Guccifer Rising? Months-Long Phishing Campaign on ProtonMail Targets Dozens of Russia-Focused Journalists and NGOs
A sophisticated phishing campaign targeting Bellingcat and other Russia-focused journalists has been much larger in scope than previously thought, and has lasted at least several months. Bellingcat has identified dozens of targeted individuals across Europe and the US, with the earliest reported attack dating back to April 24 2019, and some evidence suggesting the campaign was in the works since as early as March 2018.
The target list of over 30 individuals using the end-to-end encrypted ProtonMail email service includes journalists, researchers, academics, employees of NGOs, and political activists. The one common denominator among them is the Russian focus of their research or activist work. Contrary to previous reporting, we have identified that at least some of the phishing attempts have been successful.
Bellingcat believes that this phishing campaign formed a stage of a larger ongoing hacking operation against Russia-focused journalists and researchers, with various methods and tools – some of them without precedent – being deployed against a range of targets both within Russia and abroad.
“A Most Sophisticated Phishing Campaign”
The active, publicly traceable phase of the phishing operation began in early April, when the perpetrators registered 11 domains intended to impersonate ProtonMail mail-hosting sites. Bellingcat has identified five different domains that were used between April 26 and July 23 2019, when our initial reporting led to the closure of the offending websites. These domains were:
my[.]secure-protonmail[.]com (April and May)
mail[.]protonmail[.]systems (June and July)
Based on an iterative technique termed “timestamp pivoting”, the cyber-threat consultancy ThreatConnect was able to identify a further 6 domains registered by the same actor group. Timestamp pivoting essentially scouts out domains that were registered in close temporal proximity to the known offending domains, on the assumption that cyber-crime actors purchase groups of domains in single transactions to minimize resources and exposure.
Timestamp-pivoting is not …
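To make the pivoting step concrete, here is an added example (my own code, not Bellingcat's or ThreatConnect's tooling) that runs an iterative timestamp pivot over a constructed registration log. The lure, shop and blog domains, the registrars and every timestamp are assumed; only the two seed names come from the article, and the registrar filter stands in for the extra checks an analyst applies before treating a temporal neighbour as related.

```python
# Added example (not from the article): a minimal timestamp-pivoting pass over a
# constructed registration log. Only the two seed names come from the article;
# the other domains, the registrars and all timestamps are made up.
from datetime import datetime

# Constructed sample of (domain, registration time UTC, registrar). Not real WHOIS data.
REGISTRATIONS = [
    ("my[.]secure-protonmail[.]com", "2019-04-02T10:14:05", "registrar-a"),  # known bad (seed)
    ("mail[.]protonmail[.]systems",  "2019-04-02T10:16:40", "registrar-a"),  # known bad (seed)
    ("lure-1[.]example",             "2019-04-02T10:15:20", "registrar-a"),
    ("lure-2[.]example",             "2019-04-02T10:21:03", "registrar-a"),
    ("lure-3[.]example",             "2019-04-02T10:25:30", "registrar-a"),  # reachable only via lure-2
    ("shop[.]example",               "2019-04-02T10:15:30", "registrar-b"),  # coincidental neighbour
    ("blog[.]example",               "2019-04-03T09:00:00", "registrar-a"),  # a day later
]
SEEDS = ["my[.]secure-protonmail[.]com", "mail[.]protonmail[.]systems"]


def timestamp_pivot(seeds, registrations, window_minutes, same_registrar=True, max_rounds=10):
    """Expand a set of known-bad domains by registration-time proximity.

    Every domain registered within `window_minutes` of a domain already in the set
    (and, by default, at the same registrar) joins the set and then becomes a pivot
    itself, so a chain of back-to-back registrations is picked up even when its far
    end lies outside the window of the original seeds. Returns the newly found domains.
    """
    parsed = {d: (datetime.fromisoformat(ts), reg) for d, ts, reg in registrations}
    found = set(seeds)
    for _ in range(max_rounds):
        new = set()
        for pivot in found:
            p_ts, p_reg = parsed[pivot]
            for cand, (c_ts, c_reg) in parsed.items():
                if cand in found or cand in new:
                    continue
                if same_registrar and c_reg != p_reg:
                    continue
                if abs((c_ts - p_ts).total_seconds()) <= window_minutes * 60:
                    new.add(cand)
        if not new:  # fixed point reached: no further pivots to follow
            break
        found |= new
    return found - set(seeds)


if __name__ == "__main__":
    print(sorted(timestamp_pivot(SEEDS, REGISTRATIONS, 5)))                        # the three lures
    print(sorted(timestamp_pivot(SEEDS, REGISTRATIONS, 5, same_registrar=False)))  # adds shop[.]example
```

Dropping the registrar filter (or widening the window) pulls in the coincidental neighbour, which is why proximity hits are leads to corroborate against naming pattern, registrant details and hosting rather than findings in themselves.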