Russian hackers attacked Bellingcat investigators over MH17

Security firms says Fancy Bear group tried to put the frighteners on journalists over their research into passenger aircraft shot down over the Ukraine two years ago.

A citizen journalist organisation called Bellingcat, founded by Eliot Higgins, helped the investigation by analysing images and documents. This led to it pointing the finger at involvement by Moscow.
A citizen journalist organisation called Bellingcat, founded by Eliot Higgins, helped the investigation by analysing images and documents. This led to it pointing the finger at involvement by Moscow.

A citizen journalist organisation was repeatedly hacked by Russian cyber-spies following its investigation of the MH17 flight over eastern Ukraine in 2014, according to security researchers.

Malaysian Airlines flight MH17 from Amsterdam to Kuala Lumpur was shot down two years ago. An investigation by Dutch officials determined that a missile that brought down the aircraft was Russian-made and was fired from a part of Ukraine that was under the control of Russian-backed Ukrainian separatists at the time.

A citizen journalist organisation called Bellingcat, founded by Eliot Higgins, helped the investigation by analysing images and documents. This led to it pointing the finger at involvement by Moscow.

However, in doing so, it opened itself up to attack in early 2015. Bellingcat contacted IT security outfit ThreatConnect after the journalists started getting what looked like phishing emails.

“From February 2015 to July 2016 three researchers at Bellingcat — Higgins, Aric Toler and Veli-Peka Kivimaki — who had contributed MH17 articles received numerous spear-phishing emails, with Higgins alone receiving at least 16 phishing emails targeting his personal email account,” said ThreatConnect researchers in a blog post.

The researchers added that most of the campaign took place from February to September 2015, with some activity resuming in May 2016. These spear-phishing attempts consist of a variety of spoofed Gmail security notices alerting the target that suspicious activity was detected on their account.

“The target is prompted to click a URL resembling a legitimate Gmail security link to review the details of this suspicious activity,” said the researchers.

Investigation of this by ThreatConnect found that domains and IP addresses used in the Bellingcat spear-phishing campaign apparently also match or “closely resemble” those used by Fancy Bear. ThreatConnect also said there were other overlaps with Fancy Bear's hacking infrastructure.

There is also evidence that another Pro-Russian hacking outfit called CyberBerkut was also hacking Bellingcat.

“The campaign against Bellingcat provides yet another example of sustained targeting against an organisation that shines a light on Russian perfidy,” ThreatConnect said. “The spear-phishing campaign is classic Fancy Bear activity while CyberBerkut's role raises yet more questions about the group's ties to Moscow.”

“If Russia is willing to go to these lengths to compromise a small journalist organisation and its contributors, consider what they are willing to do to major news and media outlets that publish similar articles.”

Adam Vincent, CEO at ThreatConnect, told SCMagazineUK.com that both public and private organisations must engage with one another and share threat information if they are to avoid falling prey to state-backed hackers like those which targeted the World Anti-Doping Agency and the Bellingcat journalists.

“An effective intelligence sharing community allows all members to benefit from the experiences of individual organisations, reducing the time it takes to develop effective countermeasures against recurring state-backed hacking techniques,” he said.

Andy Norton, risk officer at SentinelOne, told SC that it doesn't really matter whether they are state actors or hacktivists or criminals, if someone wants to get in, they will get in.

“That´s a big pill to swallow, and not what the board want to hear. So we pretend we can prevent everything, because it's more palatable. The Lockheed Martin Kill Chain is a great framework for mapping your defences against. What most people find is that they have too much reliance on stopping attacks and little or no ability to nip successful attacks in the bud. Security is currently an all or nothing approach and we have to be smarter than that.”

Sign up to our newsletters