Russia-linked attack targets government officials, journalists, activists

A newly discovered hacking campaign linked to one of the groups behind the Democratic National Committee breach targeted government officials, journalists and activists, according to report released Thursday.

The attacks used a phishing campaign to steal and subtly alter emails that the attackers, who claim to be a pro-Russian hacking collective calling itself CyberBerkut, later leaked. 

Researchers at the University of Toronto’s Citizen Lab, which investigates global hacking campaigns against dissidents and journalists, noted that CyberBerkut used websites hosted at the same internet address as other attacks attributed to APT 28, which is believed to be a Russian hacking operation also known as Fancy Bear. 

Citizen Lab came across the campaign while investigating the leak of files from the journalist David Satter. Those leaks were largely accurate but contained some alterations apparently made for propaganda purposes. 

{mosads}While investigating the Satter breach, Citizen Lab came across a report from the security firm ThreatConnect about a phishing attack against a different journalist, sent at the same time, from the same email address and using much of the same language. 

Both the Satter and ThreatConnect phishing attacks used a URL shortener to obscure the site, which fraudulently asked for usernames and passwords. URL shorteners are often used in these campaigns to make it harder for spam filters to identify malicious websites. 

The campaign used the Tiny.cc URL shortener to link to obscure a link from a different URL shortener, TinyURL. Ultimately, the chain of URL shorteners ended up at the scam site.

Due to a quirk in how Tiny.cc shortens URLs, Citizen Lab was able to find all the URLs shortened by the site around the same time and discover which of those also sent users to scam sites. Encoded in the web addresses was the contact information of other victims. 

Citizen Lab found more than 200 total targeted email addresses, including United Nations officials, former U.S. officials from the National Security Council and Department of Defense, high-profile critics of Vladimir Putin, the former Russian prime minister and government officials and politicians from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam. 

More than a fifth of the targets were from Ukraine. 

A similar technique used by the firm SecureWorks to identify victims of a different phishing campaign ultimately discovered the email used to hack Hillary Clinton’s campaign chairman, John Podesta.