Russian spies may have backed email phishing campaign in effort to spread disinformation

New evidence of aglobal espionage campaign involvingemailphishingattacks and leaked falsified documents emerged on Thursday, with clues suggesting the Russian government might have been involved.

The targets spannedgovernment, industry, militaryand civil society groups,each with ties to Russia or Russian interests, a report by the University of Toronto's Citizen Labsuggests.

Although there is no definitive proof of Russia's involvement in the attacks,there is "overlap" with previously reported Russian espionage activities in particular, the work of a Russia-backed hacking group known as APT-28, or Fancy Bear.

Notably, Citizen Lab's researcherssay "an identical approach" to the phishing campaign described in their report was used in a March 2016 attack targeting Hillary Clinton's presidential campaign and the Democratic National Committee.

"While we have no 'smoking gun'that provides definitive proof linking what we discovered to a particular government agency our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyberespionage,"wrote Citizen Lab director RonDeibertin ablogpost.

U.S. reporter's documents leaked, manipulated

The report focuses in part on what the authors have termed "tainted leaks," leaks ofstolen documents that are largely authenticbut have been manipulated in certain partsto achieve a particular goal in this case, a political one.

In the incident Citizen Lab examined,documents obtained through a phishingoperation in October 2016 that targetedthe email account of U.S. journalist David Satterwere selectively modified in an apparent attempt to discredit Satter and his work and then posted online. Satterhas reported on Russia for decades and was expelled from the country in December 2013.

In unpacking that particular leak, Citizen Lab then identified a further 218 unique email accounts spanning 39 countries that had been targeted using the same phishing method used to fool Satter.

The accounts belong tomembers of governments including "a former Russian prime minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, CEOs of energy companies" but also members of civil society organizations, such as academics, activists, journalistsand employees with non-governmental organizations that have been critical of the Russian government or investigated its activities.

The scope of the targets, the report says, "suggests a well-resourced actor, such as a nation state."

Fancy Bear

U.S. intelligence officials believeRussian-backed groups conducted a series of cyberespionage campaigns throughout 2015 and 2016in an attempt to interfere with and potentially swaythe outcome of last year'spresidential election.

One group in particular was mentioned frequently in coverage of the attacks: APT-28, sometimes referred to by the nicknameFancy Bear.Itis believed that the group is backed by a nation state, if not a nation state itself namely,Russia.

While Citizen Lab's researchers could not make a "conclusive technical link" between their findings and Fancy Bear, they identified a number of similarities with the group's prior attacks.

For example, some of the domain names used in the campaign Citizen Lab studied bear a striking similarity to a Fancy Bearlinked phishing operation identified by the cybersecurity research firm Mandiant last year. There are also similarities with the methods used to break into the emailaccount ofClinton's campaign chairman, John Podesta suggesting, at the very least,two separate actors are sharing the samecode.

Tainted Leaks

Civil society groups are particularly rich targets for cyberespionage campaigns, as they tend to lack the resources of larger or better funded organizations to deal with digital attacks.Of note, the researchers say that 21 per centof those targeted in the campaign they studied were activists, academics, journalists, andNGOs the second-largest set after government targets.

"Many of the civil society targets seem to have been singled out for the perception that their actions could pose a threat to thePutinregime," the report said.

In Satter's case,leaked documents were selectively modified in such a way that the majority remained authentic, but misinformation was seeded throughout, in an attempt to lend legitimacy to otherwise false information. The researchers compared Satter's case with that of a prior attack onthegrant-makingorganization Open Society Foundations (OSF).

If the overall goal is just to sow informational chaos, tainted leaks are a good way of doing that.- SevaGunitsky,political science professor, University of Toronto

For example, one document was modified "to make Satter appear to be paying Russian journalists and anti-corruption activists to write stories critical of the Russian government," the report said.

In the OSF case, modifications were made to documents detailing a budget and funding strategies to make it appear as if the U.S.-based group was sponsoring Russian opposition leader Alexei Navalny's Foundation for Fighting Corruption.

Earlier this month, falsified documents appeared in a trove of documents taken from staff on French PresidentEmmanuel Macron's election campaign.

Described as "fakes in a forest of facts," the report concludes thatsuch tainted leaks "test the limits of how media, citizen journalism, and social media users handle fact checkingand the amplification of enticingbut questionable information."

However, University of Toronto political science professor SevaGunitsky says the practice of tainting leaks with false information could ultimately backfire.

"If they actually discover something politically damaging in a future phishing attack, it will be hard to credibly claim it was a real find," he said. "Of course, if the overall goal is just to sow informational chaos, tainted leaks are a good way of doing that."