Russian Hackers Sow Disinformation Via Leaks

Uploaded on 2017-06-02 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Over the past year, the Kremlin’s strategy of weaponising leaks to meddle with democracies around the world has become increasingly clear, first in the US and more recently in France

But a new report by a group of security researchers digs into another layer of those so-called influence operations: how Russian hackers alter documents within those releases of hacked material, planting disinformation alongside legitimate leaks.

The report from researchers at the Citizen Lab group at the University of Toronto’s Munk School of Public Affairs documents a wide-ranging hacking campaign, with ties to known Russian hacker groups. The effort targeted more than 200 individuals, ranging from Russian media to a former Russian prime minister to Russian opposition groups, and assorted government and military personnel from Ukraine to Vietnam. 

Noteworthy among the leaks: A Russia-focused journalist and author whose emails were not only stolen but altered before their release. Once they appeared on a Russian hacktivist site, Russian state media used the disinformation to concoct a CIA conspiracy.

The case could provide the clearest evidence yet that Russian hackers have evolved their tactics from merely releasing embarrassing true information to planting false leaks among those facts. “Russia has a long history of experience with disinformation,” says Ron Deibert, the political science professor who led Citizen Lab’s research into the newly uncovered hacking spree. “This is the first case of which I am aware that compares tainted documents to originals associated with a cyber espionage campaign.”

Go Phish

In his 2003 book Darkness at Dawn, journalist David Satter alleged that Vladimir Putin had arranged for Russian security forces to bomb apartment buildings in Moscow in 1999, in an attempt to incite war with Chechnya. 

In October of last year, Satter received a phishing email that spoofed a message from Google security requiring him to enter his Gmail account credentials, the same tactic used to breach the inbox of Clinton campaign chairman John Podesta last year. Satter, too, fell for the ruse.

Later that month, a Russian hacker group calling itself CyberBerkut released a collection of emails from Satter’s inbox, just as Russian hackers dumped pilfered emails from Podesta, the Democratic National Committee, the political party of French president Emmanuel Macron, and others. But in Satter’s case, one of those emails had been very clearly altered.

The original message had included a report by Satter on Russia-focused work for Radio Liberty, the US government-backed news outlet. But the version of the report released by CyberBerkut had been altered to make it appear that Satter was instead coordinating the publication of critical articles on a wide swath of Russian opposition websites, including the site of Russian opposition leader Alexei Navalny. 

The additions even included a mention of an upcoming article about Russian officials and businessmen by one Russian journalist who hadn’t yet published it, suggesting that she’d been tracked or hacked as well.

CyberBerkut called the doctored leak evidence of US efforts to meddle in Russian politics, and even to inspire a popular revolution. Russian state media outlets RIA Novosti and Sputnik Radio picked up that thread, quoting sources linking the plot to the CIA.

Others have accused Russian hackers of this sort of disinformation trick. But when the Clinton campaign warned that its hacked emails, posted to WikiLeaks, shouldn’t be trusted, it couldn’t point to any specific fakes in the collection. 

The Macron campaign similarly warned that the emails published from its En Marche party contained unspecified spoofed documents, though in that case En Marche had seemingly planted them as well, in an effort to confuse hackers. The Satter case provides a concrete example.

Citizen Lab notes that CyberBerkut has published fake documents in other cases, as well. They confirm a Foreign Policy report that found the group had altered documents in a late 2015 release to make it appear that George Soros’ Open Society Foundation had funded Russian opposition media and Navalny’s anti-corruption group.

Hacks of State

The Citizen Lab report goes further, though, showing new evidence that the CyberBerkut isn’t just an independent hacktivist organisation. They also show that CyberBerkut has key links to the group known as Fancy Bear or APT28, which cybersecurity firms and US intelligence agencies have agreed pulled off the attacks on the Democratic National Committee and the Clinton campaign.

That detective work began when Citizen Lab analysed the URL shortener, known as Tiny.cc, that the hackers had used to generate the link that led Satter to the phishing site. They found they could generate “adjacent” URLs that were almost certainly created by the same user, and that one of those had been used to hack a reporter at the journalism outlet Bellingcat, an attack that the cyber-security firm ThreatConnect had tied to Fancy Bear.

In analyzing more of the “adjacent” URLs, they found the hundreds of other likely targets of the Russian hackers, including Russian dissidents and foreign government officials. They also discovered that another of the URLs was tied to what appeared to be a test account that security firm FireEye had previously linked to Fancy Bear. And, of course, the Gmail phishing technique matched exactly with the one used against Podesta earlier in 2016.

Citizen Lab’s Deibert admits that none of this is a “smoking gun.” But it’s strong new evidence linking CyberBerkut’s fake leaks to a group already believed to be backed by the Kremlin. “All we can say is that the indicators we uncovered overlap extensively with other public reporting on APT28,” he says. “These, alongside the context of the targets, which match Russian strategic interests both domestically and abroad, provide very strong evidence that Russia is involved in some manner.”

All of which adds up to the strongest evidence yet that Russian hackers are indeed mixing fakes into their leaks, what the report calls “falsehoods in a forest of facts.” And that could reduce the credibility, Deibert says, of journalists who report on the leaks. It adds a new layer of falsehoods to an era fraught with fake-news accusations. “Campaigns of this sort have the potential to undermine the public’s already low confidence in media,” Deibert says.

But evidence that Russian hackers are fabricating their leaks could also make them less effective. Mixing fakes in with facts may work for Russian propaganda outlets. When it comes to involving US media in Russia’s influence operations, though, reporters may now think twice about trusting the contents of the next dumped inbox covered in Russian fingerprints.

Wired:

You Might Aslo Read:

Just Who Are Russia's Cyber Warriors?:

We Are Not Paid Agents of Russia…:

Macron Hackers Linked To Russian Intelligence:

 

 

« WannaCry Outbreak Is Just A Tip Of An Iceberg
Eight Steps To The GDPR Countdown »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Cyber Data-Risk Managers

Cyber Data-Risk Managers

Cyber Data-Risk Managers Pty Ltd is an insurance broker based in Melbourne, Australia specializing in Cyber insurance / Data breach insurance.

Cyber Command

Cyber Command

Our Managed IT service allows clients to offload the management of day-to-day computer, server, and networking support to our team of professionals.

Wind River

Wind River

Wind River delivers the technology and expertise that enables the deployment of safe, secure, and reliable intelligent connected systems.

Aiuken Cybersecurity

Aiuken Cybersecurity

Aiuken is an international IT Security company, focused on communications and IT technologies, specialised in Security and Cloud Services solutions with high added value.

NextVision

NextVision

NextVision is a Cybersecurity and Technology company offering a range of solutions and services for Security, Compliance and IT Infrastructure Management.

Hardenite

Hardenite

Hardenite solution helps R&D, DevOps and IT teams to continuously manage security risks and hardening efforts of any Linux OS – based product, throughout the product life cycle.

Kleiner Perkins

Kleiner Perkins

For five decades, Kleiner Perkins has made history by partnering with some of the most ingenious and forward-thinking founders in technology and life sciences.

Inspira Enterprise

Inspira Enterprise

Inspira Enterprise is a leading digital transformation company with expertise in Cyber Security, Internet of Things (IOT), Blockchain, Big Data & Analytics, Intelligent Automation and Cloud Computing.

Secure Ideas

Secure Ideas

Secure Ideas is focused on penetration testing and application security including web applications, web services and mobile applications.

SecureLayer7

SecureLayer7

SecureLayer7 is an international provider of integrated business information security solutions with an innovative approach to IT security.

Amnesty Tech

Amnesty Tech

Amnesty Tech's Security Lab leads technical investigations into cyber-attacks against civil society and provides critical support when individuals face such attacks.

Fenix24

Fenix24

Fenix24 is an industry leader in the incident-response space. We ensure the fastest response, leading to the full restoration of critical infrastructure, data, and systems.

NexGen Cyber

NexGen Cyber

NexGen Cyber helps customers in commercial SMB markets with IT security, security integration, service management, outsourced service transition, and transformative security solutions.

Positka FSI Pte Ltd

Positka FSI Pte Ltd

Positka, being a Splunk Singapore partner, provides Splunk & Phantom Services, Cybersecurity & Risk Management, Analytics & Big Data, Lean Process Optimization, and Managed Security Services.

Harrison Clarke

Harrison Clarke

Harrison Clarke is a leading staffing and recruiting firm in the Cloud, Cybersecurity, Data & AI space.

NewEvol

NewEvol

Don’t React, Evolve! Outsmart threats with real-time AI-powered dynamic defense capability of NewEvol all-in-one cybersecurity platform.