Russian spies impersonating Western researchers in ongoing hacking campaign

Hackers working for Russia’s intelligence services are impersonating researchers and academics in an ongoing campaign to gain access to their colleagues’ email accounts, according to messages and files seen by Recorded Future News and independently analyzed by two cybersecurity companies.

Keir Giles, the British author of “Russia's War on Everybody” and a consulting fellow at the Chatham House think tank, shared with Recorded Future News several suspect emails sent by accounts purporting to be fellow researchers. Other correspondence we have seen shows multiple researchers who did not consent to being identified in this report also being targeted over the past three months.

All of the correspondence suggests several of the researchers have been successfully compromised by the hackers, who pretend to solicit feedback on academic articles — including an op-ed about sanctions on Moscow — or a draft version of Ukraine’s maritime security strategy.

The campaign, which also has impacted individuals in the United States and Europe, is the latest example of Russian cyber activity that serves both an intelligence-gathering function as well as providing the Kremlin with material it can use to discredit its critics.

Emails in which one victim offered genuine feedback to an address controlled by the threat actor indicate that the spies wrote real articles to support the ruse. One target who had likely been hacked stopped speaking to colleagues after being told that the article they had reviewed was a lure designed to harvest their credentials, possibly out of embarrassment.

A spokesperson for the U.K.’s National Cyber Security Centre (NCSC) — which works with victims in confidence when they report an incident — told Recorded Future News that “those who may have fallen victim should not feel embarrassed or ashamed,” given that spearphishing attacks are “an established technique used by many actors.”

Independent analyses of the emails, attachments, and the credential-harvesting infrastructure targeting Keir Giles were conducted by cybersecurity companies Secureworks and Mandiant.

Both companies said they believed the campaign was perpetrated by a state-sponsored threat group tracked variously as Iron Frontier, Calisto, Coldriver, or Star Blizzard/Seaborgium, that the British government has assessed to be operating for the Russian intelligence services.

Screenshot of PDF phishing lure attributed to Russian state-backed hackers

“The document uses a common ruse, blurring the content and placing a button (‘Open in Google Drive’) front-and-center indicating that the viewer should click it in order to de-blur the document,” explained Rafe Pilling, director of threat research at the Secureworks Counter Threat Unit (CTU).

The button links to a fake Google Drive domain hosted by the hackers, designed to look like a login page for the target’s account. However, any password and two-factor authentication token entered on that page is captured by the Russian intelligence services and used to access the victim’s email account.

“An interesting side note, in addition to the blurred content in the PDF there are several pages at the end that appear blank but in fact have white-on-white hidden text which appears to be re-arranged extracts from ‘The Little Prince,’ possibly as a spam detection evasion mechanism,” added Pilling.
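As an added illustration, not code from the article, Secureworks or Mandiant, the following Python script triages a PDF attachment for the two lure features Pilling describes: a link action whose target is not a Google host, and text drawn in white fill on a white page. The sample PDF bytes are constructed for the example and are not a fully conformant file (no cross-reference table), the lookalike hostname is a placeholder, and the scanner only reads uncompressed content streams; real attachments usually carry /FlateDecode streams that would need inflating with zlib before scanning.

```python
"""Triage a PDF attachment for two lure features: link buttons that leave Google
and white-on-white hidden text. Added example, not the article's own tooling."""
import re
from urllib.parse import urlsplit

# Only uncompressed content streams are inspected; a production tool would first
# inflate /FlateDecode streams (zlib) and then run the same scan on the result.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Fill-colour operators (grey 'g' and RGB 'rg') and the text-showing operator Tj.
TOKEN_RE = re.compile(
    rb"(?P<g>[\d.]+)\s+g\b"
    rb"|(?P<r>[\d.]+)\s+(?P<gg>[\d.]+)\s+(?P<b>[\d.]+)\s+rg\b"
    rb"|\((?P<text>(?:\\.|[^\\)])*)\)\s*Tj\b"
)

# Hosts a genuine "Open in Google Drive" button may legitimately point at.
TRUSTED_LINK_HOSTS = {"drive.google.com", "docs.google.com", "accounts.google.com"}


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found anywhere in the PDF."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def find_white_text(pdf: bytes) -> list[str]:
    """Return strings drawn while the fill colour is white (invisible on a white page)."""
    hidden = []
    for stream in STREAM_RE.finditer(pdf):
        fill_is_white = False
        for tok in TOKEN_RE.finditer(stream.group(1)):
            if tok.group("g") is not None:
                fill_is_white = float(tok.group("g")) >= 0.99
            elif tok.group("r") is not None:
                rgb = (float(tok.group("r")), float(tok.group("gg")), float(tok.group("b")))
                fill_is_white = all(c >= 0.99 for c in rgb)
            elif fill_is_white:
                hidden.append(tok.group("text").decode("latin-1"))
    return hidden


def triage(pdf: bytes) -> dict:
    """Combine both checks into a verdict with the evidence that produced it."""
    uris = extract_uris(pdf)
    untrusted = [u for u in uris if urlsplit(u).hostname not in TRUSTED_LINK_HOSTS]
    white = find_white_text(pdf)
    return {
        "uris": uris,
        "untrusted_links": untrusted,
        "white_text": white,
        "suspicious": bool(untrusted or white),
    }


# Constructed sample modelled on the lure described above: a visible
# "Open in Google Drive" button whose link leaves Google, plus a trailing page of
# white-on-white filler text. The hostname is a placeholder, not a real indicator.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R 5 0 R] /Count 2 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Length 58 >>
stream
BT 0 g /F1 14 Tf 72 700 Td (Open in Google Drive) Tj ET
endstream
endobj
5 0 obj << /Type /Page /Parent 2 0 R /Contents 7 0 R >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 250 720]
  /A << /S /URI /URI (https://drive-google.example-lookalike.invalid/open) >> >> endobj
7 0 obj << /Length 62 >>
stream
BT 1 1 1 rg /F1 10 Tf 72 700 Td (white on white filler text) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The two signals are deliberately reported separately: an untrusted link behind a "Google Drive" button is strong on its own, while white text is only a weak hint (some legitimate generators emit it), so a mail gateway would typically weight them differently rather than treat either as proof.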

“Going over the artefacts I have, I’m moderately confident this is IRON FRONTIER. A lot of the tradecraft is similar to what they have done before. The use of a Russian hoster is a little odd, but lots of other things line up with past attacks by that group,” the Secureworks CTU director said.

Hack-and-leak

Last year the British government summoned the Russian ambassador over the activities of the hacking group, which it outed as accountable to Center 18 of the Russian Federal Security Service (FSB) and accused of being behind a “sustained but unsuccessful” campaign of hack-and-leak operations designed to undermine democratic institutions.

At the same time, the U.S. Department of Justice charged two Russian nationals with being part of Center 18’s spearphishing campaigns dating back to 2016 — FSB officer Ruslan Aleksandrovich Peretyatko, and Andrey Stanislavovich Korinets, who was not described as an FSB officer but as the creator of the fraudulent domains.

According to the British government, Center 18’s previous targets in the United Kingdom include Sir Richard Dearlove, the former head of the Secret Intelligence Service (MI6), and a think tank called the Institute for Statecraft, which had worked on countering Russian information operations.

“We’ve seen repeated examples of political impacts that Russia has achieved to the detriment of this country through accessing the email accounts of individuals who are prominent or politically active, especially if they are critical of Russia,” said Giles.

Following the hack of Dearlove’s email account, private correspondence between him and his associates appeared online as part of a disinformation narrative. The Institute for Statecraft ultimately shut down after its internal emails were published first by Russian media and then by outlets in the United Kingdom, prompting political controversy.

The hack-and-leak program is “a low-cost and high-impact intervention,” said Giles, “with the side benefit to Russia of causing enormous inconvenience, personal expense, and psychological harm to people who are critical of the Russian state.”

During the British general election in 2019, the leader of the opposition Jeremy Corbyn brandished trade documents stolen from the personal inbox of a British minister by Russian hackers. The Labour Party subsequently condemned the Russian interference, although Corbyn — who has since been suspended from the party — denied that the trade documents were provided by Russia.

In almost all of the hack-and-leak incidents, the Russian intelligence services benefited from media coverage — in some cases by mainstream publications, but often from fringe online outlets — that amplified the disruption caused by leaking stolen emails.

“It’s been an ongoing conversation about how exactly journalists should respond to hack-and-leak operations, and in a way it’s regrettable that conversation has not yet been resolved because it ought to be a fairly straightforward choice: That despite the fact that the story is juicy and enticing, if you’re aiding a hostile power to have malign political influence against your own country, you shouldn’t touch it,” said Giles.

Last month, Britain's new National Security Act came into force, allowing for the first time law enforcement agencies in the United Kingdom to prosecute undeclared foreign spies. The law also includes the new offenses of engaging “in conduct of any kind” that intends or is likely to “materially assist a foreign intelligence service,” potentially exposing writers at fringe outlets to prosecution and up to 14 years imprisonment.

Phishy emails

Giles said it was fortunate he did not click on the emails immediately, although they were not suspicious at first glance. Academics and researchers have “a busy and active correspondence … and as such we often exchange information, opinions, drafts of things that we’ve written. It’s perfectly normal for people to write to each other.”

Several of the targets in the most recent campaign are veteran researchers who, Giles said, may not have been entirely confident with technology. A number of psychological factors can add to the harm of being hacked, including the emotional impact when a charitable act — reviewing a colleague’s article and offering feedback before publication — is exploited to the target’s own detriment.

Some of the targeted individuals declined to discuss the matter publicly with Recorded Future News, as they have referred the incidents to government authorities.

Giles told Recorded Future News that in his case the emails fell victim to the same fate as many others he receives, even from close friends, in that he just didn’t get around to opening them until much later in the day.

“That played in my favor, because by the time I did actually consider the first email it meant I was sitting calmly, without being in a rush, and so could actually recognise that it was being sent from an unusual address and that this individual wouldn’t normally have sent an attachment as a password-protected PDF,” he added.

The first fake address and email were initially convincing. The message was written in perfect English, and the address followed the same format as the impersonated researcher’s authentic Gmail address but was a Proton Mail account. It also used the same profile image as the researcher’s Gmail account. The address impersonating a second researcher replaced a lowercase “l” with a capital “I” and was again sent from a Proton Mail account.
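The two impersonation patterns described above (a known contact's address recreated at a different provider, and a confusable character such as a capital I standing in for a lowercase l) can be checked mechanically against a personal address book. The following Python script is an added example, not tooling from the article or from any of the companies it cites; the contact names and addresses in it are constructed placeholders, and the confusable table covers only a handful of common swaps.

```python
"""Flag sender addresses that imitate a known correspondent: same local part on a
different provider, or visually confusable characters in the local part."""
import unicodedata
from email.utils import parseaddr

# Characters an attacker can swap for a visually similar one. Applied before
# lowercasing so that a capital I folds to l rather than to i.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",
    "O": "o", "0": "o",
    "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
    "\u0456": "i",                                                              # Cyrillic i
})

# Constructed address book; names and addresses are placeholders, not real people.
KNOWN_CONTACTS = {
    "Jane Example": {"jane.example@gmail.com"},
    "Ivan Placeholder": {"ivan.placeholder@university-example.ac.uk"},
}


def fold(text: str) -> str:
    """Canonical form for lookalike comparison: NFKC, confusables mapped, lowercased."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).lower()


def classify_sender(header_from: str, contacts: dict = KNOWN_CONTACTS) -> dict:
    """Compare a From: header against the address book and explain any mismatch."""
    display_name, raw_addr = parseaddr(header_from)
    local, _, domain = raw_addr.rpartition("@")
    domain = domain.lower()
    addr = f"{local.lower()}@{domain}"
    result = {"verdict": "unknown", "matched_contact": None, "signals": []}

    # Exact match first, so a genuine contact is never reported as a lookalike.
    for contact, addresses in contacts.items():
        if addr in addresses:
            return {"verdict": "known", "matched_contact": contact, "signals": []}

    # Local part matches a known contact once confusables are folded away.
    for contact, addresses in contacts.items():
        for known_addr in addresses:
            known_local, _, known_domain = known_addr.rpartition("@")
            if fold(local) != fold(known_local):
                continue
            result["verdict"] = "lookalike"
            result["matched_contact"] = contact
            if local.lower() != known_local:
                result["signals"].append("confusable characters in local part")
            if domain != known_domain:
                result["signals"].append(f"same local part on a different provider ({domain})")
            return result

    # Address resembles nobody, but the display name does: still worth a look.
    for contact in contacts:
        if display_name and fold(display_name) == fold(contact):
            result["verdict"] = "name-only-match"
            result["matched_contact"] = contact
            result["signals"].append("display name of a known contact with an unrelated address")
            return result
    return result


if __name__ == "__main__":
    # Constructed headers covering the genuine address and the two patterns above.
    for header in (
        "Jane Example <jane.example@gmail.com>",
        "Jane Example <jane.example@protonmail.com>",
        "Jane Example <jane.exampIe@protonmail.com>",
        "Jane Example <j.example@outlook.com>",
    ):
        print(header, "->", classify_sender(header))
```

The check is only as good as the address book it is compared against, which is why it sits naturally in a personal mail filter rather than a gateway: the people best placed to maintain the list of "this is how my colleague actually writes to me" are the recipients themselves.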

While the lures in this campaign are designed to capture login credentials, researchers from Mandiant, a part of Google Cloud, and Google's Threat Analysis Group, have also observed the same hackers delivering malware with the PDF files.

NCSC publishes guidance for individuals and organizations — including academics and researchers — to help “reduce the chances of falling victim to a spear-phishing attack,” particularly as conducted by the FSB’s Center 18, although the agency has observed Iranian state-sponsored hackers running similar campaigns.

Unsuccessful interference?

Giles said that the British government’s assertion that Russian attempts to interfere in the country’s democratic processes have been “unsuccessful” was “so vaguely worded that it's hard to contradict directly, but it certainly gives a misleading impression.”

“The impact of these hack-forge-dump attacks is substantial. Not just in the direct harm to individuals, and the chilling effect of suppressing their further participation in public politics, but also in the institutional damage. You might claim that Russia's neutralization of the Institute for Statecraft may not have been a direct ‘interference with politics and democracy,’ but you can't claim it wasn’t a great success for Moscow.

“And with the attacks intended to have a direct impact on politics and democracy, like that on Richard Dearlove, and the stolen documents cynically exploited by Jeremy Corbyn in 2019, you can't claim that there was no impact on democracy because the impact is unquantifiable. Who knows how many people voted differently as a result?”

Back in 2019, a parliamentary inquiry investigating “disinformation and ‘fake news’” complained that the government “cannot state definitively that there was ‘no evidence of successful interference’ in our democratic processes, as the term ‘successful’ is impossible to define in retrospect.”

Ministers have continued to assert that all foreign interference has failed. Announcing sanctions against the FSB hacking group last month, the foreign secretary David Cameron said: “Russia’s attempts to interfere in UK politics are completely unacceptable and seek to threaten our democratic processes. Despite their repeated efforts, they have failed.”

At the time, the home secretary James Cleverly said: “An attack against our democratic institutions is an attack on our most fundamental British values and freedoms. The UK will not tolerate foreign interference and through the National Security Act, we are making the UK a harder operating environment for those seeking to interfere in our democratic institutions.”

On Thursday, ahead of expected elections in the United Kingdom later this year, the Joint Committee on the National Security Strategy launched a new inquiry to scrutinize how effective the British government has been at protecting the country's democratic integrity from foreign interference.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.