In late July 2019, multiple experts of the European Values Think-Tank became targets of a phishing campaign that the ProtonMail CEO described as “the most sophisticated [he has] ever encountered”. According to the investigative group Bellingcat, the phishing campaign targeted at least 30 Russia-focused individuals:
Two Bellingcat researchers, one BBC investigative journalist, three Guardian journalists, three journalists from different Russian investigative media, six other investigators and academics focused on the Kremlin’s foreign policy and Russian clandestine operations abroad, and 10 known targets among Russia-focused think-tanks, for example the European Values Think-Tank or the Free Russia Foundation.
According to Bellingcat, the probable perpetrator is the GRU:
- Bellingcat’s preliminary analysis of the source code used on the phishing sites implies that the campaign was the work of a state actor, not of an individual hacker or a hacker collective.
- One indirect reason for attribution to a state actor is the time that was required to build (or re-purpose) the code and infrastructure for the operation. Bellingcat was able to reconstruct a large part of the malicious code by harvesting the browser cache of a targeted computer. It found that the main background image used on the log-in portal of the fake site was an edited version of the ProtonMail image and contained metadata that the original does not. The modifications to the image on the fake site were made on 8 March 2018. This suggests that the ProtonMail phishing campaign had been in the planning stage for over a year.
- Another intriguing detail of the campaign is that there seems to have been at least one “development” website associated with the same operation and used for several months prior to its operational launch. This site was discovered by Marcus Neis, Threat Intel Manager at Swisscom, who found an overlapping SHA256 fingerprint between this site and one of the phishing websites.
- Both ThreatConnect and ProtonMail confirmed that their own investigations point to a likely Russian origin of the phishing attack.
- Bellingcat is aware of an ongoing investigation into the phishing operation by Swiss law enforcement.
“The fact that our analysts are targets of such sophisticated operations alongside the elite of Western investigators of Russian hostilities only confirms to us that we have targets on our backs. That is the price you pay for exposing hostile activities by the Russian dictatorship also in our Central and Eastern European region. None of our critical data were compromised during this incident. We would like to thank the security institutions of democratic countries who are helping to protect people like us and many others,” says Jakub Janda, Executive Director of the European Values Think-Tank.
Technical details of the incident were made public by Bellingcat.