More than a dozen Russian journalists and activists received a strange warning from Google earlier today, notifying them that “government-backed attackers” may be “trying to steal” their passwords. In the security alert, Google says it “can’t reveal what tipped [it] off because the attackers will take note and change their tactics.” The company says these attacks happen to “less than 0.1 percent of all Gmail users.”
According to opposition activist Oleg Kozlovsky, at least 16 people—including Bellingcat researcher and RuNet-Echo contributor Aric Toler—have received warnings from Google. Kozlovsky says he’s been alerted, along with Transparency International Vice President Elena Panfilova, former Moscow city council member Maksim Kats, journalist Ilya Klishin, and others.
(not a phishing email, alert popped up on my actual Gmail account) pic.twitter.com/c7zdxKfXRr
— Aric Toler (@AricToler) October 11, 2016
Alexey Shlyapuzhnikov, a security consultant for Transparency International, says the hackers were targeting, in part, three domains belonging to the NGO, as well as the email addresses of staff at regional and international offices.
Cybersecurity experts at the “ThreatConnect Research Team” concluded last month that Bellingcat founder Eliot Higgins and some of his top researchers, including Toler, were targeted in a spearphishing campaign consistent with the tactics, techniques, and procedures of the hacker group “Fancy Bear,” which has been implicated in attacks on the Democratic National Convention, the World Anti-Doping Agency, and the Court of Arbitration for Sport.
Bellingcat has been a key contributor to the international investigation of the shootdown of Malaysian Airlines Flight 17 (MH17) over Ukraine in 2014.
Toler says he’s received about a dozen phishing emails warning of unauthorized login attempts, urging him to check his account activity and change his password. The links provided in the emails look legitimate, but they are actually malicious attempts to steal personal data, masked behind tiny.cc hyperlinks.
This is hardly the first time people connected to Russia’s independent media have found themselves in the crosshairs of hacking efforts. In September 2015, an editor and a journalist at the newspaper Novaya Gazeta reported that their email inboxes had been targeted by persons who obtained unauthorized duplicates of their SIM cards from cell service providers.
In April 2016, several Russian journalists—including Roman Shleynov, who worked with the Organized Crime and Corruption Reporting Project on the “Panama Papers” investigation—said they received security warnings from Google about possible state-sanctioned attempts to hijack their email accounts.
On April 29, two Russian opposition activists—one of whom was Oleg Kozlovsky—reported that their Telegram messenger accounts had been hacked remotely. They say unauthorized access to their accounts was obtained through tampering with the app's SMS login feature. “There are no doubts that this whole special operation was organized and partially executed by Russia’s Federal Security Service,” concluded Vladislav Zdolnikov, a technology expert working with Alexey Navalny’s Anti-Corruption Foundation.
In June 2012, Google rolled out warnings for users it believes are being targeted by state-sponsored attacks. “If you see this warning it does not necessarily mean that your account has been hijacked,” explained Eric Grosse, Google’s vice president of security engineering. “It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account.”