Cyber attack hits email users probing Russian intelligence

  • August 01, 2019

One of the world’s most secure email services has been caught up in a sophisticated cyber attack aimed at investigative journalists and other experts who are probing Russian intelligence activities. Those targeted have used Swiss-based ProtonMail to share sensitive information related to their probes of Moscow’s military intelligence directorate, the GRU. Its agents have been accused of complicity in the downing of MH17 over Ukraine in 2014, and the attempted assassination of Sergei Skripal and his daughter last year in Britain.

ProtonMail, which bills itself as the world’s most secure email platform because of its cutting-edge cryptography and protections against attack, became aware of the attempt to compromise its users on Wednesday. The company, founded in 2014 by a team of former scientists from the European particle research laboratory Cern, has been in touch with Swiss authorities to help shut down the web domains used to try to dupe its clients and has taken action to block phishing emails. Its own systems and servers have not been hit in any way, it emphasised.

“The campaign that came in was really in the top 1 or 2 per cent in terms of sophistication,” ProtonMail chief executive Andy Yen told the Financial Times. “They knew in advance exactly who they wanted to go after. Our research shows that this was a highly targeted operation.” According to Mr Yen, Swiss domains were registered to mimic ProtonMail’s user interface, paid for through intermediaries using untraceable bitcoin transactions. The fake login portals on those domains were then synchronised with the real ProtonMail login process so that both logins happened at the same time, tricking users into also giving up their two-factor authentication codes.

Emails sent to users were carefully scripted, but also exploited a rare unpatched coding bug in a widely used open source software package, one unlikely to be understood by all but the best-resourced hackers. Among the accounts the hackers sought to break into were those used by members of a team at Bellingcat, the open-source investigative reporting website, and a corporate intelligence firm whose employees — some of them former intelligence officials — use ProtonMail for sensitive work investigating Russia.

Over the past month, to coincide with the fifth anniversary of the shooting down of Malaysia Airlines flight MH17 over Ukraine, Bellingcat has begun to publish fresh material from its investigations implicating Russia and the GRU in the incident. The Russian government has consistently denied its involvement.