Citizen Lab, a Toronto-based human rights research group that focuses on cybersecurity and surveillance, issued a report Thursday offering a detailed look at what they call an “extensive Russia-linked phishing and disinformation campaign” that targeted journalists and others, many of whom could be seen as undermining Russian President Vladimir Putin, those close to him, or Russian geopolitical interests.
Entitled “Tainted Leaks,” the report traces the evolution of how stolen emails are altered and eventually used to disrupt political campaigns or dishonestly shape public opinion. In this case, the emails and other documents were stolen from the targets, modified in subtle but meaningful ways, published by pro-Russian hacktivists, and amplified by pro-Russian media in an attempt to discredit negative reporting about Putin and his inner circle. It showed how critical journalism was made to appear more subversive than it was by having locally based stories appear to be the work of a CIA operation looking to foment revolution. Aimed at Russia’s domestic population, the disinformation campaign appears designed to distract from any anger or distrust that reporting about Putin’s and his associates’ corruption may have created.
“Russia-linked cyber espionage campaigns, particularly those involving targeting around the 2016 US elections, and more recently the 2017 French election, have dominated the media in recent months,” the report’s authors write, noting that the most persistent victims of such campaigns are journalists, academics, activists, researchers, and others. “A healthy, fully-functioning, and vibrant civil society is the antithesis of non-democratic rule, and as a consequence, powerful elites threatened by their actions routinely direct the powerful spying apparatuses toward civil society to infiltrate, anticipate, and even neutralize their activities.”
Beginning with the successful breach of journalist David Satter’s email box in October 2016, researchers traced its consequences to an operation that targeted 218 unique targets in at least 39 countries. Satter had worked in Russia for years as a writer and journalist but was kicked out of the country in December 2013, likely as a response to his investigative reporting on powerful Russian figures and corruption for the Financial Times and other outlets. While analyzing the phishing email used to access Satter’s email, the Citizen Lab researchers discovered that the breach that snared Satter was potentially linked to a target list that included politicians and other government officials, journalists, academics, leaders of energy and mining companies, UN officials, and military personnel from more than a dozen countries, including the United States and NATO. In many cases, the targets of the campaign weren’t directly attacked, but by targeting people close to them, the perpetrators were able to discredit them nonetheless. Here is an outline of what they found:
Once Satter’s email account was accessed, the language of some of his emails was altered to change the context, so that it appeared his Radio Liberty reporting project was much bigger than it was. It also gave the impression that Russia-based journalists contributing to the project, who wrote stories critical of Putin and members of his circle, were funded by foreign money. For example, in some cases, the modifications to Satter’s emails made it appear as though Alexei Navalny, an opposition leader in Russia, was receiving foreign funding to carry on his activities.
By studying the URLs used to lure Satter into providing his email login credentials, the researchers believe they’ve found similarities between the operation and that which was used to target Hillary Clinton’s campaign and the Democratic National Committee during the 2016 US presidential election. The group that targeted the Clinton campaign is believed by some researchers and the US government to be APT28, an organization some have tied to Russian intelligence operations. “This similarity suggests possible code re-use,” the researchers write. “The two operations may be using the same phishing ‘kit.'”
The net result of operations such as the one detailed by the Citizen Lab is that by modifying authentic documents and emails in subtle ways, doubt can be cast on entire organizations, campaigns, projects, or individuals themselves. In the context of Russian operations, this is known as “dezinformatsiya,” which is propagating forged documents among legitimate documents to taint and call into question the entire batch.
The researchers acknowledge they have no “smoking gun” evidence pointing to a “particular Russian government agency, despite the overlaps between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors.” But the researchers note the Russian government is known to use proxy hacking groups to go after targets while maintaining plausible deniability, a practice that has been described by Mark Galeotti of the Institute of International Relations Prague as “guerilla geopolitics” based on its insurgent and asymmetric approach to achieving military and political goals.
“Tainted leaks are a growing and particularly troublesome addition to disinformation tactics, and in the current digital environment are likely to become more prevalent,” the researchers wrote. “Tainted leaks—fakes in a forest of facts—test the limits of how media, citizen journalism, and social media users handle fact checking, and the amplification of enticing, but questionable information.”