Russian critics hit by phishing, phoney leaked documents, Canadian researchers say

Leaked government documents published by reporters and others in a number of countries have helped expose questionable practices and in some cases criminal activity.

But the University of Toronto’s Citizen Lab said Thursday there’s a campaign apparently trying to discredit people and programs critical of authority figures in Russia by turning the tables — breaking into their computers through spear-phishing, stealing and altering original documents which are then “leaked” to pro-Russian media.

Releasing an altered document or documents among a pile of real documents gives legitimacy to the phoney information.

In this particular campaign “the tainting appeared to have two objectives: cause the programs to appear more subversive of Russia than they were, and discredit specific opposition individuals and groups critical of Russian President Putin and his confidants,” says the report.

The top 10 target countries of the Tainted Leaks attack, courtesy of Citizen Lab.

Citizen Lab says it can’t trace the attackers to a particular Russian government agency but there’s some evidence that the campaign is tied to Russian-affiliated threat actors — particularly a group called APT28, which allegedly was involved in the hack last year of the Democratic National Committee and release of documents by WikiLeaks.

It’s another example of the irony of the creation of the Internet: It can empower citizens by giving them access to information for making informed decisions, but is also a vehicle for spreading disinformation and false news.

But, the report warns, “the spread of disinformation can contribute to cynicism about the media and institutions at large as being untrustworthy and unreliable, and can cultivate a fatigue among the population about deciphering what is true or not.”

The possible targets of the phishing campaign the Citizen Lab describes include governments and companies, as well as what it calls “civil society.” That’s a broad category that includes journalists, many of whom, the report says, are prominent contributors to Russian language news outlets such as Vedomosti, Slon/Republic, Novaya Gazeta, and the BBC Russian Service, as well as academics and activists.

There is “the near perfect alignment between their [civil society] areas of activity and the geopolitical conflicts in which Russia is a known or suspected belligerent, or party to the conflict,” notes the report. “Specifically, the focus areas of the civil society targets span geographic boundaries, including conflict areas such as Syria, Afghanistan, Ukraine, and others. We also found that several dozen of the targeted individuals had as a thread in common that they had received a fellowship from a single funder focused on the region.”

Here’s an example of how Citizen Lab says the scheme works (image courtesy of Citizen Lab):

Journalist David Satter, described as a critic of the Kremlin who was tossed out of the country in 2013, was victimized in October, 2016 by a phony email that appeared to come from Google warning that someone had used his password to access his Gmail account. Assuming it was real, he clicked on a link to change his password on what looked like a legitimate Google login page. Citizen Lab believes attackers used the password to go through Satter’s email and alter one document, a piece by Satter describing Radio Liberty’s Russian Investigative Reporting Project. Radio Liberty is a U.S. government funded broadcaster that says it distributes “uncensored news, responsible discussion, and open debate.” The altered document was then leaked to CyberBerkut, which Citizen Lab says “represents itself as a group of pro-Russian hacktivists.”

The original version describes only Radio Liberty’s investigative work. The altered version, published online two weeks after Satter’s email was compromised, removes some references to Radio Liberty. That, Citizen Lab says, gives the impression of a widespread media campaign against the Russian government, not just by one broadcaster. In fact, the report says, CyberBerkut said it was releasing the document “to provide evidence that the United States was attempting to support a ‘colour revolution’ in Russia.”

In a blog, Citizen Lab director Ron Deibert noted the disinformation was also aimed at providing a false association between Satter, western NGOs, and prominent Russian opposition figures, most notably the prominent Russian anti-corruption activist, Alexei Navalny.

Altering the document also makes non-U.S. funded organizations, such as independent NGOs (non-government organizations), appear to be linked as part of this larger, fictitious program, says Citizen Lab.

Russia’s state operated news agency RIA Novosti was among those that picked up the theme struck by CyberBerkut, quoting people who claimed that the “leak” was evidence that the United States Central Intelligence Agency (CIA) was attempting to foment a “colour revolution.”

Similarly, Citizen Lab says that following a 2015 breach at the Open Society Foundations, altered OSF documents released by CyberBerkut appear designed to create the impression that several groups and media outlets critical of the Russian government are supported by the foundation. Funded by American magnate George Soros, the OSF’s Web site says its goal is “to build vibrant and tolerant democracies whose governments are accountable to their citizens.”

Because the phony phishing Gmail message sent to Satter used, the link-shortening service, and included predictable features, Citizen Lab says it could trace malicious links that might have been sent to politicians, public servants and government officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam; to senior members of the oil, gas, mining, and finance industries of the former Soviet states; to United Nations officials; to military personnel from Albania, Armenia, Azerbaijan, Georgia, Greece, Latvia, Montenegro, Mozambique, Pakistan, Saudi Arabia, Sweden, Turkey, Ukraine, and the United States, as well as to NATO officials.

“We have no conclusive evidence that links these operations to a particular Russian government agency,” Citizen Lab says. “However, there is clear overlap between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors.”

“While it is possible that a proxy actor is implementing the front-end collection component of the phishing campaign we are describing, the scale of the targeting also suggests a well-resourced actor, such as a nation state. The thread linking all of the targets is their connection to issues that the Russian government cares about. The targets are people whose positions or activities give them access to, or influence over, sensitive information of specific interest to Russia. This links an otherwise extremely diverse target set, which ranges from domestic Kremlin critics and journalists, to anti-corruption investigators, foreign government personnel, and businesspeople.”

David Swan, the Alberta-based director of the cyber intelligence service at the Centre for Strategic Cyberspace and Security Science consultancy, said that while the Citizen Lab report is detailed and thorough, it’s also “understated.” The Russians are “world-class operators,” said Swan, a former Canadian army intelligence officer.

As for what ordinary people who use the Internet for news and information can learn from the Citizen Lab report, Swan said “the challenge is to be extraordinarily cynical in what you read online … Be selective on where you’re getting your news.”

Meanwhile, CISOs at news outlets, reporters, academics and non-government organizations have to be vigilant about being targeted by attackers who want to smear them. That means being aware of telephone calls and email from people who may purport to be legitimate, as well as being extra-cautious in the use of passwords and multi-factor authentication — in other words, basic security.

Howard Solomon