake.
Your first clue? It’s a shortened Bitly URL with target-specific strings, something which you would NEVER find in a legitimate message sent from Google’s security staff. That’s because shortened links allow attackers to link to whatever page they want – in this case, a fake Google login page that steals a user’s Gmail credentials.
This type of activity went on for months.
Interestingly, the URLs with target-specific strings are consistent with a technique used by the Fancy Bear hacking group. Some of the domains, servers, and other infrastructure used to send the spear phishing campaigns also appear to share some overlap with other Fancy Bear campaigns.
If that weren’t enough, there might even be evidence that another Russian threat actor known as CyberBerkut participated in the hack after defacing Bellingcat’s Twitter account on 10 February 2016.
If Russia indeed perpetrated the hack, it would appear the nation is willing to go to any lengths to exercise control over narratives that have the potential to damage its international reputation. That includes retaliating against news outlets.
Even so, ThreatConnect urges news sources and others to stand fast and report anything they see:
“These efforts go above and beyond traditional intelligence requirements such as gaining insight into a sensitive project or sources. Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and embarrass those that speak ill of Moscow. If Russia is willing to go to these lengths to compromise a small journalist organization and its contributors, consider what they are willing to do to major news and media outlets that publish similar articles. While many organizations remain reticent to share information, this knowledge is the prerequisite to establishing how widespread such efforts are and the adversary’s modus operandi.”
Aside from that, make sure you turn on two-factor authentication for Google and your other web accounts.
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step Verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to protect your Office 365 users with multi-factor authentication
- How to protect your Microsoft account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)
- Instagram finally supports third-party 2FA apps for greater account security
- How to protect your Nintendo account from hackers with two-step verification (2SV)
- How to better protect your Roblox account from hackers with two-step verification (2SV)
2 comments on “Russian hackers likely targeted journalists investigating Flight MH17”
Here's the deal that even Russia's Liar in Chief Putin can't hide from: MH17 was shot down by a Russian designed, Russian built, Russian supplied, Russian led, Russian paid for, Russian trained crew who murdered those 298 innocent unsuspecting passengers, and no amount of Russian lying trolls can ever change that. The hands of Russia are stained by the blood of MH17 and their lying denials only deepen their guilt.
It is no surprise to me that these hacking attempts have taken (are still taking?) place.
Since if a nation like Russia is failing to admit, or is even covering up, their support of and/or perhaps even active participation in killing 298 innocent people in mid-air, what else could we expect from such total crooks?