On Thursday, the University of Toronto’s Citizen Lab published evidence of a dangerous new twist in the war against truth. Russia-linked hackers, dubbed CyberBerkut, have waged a worldwide phishing campaign against hundreds of government officials, journalists, and NGO workers, and in some cases, tampered with documents stolen from victims and then tried to leak them to the media in an effort to advance Russian propaganda aims. While there is no smoking gun, there are strong similarities between the techniques used in CyberBerkut’s campaign and last year’s phishing attacks targeting the DNC conducted by the Russia-linked hacking group, Fancy Bear, also known as APT 28. I asked Citizen Lab’s Director Ron Deibert and Senior Researcher John Scott Railton to go over some of the key insights from their report on this campaign, Tainted Leaks: Disinformation and Phishing With a Russian Nexus. 

Q: Do you see any connection between this campaign and the supposed Russian intelligence document detailing an alleged conversation between then-Attorney General Loretta Lynch and the Clinton campaign which James Comey treated with skepticism? What about the DNC hacks?

There are multiple points of overlap between technical indicators and techniques in our report and those published by industry and government concerning Russian-affiliated threat actors. In addition to technical data, there is substantial contextual information linking targets to Russia’s strategic interests. However, we have no conclusive proof that links this operation to any particular Russian agency.  Nor do we have any evidence that links our investigation to recent news about former FBI Director Comey’s motivation for acting on the Clinton emails.  That said, we do not necessarily expect to be able to find such links, in part because of the open source nature of our investigations, and in part because of the way Russian threat actors operate. Russian cyber espionage is conducted in collaboration with organized criminal groups, providing them with a degree of plausible deniability and obfuscation. – RD 

Pulling the lens out: Even documents with murky provenance can have a strategic impact on decision-making. Part of the power of tainted leaks is that they make some think “hey this might be true.” That is the bar. In the context of a disinformation operation, doubt may be enough to warrant a mention in reporting. Doubt can slow down or impair good decision-making, especially if folks are risk averse. It can also make a questionable course of action appear more reasonable. – JSR

Q: The misinformation campaign you detail in your report appears to be the latest revelation in the war on truth we’re seeing. What’s the ultimate goal? What’s the best defense? How does this match with traditional autocratic security services’ behavior toward truth and public narratives?

A few years ago “leaks” seemed like a powerful tool for those with less power to contest the status quo. The concept gained a lot of credibility very quickly. Over time the term “leaks” acquired a second usage: a data breach released by a shadowy or anonymous actor. Yet there is still something inherently plausible, and fascinating, about “leaks,” even when there is no whistleblower. In theory, they get you closer to what people actually say and think behind closed doors.

Enter tainted leaks, a disinformation tactic designed for today’s media environment: quick to gain traction, and time consuming to disprove. By burying carefully tainted documents in a forest of genuine material, they not only put falsehoods in motion, but co-opt the brand of “leaks” to the ends of a state. It is a bitter irony that journalists attempting to expose corruption among a powerful elite are targeted with a smear marketed as a “leak.” – JSR 

Q: How did the attackers collect initial contact information for their victims?

We do not know how the operators obtained the e-mail addresses, profile images, or their target list. However, the scale of the work required to run the campaign, combined with our belief in state sponsorship, leads us to think that it may come from an intelligence service. – JSR

Q: What’s the overarching theme linking all of the attacks? 

Threats to the Russian regime, its extended kleptocracy, and targets that are broadly in Russia’s sphere of strategic, political, and economic interests. One point we emphasize is that of the targets of the operation into which we had a brief window, the second largest set (21%) was civil society — meaning, journalists, human rights activists, anti-corruption investigators, and others. This high number of civil society targets is a phenomenon we see with growing regularity in Citizen Lab research reports. Although it is often overlooked in industry and government reporting, it is not surprising when you consider that from the perspective of many governments today, civil society represents perhaps the greatest threat. Many governments are sliding back into autocracy, and the “third wave” of democratization is in long retreat. Unfortunately, this shift means that the powerful spying apparatuses of many governments are being turned on civil society, both domestically and abroad. – RD

Pulling back: To us, what happened in the 2017 French Presidential Election suggests that the disinformation “scientists” are very hard at work experimenting with new ways to make the technique more powerful, and expand the time gap between what will be quickly amplified, and what can be verified. We hope that, by basically running track changes on a disinformation campaign, we can contribute to the conversation by media and scholars about how to handle the growing number of things marketed as “leaks.” – JSR

Q: Talk about Russian security services’ embrace of the criminal world to advance Moscow’s interests online. What about the overlap and competition between various Russian security services and proxies in conducting online operations?

Like many governments, Russia actively exploits the criminal underworld for its national security interests. Individuals involved in organized crime in Russia and the former Soviet Union are given wide latitude to engage in cyber crime with the tacit support of security services. Often their services are employed, or they are otherwise coerced into engaging in activities that support various aspects of the regime. Moreover, corruption is widespread throughout the Russian state itself, and in particular within the security services. These characteristics blur the line between “the state” and “organized crime” and provide a convenient layer of plausible deniability for the Russian regime when it comes to cyber espionage operations that appear to have Russian fingerprints on them. – RD

Q: Interestingly, your report shows that, in its campaign against journalist David Satter and Radio Free Europe/Radio Liberty, CyberBerkut manipulated documents to make it appear Satter was doing exactly what Russian officials try to do in the United States — recruit journalists to write pieces advancing Russian interests — except in Satter’s case, the hackers wanted it to appear to be the reverse.

Certainly it is interesting. The clandestine recruitment of journalists by spy agencies is an old practice, and many governments are known to engage in it. In the Russian case, we believe the insertion and deletion of material into the tainted documents was meant to give the impression of a wider anti-Putin conspiracy that involved commissioned pieces by investigative reporters digging into Russian corruption. Obviously such disinformation would help discredit those investigations, and possibly blunt their effectiveness. At the very least, such disinformation has the effect of clouding the origins of the authors’ allegiances, and may raise questions with the public about the motivations and ultimate purpose behind such journalism. – RD
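The “track changes” comparison the researchers describe, surfacing the sentences inserted into and deleted from a tainted copy of a document, as an added illustration written for this page (not Citizen Lab’s own tooling). The two documents are constructed samples, not material from the report.

```python
import difflib
import re
from typing import Dict, List

# Constructed sample: a genuine document and a tainted copy in which an
# operator inserted a fabricated claim and deleted an exculpatory sentence.
ORIGINAL = """Dear colleague,
Attached is the grant report for the investigative journalism program.
The program supports independent reporting on public procurement.
We do not commission articles or direct their content.
Please confirm receipt.
"""

TAINTED = """Dear colleague,
Attached is the grant report for the investigative journalism program.
The program supports independent reporting on public procurement.
The following reporters have agreed to publish pieces on request.
Please confirm receipt.
"""


def split_sentences(text: str) -> List[str]:
    """Split text into sentence-sized units on line breaks or end punctuation."""
    parts = re.split(r"(?<=[.!?])\s+|\n", text)
    return [p.strip() for p in parts if p.strip()]


def diff_documents(original: str, tainted: str) -> Dict[str, List[str]]:
    """Return the sentences inserted into and deleted from the tainted copy.

    Sentence-level alignment keeps the report readable: a forged paragraph
    buried among genuine text shows up as a short list of additions rather
    than a wall of character-level diff noise.
    """
    a, b = split_sentences(original), split_sentences(tainted)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    inserted: List[str] = []
    deleted: List[str] = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            deleted.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            inserted.extend(b[j1:j2])
    return {"inserted": inserted, "deleted": deleted}


if __name__ == "__main__":
    for kind, lines in diff_documents(ORIGINAL, TAINTED).items():
        print(kind.upper(), *lines, sep="\n  ")
```

Run against an authentic copy (when one can be obtained from the victim) the same function returns empty lists, which is the check that distinguishes a genuine leak from a tainted one.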

Q: Your report also notes that an article by journalist Elena Vinogradova was mentioned in one falsified document before her piece was supposed to be published, indicating that the creators of this document may have had access to intelligence materials. Do you have any theories as to whether this intelligence came from the document forging group’s own hacking efforts, or from another organization? If from another organization, do you have any clues as to which one? Have you seen similar slip-ups such as this?

We cannot say where the information came from, or even whether the article, as described in the tainted document, was real. The operators were clearly familiar with Russian media and journalism, and with Elena. We think this case suggests, but does not prove, that the operators may have access to some form of surveillance on Elena. We can only speculate as to whether or not the surveillance was digital…or more analogue. – JSR

Q: You mention that there were inconsistencies between the original and tainted documents stolen from the Open Society Foundations that were posted at different times by CyberBerkut and another famous Russia-linked digital propaganda tool, DC Leaks. Were these inconsistencies the result of sloppiness/lack of coordination or does this speak to the operators’ desire to influence different audiences?

We cannot be sure. It is easy to imagine that this was a coordination issue, or a lack of attention to detail. A substantial number of documents were released by DC Leaks, and it would have required some careful work to harmonize the two dumps.  Still, we may never know. – JSR

Q: The U.S. government doesn’t provide as much information about its methods and findings when it concludes there has been a malicious operation of this type — out of concern that the perpetrators will reverse engineer that information and be able to better conceal their actions in the future. Is that a concern for Citizen Lab? How do you balance the different equities involved?

Since we do not deal in classified information, and have no access to such data, we do not have to conduct our investigations with the same concerns in mind. Our principal concerns in this respect are about the privacy and security of the targets we identified, and those who cooperate with us in our investigations. We chose not to publish the names of targets in the campaign we uncovered, in order to protect their privacy and security. Apart from that concern, we publish as much evidence as we can in as clear a manner as possible not only to make the case to the public, but to assist other researchers in the global community. But your question raises a larger concern, which I broached in a prior Just Security piece: “we are entrusting vital public policy matters on cyber security primarily to defense and intelligence agencies of nation-states and the companies that serve them, with little to no independent source of verification of what they produce for the general public.” That is a structural problem that needs to change. There need to be more open-source, independent investigations into digital security issues. – RD

Q: Last year, I received the same “someone has your password” phishing email as David Satter, one of the victims attacked by CyberBerkut. It also appears to be identical to the one famously sent to John Podesta. Do you believe the same organization(s) sent all three or is this simply a template used by a variety of unrelated criminals? If someone has received such emails, what can they do to help uncover more information about this campaign?

Please send us the e-mail you got; we would like to have a look. Our report outlines the strong circumstantial evidence that connects this campaign to APT 28, the same operator responsible for the operation that targeted Podesta. The highly similar e-mails, and identical phishing “kit” used are just part of the “fact picture” that supports the linkage. – JSR

Q: I received the “password” email from an @mail.com address, an easy giveaway that something wasn’t right. Assuming these attacks won’t stop and that they will generate more false information, what can people look out for that may give away a more sophisticated spearphishing attack or a falsified document?

It can be difficult to spot a spearphishing message. This is why they work. The truth, as operators around the world know, is that someone will almost always click and enter a credential. Still there are things that you and I can look for. I wrote this 15-second routine to make your daily e-mail answering a bit safer. – JSR

Image: Citizen Lab