One of the world’s most secure email services has been caught up in a sophisticated cyber attack aimed at investigative journalists and other experts who are probing Russian intelligence activities.
Those targeted have used Swiss-based ProtonMail to share sensitive information related to their probes of Moscow’s military intelligence directorate, the GRU. Its agents have been accused of complicity in the downing of MH17 over Ukraine in 2014, and the attempted assassination of Sergei Skripal and his daughter last year in Britain.
ProtonMail, which bills itself as the world’s most secure email platform, because of its cutting edge cryptography and protections against attack, became aware of the attempt to compromise its users on Wednesday.
The company, founded in 2014 by a team of former scientists from the European particle research laboratory Cern, has been in touch with Swiss authorities to help shut down the web domains used to try to dupe its clients and has taken action to block phishing emails.
“The campaign that came in [on Wednesday] was really in the top 1 or 2 per cent in terms of sophistication,” ProtonMail chief executive, Andy Yen, told the Financial Times. “They knew in advance exactly who they wanted to go after. Our research shows that this was a highly targeted operation.”
According to Mr Yen, Swiss domains were registered to mimic ProtonMail’s user interface, paid for through intermediaries using untraceable bitcoin transactions. The fake login portals on those domains were then synchronised with the real ProtonMail login process for simultaneous login, to trick users into also giving up their two-factor authentication codes.
Emails sent to users were carefully scripted, but also exploited a rare unpatched coding bug, unlikely to be understood by all but the best-resourced hackers.
Among the accounts hackers sought to break into were those used by members of a team at Bellingcat, the open-source reporting investigative website, and a corporate intelligence firm whose employees — some of them former intelligence officials — use ProtonMail for sensitive work investigating Russia.
Over the past month, to coincide with the fifth anniversary of the shooting down of Malaysia Airlines flight MH17 over Ukraine, Bellingcat has begun to publish fresh material from its investigations implicating Russia and the GRU in the incident. The Russian government has consistently denied its involvement.
Bellingcat is also preparing to release further information on the senior GRU officials they say co-ordinated the attempted poisoning of Sergei Skripal in Salisbury in March 2018.
“It seems clear that it is linked to our GRU investigations,” said Christo Grozev, a security specialist and researcher at Bellingcat. “They have been trying to get into our regular email accounts for a long time now. But with ProtonMail it was very odd and unexpected.”
Those targeted in the ProtonMail phishing attack have been rattled in particular by how the attackers gained details of their usernames and accounts in the first place, given many use anonymised addresses that are only known to a closed circle of trusted contacts. “I assume that one of them must be compromised,” said Mr Grozev. “So clearly we are going to have to change our accounts.”
Mr Grozev said he had little doubt that the operation was directed by Russia. He told the FT that Bellingcat was homing in on identifying the GRU officer who directed the Skripal assassination attempt. “That is what has triggered their interest,” he said.
Specific evidence pointing to Moscow in the attempt against ProtonMail is however thin on the ground.
Mr Grozev said it seemed likely that the GRU’s own hacking operation was responsible. The unit, known in the west by its nicknames Fancy Bear and APT28, was responsible for the hack against the Hillary Clinton campaign in the 2016 US presidential election.
“The activity and targets in this attack [against ProtonMail] are consistent with what we observed from Fancy Bear in the past,” said Adam Meyers, vice-president of Intelligence at CrowdStrike, the US cyber security company that first identified Fancy Bear’s activities. “It would seem like a classic counter intelligence mission . . . Bellingcat has certainly made a mess of the GRU’s operations.”
Fancy Bear had been quiet recently, said Mr Meyers, but early indications suggested that some recent activities had, like the ProtonMail attacks, become more targeted and narrow.
“Attribution is of course hard,” said Mr Yen. “The choice of targets does give some basis for the claim that this was a state sponsored attack. It has many of the hallmarks of one, especially considering its sophistication.”
Mr Yen said ProtonMail users’ email accounts were fully end-to-end encrypted so users had nothing to worry about unless they had inadvertently given away their passwords.