Russian hackers spy on Citizen Journalists investigating on Flight MH17 Crash

Pierluigi Paganini September 29, 2016

Researchers at the Bellingcat agency have been hit with spear phishing attacks and account takeover attempts while investigating flight MH17 crash.

Once again cyber security experts warn of a new hacking campaign that this time is targeting Citizen Journalists reporting the crash of the flight MH17 of the Malaysian Airlines. According to the intelligence firm ThreatConnect, reporters from the Bellingcat agency have been targeted by spear phishing messages and suffered account takeover attempts for over a year.

The Bellingcat agency is known for its uncomfortable investigations on strong powers of Governments and organizations worldwide.

Yesterday the Reuters reported the news that the Malaysian flight MH17 was downed by Russian-made missile launched by pro-Russian rebels.

“Malaysia Airlines flight MH17 was shot down by a missile fired from a launcher brought into Ukraine from Russia and located in a village held by pro-Russian rebels, international prosecutors said on Wednesday.” states the post published by the Reuters. “The conclusions were based on thousands of wiretaps, photographs, witness statements and forensic tests during more than two years of inquiries into an incident which led to a sharp rise in tensions between Russia and the West.”

ThreatConnect who investigated the attacks speculates that threat actors have strong ties to the Russian Government, they have targeted a group of citizen journalists for publishing articles critical of Government of Moscow.

Data shared by the Bellingcat’s founder Eliot Higgins indicates the involvement of at least two Russian nation-state groups.

Experts from ThreatConnect claim the involvement of the dreaded Fancy Bear APT group who in the headlines for the attacks against the systems and people involved in the US Presidential election.

“Following our post on DCLeaks as a Russian influence operation, Bellingcat founder Eliot Higgins reached out to us. Bellingcat, a group of citizen investigative journalists, has published articles critical of Russia and has been a key contributor to the international investigation of the shootdown of Malaysian Airlines Flight 17 (MH17) over Ukraine in 2014.” states the report published by ThreatConnect.

“Higgins shared data with ThreatConnect that indicates Bellingcat has come under sustained targeting by Russian threat actors, which allowed us to identify a 2015 spearphishing campaign that is consistent with FANCY BEAR’s tactics, techniques, and procedures.”

According to the experts, the Bellingcat’s agency became a target of the Russian Fancy Bear APT after its reporters investigated the shooting down of the Malaysian Airlines Flight 17 (MH17) occurred in 2014.

The second group behind the attacks is the CyberBerkut, a collective of Ukrainian hackers that are pro-Russia.

The state-sponsored hackers targeted three Bellingcat researchers with a spear phishing campaign between February 2015 and July 2016 for intelligence purposes.

mh17-fancy-bear-attacks-timeline

The attackers used messages themed as Gmail security notices in the attempt to trick victims into clicking on the embedded links, but according to ThreatConnect the attacks failed.

“These spearphishing attempts consist of a variety of spoofed Gmail security notices alerting the target that suspicious activity was detected on their account. The target is prompted to click a URL resembling a legitimate Gmail security link to review the details of this suspicious activity.” continues the post.

mh17-fancy-bear-attacks

The report also analyzes activities conducted by the CyberBerkut that defaced the Bellingcat’s website earlier this year and compromised the email account of the government opposition blogger, Ruslan Leviev.

ThreatConnect speculates that Leviev’s email account hosted by the Russian service provider Yandex was compromised with the support of an employee of the company or by the Russian intelligence. In that case the attackers exploited a zero-day in the Yandex service.

“Leviev published a compelling piece of citizen journalism on May 22, 2015 exploring the fate of Russian Spetsnaz soldiers believed to have been killed in combat operations within Ukraine earlier that month. According to Bellingcat founder Higgins, Leviev’s contributor account was compromised and used to post the CyberBerkut message. In an email interview, Leviev makes the following statement regarding the events that led to the compromise of his credentials and the defacement.” continues the analysis.

“In my case, my old email account, which was located on Yandex servers, was hacked. The email account had a long, difficult password, not a word, from various letters, numbers, and special symbols. Plus there was a telephone number bound to the account for second factor authentication.

Exactly how it was hacked — I don’t know.

  1. Either they as employees, or with their active assistance, intercepted the SMS authentication code.
  2. Or they, again, as an officer from the authorities or with their active assistance, gained direct access to the Yandex Mail servers where they seized the email from my old inbox.
  3. Or they know about a vulnerability in Yandex email that nearly nobody else knows about.

At the time I was writing it is still unclear the relationship between the Fancy Bear and CyberBerkut.

This isn’t the first time that Russian hackers operated to gather sensitive information on the Flight MH17 Crash, in October 2015, according to Trend Micro, the Pawn Storm APT group (aka Fancy Bear) has targeted the Dutch Safety Board to gather information regarding the status of the investigation.

The Dutch Safety Board (known as Onderzoeksraad) became a target of the cyber-espionage group before and after the safety board published their detailed report on the MH17 incident on October 13, 2015. We believe that a coordinated attack from several sides was launched to get unauthorized access to sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities.” reported TrendMicro.

Enjoy the analysis.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – MH17, Fancy Bear)



you might also like

leave a comment