Russian 'Fancy Bear' Hackers Tainted Their Huge Leaks With Fake Data


The first evidence that the hacker crew responsible for the breach of the Democratic National Committee (DNC) snuck false information into their leaks has been uncovered by a group of researchers.

The hackers, a group called Fancy Bear that U.S. intelligence and law enforcement claim to be sponsored by Russia's intelligence unit, the GRU, planted the information inside a leak of emails belonging to a journalist and critic of the Putin regime, according to a report from Citizen Lab, a University of Toronto-based organization. That formed part of a massive hacking campaign attempting to steal Google passwords from 218 targets across 39 countries, including former American defense officials.

Though Citizen Lab couldn't definitively tie Fancy Bear to those "tainted leaks," Forbes separately obtained evidence that indicated the group was responsible.

It marks a worrying moment in the early history of mega-leaks: the doctoring of data and the subsequent promulgation of that legitimate-looking information to prop up propaganda. "Tainted leaks are the next frontier of disinformation: an attempt to really tamper with the integrity of large sets of information that people will believe to be genuine," said John Scott-Railton, researcher at Citizen Lab.

Following Fancy Bear's footprints

Citizen Lab started their probe with a "patient zero": David Satter, a prominent journalist and Kremlin critic. On October 7th 2016, Satter was targeted by a self-proclaimed pro-Russian hacktivist group known as Cyber Berkut, which pilfered his emails in much the same way as Fancy Bear compromised Hillary Clinton campaign chairman John Podesta. They sent phishing emails that appeared to come from Google asking Satter to change his password, but as soon as he visited the link included in the faked message and entered his login details, his account was effectively in the hands of the hackers.

Those emails were then "selectively modified" by Cyber Berkut before being published online, Citizen Lab wrote in its report released Thursday. Those "tainted leaks" contained both real and faked communications. Amongst the tampered-with messages was a report sent by Satter to the National Endowment for Democracy (NED), a U.S. non-profit promoting democracy across the world. It was altered in such a way as to make it appear Satter was paying Russian journalists to write articles damning of the Russian regime.

The real report focused on the work of Radio Liberty, a U.S.-government sponsored station that broadcasts news into Russia. But the surreptitious edits removed mentions of Radio Liberty, replacing them with general statements to make it appear Satter was supporting a larger operation, while adding articles from other sources that were never in the original document. Crucially, amongst the added articles were some penned by or featuring Alexei Navalny, a prominent Russian anti-corruption activist and opposition figure; those articles focused on corruption. "By repeatedly adding his reporting to the document, the tainting creates the appearance of 'foreign' funding for his work," Citizen Lab wrote.


Russian state-owned media, including RIA Novosti and Sputnik Radio, later reported that the document showed a CIA-backed conspiracy to foster revolution within Moscow. And, to add to the irony, the document was used to support claims that there was an ongoing deliberate misinformation campaign perpetrated by outsiders.

There was another red flag: amongst the leaked emails was a reference to a report that hadn't been published at the time. The fact that Cyber Berkut had access to that investigative article, written by journalist Elena Vinogradova, before it went live indicated the hackers were spying on her publication, though Citizen Lab could not confirm any breach.

And Cyber Berkut planted more false information in leaks from the Open Society Foundations (OSF) back in November 2015, according to Citizen Lab. In that case, it appeared a funding strategy document and a budget spreadsheet were altered to make it seem as though certain media outlets and Navalny's Foundation for Fighting Corruption were supported by OSF.

As for the wider hacking activity in which Satter was caught up, the Cyber Berkut crew sent phishing emails to a former Russian Prime Minister as well as journalists and political activists in the country. Most targets were in Ukraine, including politicians and government officials.

While U.S. targets were in the minority, they included a previous director of the Department of Defense, a former deputy under secretary of defense and an ex-senior director of the National Security Council. One more irony: a NATO specialist on counter-propaganda was on the hackers' hit list.

Russia has previously denied any involvement in the attacks on the U.S. election or links to the Fancy Bear group.

Confirming the links to Fancy Bear

The researchers didn't go as far as to attribute the activity directly to Fancy Bear. But multiple cybersecurity experts speaking with Forbes confirmed Cyber Berkut was operating alongside or within the same crew that hacked the U.S. election.

For instance, one web domain used in the attacks covered by Citizen Lab's report - myaccount.google.com-securitysettingpage[.]tk - had also been spotted by security firm SecureWorks in previous Fancy Bear attacks. SecureWorks, the first firm to find evidence that Google password phishing led to the DNC breach, said that between March 18th and March 29th 2016 the domain was used by Fancy Bear to create 224 Bitly shortlinks to phish Gmail users. That was the same domain used in the spear phish on Podesta, as well as on another prominent Clinton campaign staffer, according to SecureWorks' analysis. That made it pretty clear the hackers who hit Satter were the same as those behind the DNC breach, the firm added.

Furthermore, as noted by Citizen Lab, the emails sent to Satter not only looked the same but also came from the same address as that used in an attack on contributors working for citizen journalism outlet Bellingcat. They also used the same link-shortening services, Tiny.cc and TinyURL.com. Security firm ThreatConnect had previously tied that activity to Fancy Bear. (Rather ingeniously, the researchers at Citizen Lab were able to determine that Tiny.cc created shortened links in a predictable manner, allowing them to guess when and how they were created. This subsequently let them look at shortened links created in the same timeframe as those sent to Satter and Bellingcat. They used that information to uncover the other 218 targets.)


One final link: amongst the emails used to send phishing emails was an address: myprimaryreger@gmail[.]com, also previously linked to Fancy Bear hacking by security firm FireEye. FireEye also confirmed it had reviewed Citizen Lab's report and determined it was indeed Fancy Bear (though it refers to the group as APT28).

That's not nearly all tainted leaks

While Citizen Lab's report and subsequent analysis provide the first definitive evidence of Russian spies spreading falsified leaks, there have been rumors of similar efforts. The Clinton campaign warned that the files pilfered from Podesta and published on WikiLeaks might have been doctored, though it never offered any proof. Files stolen from the campaign of French president Emmanuel Macron were also reportedly tampered with, though it later transpired that this may have been a deliberate tactic used by his En Marche security team.

"I think that the tainted leaks operators are in a developmental phase," added Scott-Railton, warning this was just the beginning. "When such leaks hit social media, and there are already people or groups prepared to believe it, or with an incentive to spread it, it becomes very potent."
