U of T's Citizen Lab has uncovered an extensive disinformation and cyber espionage campaign with Russian ties, targeting high-profile individuals around the world. Researchers say they also found similarities to phishing links targeting the 2016 U.S. presidential election and the 2017 French presidential election.
The campaign targets at least 218 individuals, including a former Russian prime minister, ambassadors, members of cabinets from Europe, journalists, CEOs of energy companies and activists from at least 39 countries, as well as the United Nations and NATO. It plants false information within “leaks” of stolen official documents.
“We do not conclusively attribute the technical elements of this campaign to a particular sponsor, but there are numerous elements in common between the campaign we analyzed and that which has been publicly reported by industry groups as belonging to threat actors affiliated with Russia,” the report states.
Citizen Lab’s investigation began with a single targeted phishing operation against American journalist David Satter, whose personal information was stolen, laced with false information and then published in a tainted leaks campaign on a Russian-linked website, named CyberBerkut. Satter, who is known for his book Darkness at Dawn, has written extensively about the rise to power of Russian President Vladimir Putin.
The tainted leaks plant fake information in between largely accurate information “in an attempt to make them credible by association with genuine, stolen documents,” says John Scott-Railton, a senior researcher at Citizen Lab, located at the Munk School of Global Affairs.
Citizen Lab researchers were able to determine that Satter’s targeting was part of a larger campaign. In 2015, the Open Society Foundations (OSF) had also experienced a breach of confidential data, and materials from the breach then turned up on CyberBerkut and another leak-branded site. The tainted leaks were all designed to discredit prominent critics of the Russian government and falsely indicated that they received foreign funding.
“The motivations behind Russian cyber espionage are as much about securing Putin’s kleptocracy as they are geopolitical competition,” says Ron Deibert, director of the Citizen Lab. “This means journalists, activists and opposition figures – both domestically and abroad – bear a disproportionate burden of their targeting.”
Researchers also found similarities in domain naming and subdomain structures between the campaign and phishing operations linked to a “threat actor routinely associated with the Russian government.”
In France's recent presidential election, tainted leaks appear to have been used in an attempt to discredit Emmanuel Macron. Citizen Lab researchers cite earlier reports indicating that the same threat actor showed up with those leaks. And the link used to phish the emails of John Podesta, the former chairman of the 2016 Hillary Clinton presidential campaign, also shares “the distinct naming and subdomain similarities with domains linked to the phishing operation against Satter.”
“We identify marked similarities to a collection of phishing links now attributed to one of the most publicly visible information operations in recent history: the targeting of the 2016 US Presidential Campaign,” the report states. “The phishing URLs in this campaign were encoded with a distinct set of parameters....an identical approach to parameters and encoding has been seen before: in the March 2016 phishing campaign that targeted Hillary Clinton’s presidential campaign and the Democratic National Committee. This similarity suggests possible code re-use: the two operations may be using the same phishing ‘kit.’”
While the researchers do not conclusively link the campaign to a particular Russian government entity, they found many elements of the campaign overlap with previous phishing targets.
“The targets we found are connected to, or have access to, information concerning issues in which the Russian government has a demonstrated interest. These issues range from investigations of individuals close to the Russian president, to the Ukraine, NATO, foreign think tanks working on Russia and the Crimea, grantmakers supporting human rights and free expression in Russia, and the energy sector in the Caucasus,” the report states.
“Considering this primary Russian focus, as well as the technical evidence pointing to overlaps and stylistic similarities with groups attributed to the Russian government, we believe there is strong circumstantial – but not conclusive – evidence for Russian government sponsorship of the phishing campaign, and the tainted leaks.”