Fancy Bear US Election Hackers Doctored Leaked Documents

The Russian hackers behind the break-in at the Democratic National Committee last summer have been caught engaging in “tainted leaks”—i.e., inserting fake information into stolen documents and then releasing them in a disinformation effort.

The first victim of this treatment, according to an investigation by Citizen Lab, was a journalist and noted Kremlin critic David Satter. From there came the discovery of 200+ unique targets spanning 39 countries (including members of 28 governments).

“The list includes a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers, CEOs of energy companies and members of civil society,” the firm said in a summary of the campaign. “After government targets, the second largest set (21%) are members of civil society including academics, activists, journalists and representatives of non-governmental organizations.”

Satter was a top target, having been banned from Russia in 2013 after carrying out investigative reporting on Russian autocracy. He has also published a book arguing that a series of bombings that prompted the second Chechen War were engineered to facilitate Vladimir Putin’s political rise. 

Last October, Satter’s emails were stolen and later published on the CyberBerkut hacking blog after he fell for a phishing lure. Citizen Lab said that unpublished reporting lifted from his emails, concerning Radio Liberty’s Russian investigative reporting project, was also leaked in a version addressed to the National Endowment for Democracy (NED) with carefully modified false information. For instance, all references to Radio Liberty had been removed.

“This manipulation created the false appearance that prominent Russian anti-corruption figures, including Alexei Navalny, were receiving foreign funding for their activities. (Alexei Navalny is a well-known Russian anti-corruption activist and opposition figure),” Citizen Lab explained. “We also note how the document was used in an effort to discredit specific reports about corruption among close associates of Russian President Vladimir Putin.”

It added, “We believe that by removing specific references to Radio Liberty, the perpetrators are aiming to give the impression of a broader subversive campaign not limited to a single news organization. Doing so allows the perpetrators to falsely associate non-US funded organizations, such as independent NGOs, to appear to be linked as part of this larger, fictitious program.”

The leaked document also made reference to an article that had not yet been published at the time the document was released, which suggests ongoing surveillance operations.

As for Fancy Bear, aka APT28, numerous links suggest it has ties to these operations, including marked similarities to the short codes used in the lures and a collection of other phishing links now attributed to the meddlers in the 2016 US election. The campaign that targeted the DNC also used the same Google security-themed phishing ruse and abused another URL-shortening service. Citizen Lab also found similarities in domain naming and subdomain structures between the tainted leaks campaign and operations linked to Fancy Bear. In fact, the link used to phish John Podesta shares distinct naming and subdomain similarities with domains linked to the phishing operation against Satter.

“The phishing URLs in this campaign were encoded with a distinct set of parameters using base64. When clicked, the links provided key information about the targets to the phishing website,” explained Citizen Lab. “An identical approach to parameters and encoding has been seen before: in the March 2016 phishing campaign that targeted Hillary Clinton’s presidential campaign and the Democratic National Committee.”
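One way a defender can triage links of this kind, as an added example that is not code from Citizen Lab or the article: decode any base64-looking query parameters and flag those that carry a target's email address or name. The host name, parameter names and the sample URL are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
NAME_RE = re.compile(r"[A-Za-z][A-Za-z'.-]+( [A-Za-z][A-Za-z'.-]+)+")


def _b64(text, urlsafe=False):
    """Encode sample data, stripping '=' padding so the tolerant decoder is exercised."""
    enc = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    return enc(text.encode()).decode().rstrip("=")


# Constructed sample: hypothetical phishing landing URL whose query string
# identifies the recipient via base64-encoded parameters ("e", "n").
SAMPLE_URL = ("https://accounts-verify.example.test/login?e="
              + _b64("jane.doe@example.org", urlsafe=True)
              + "&n=" + _b64("Jane Doe") + "&ref=newsletter")


def try_b64(value):
    """Decode standard or URL-safe base64 with missing padding; None if not printable text."""
    value = value.replace(" ", "+")  # parse_qs already turned '+' into ' '; restore it
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            text = base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text and text.isprintable():
            return text
    return None


def decode_tracking_params(url):
    """Return {param: decoded_text} for every query value that decodes to printable text."""
    found = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            text = try_b64(v)
            if text is not None:
                found[key] = text
    return found


def classify_target_info(decoded):
    """Flag decoded values that look like a recipient's identity: (param, kind, value)."""
    hits = []
    for key, text in decoded.items():
        if EMAIL_RE.fullmatch(text.strip()):
            hits.append((key, "email", text))
        elif NAME_RE.fullmatch(text.strip()):
            hits.append((key, "name", text))
    return hits
```

Parameters that decode to identity data are a strong signal that a link was crafted for one recipient, which is worth correlating across reported lures before blocking the domain.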

It added, “This domain/subdomain naming schema is also extremely close to one featured in Mandiant’s 2017 M-Trends report, in a phishing operation linked to APT28 which targeted OAuth tokens in an effort to obtain persistent access to a victim’s Google account, and to bypass the security of two-factor authentication.”

Despite the circumstantial evidence, Citizen Lab said that it wasn’t able to make a more conclusive technical link to Fancy Bear, which is widely believed to be a nation-state actor supported by the Kremlin. But Forbes carried out its own investigation using information uncovered by SecureWorks and found plenty of evidence:

“For instance, one web domain used in the attacks covered by Citizen Lab's report -[.]tk - was also spied by security firm SecureWorks in previous Fancy Bear attacks. SecureWorks, the first firm to find evidence that Google password phishing led to the DNC breach, said between March 18th and March 29th 2016 that domain was used by Fancy Bear to create 224 Bitly shortlinks to phish Gmail users. That was the same domain used in the spear phish on Podesta, as well as another prominent Clinton campaign staffer, according to SecureWorks' analysis. That made it pretty clear the hackers who hit Satter were the same as those behind the DNC breach, the firm added.”

As to whether the information leaked from the DNC had been doctored, no analysis has been applied to it so far. But this kind of tampering is likely to become more and more widespread.

"Tainted leaks are the next frontier of disinformation: an attempt to really tamper with the integrity of large sets of information that people will believe to be genuine," John Scott-Railton, researcher at Citizen Lab, told Forbes.
