Investigative news site Bellingcat has confirmed several of its staff were targeted by an attempted phishing attack on their Protonmail accounts, which the journalists and the email provider say failed.
“Yet again, Bellingcat finds itself targeted by cyber attacks, almost certainly linked to our work on Russia,” wrote Eliot Higgins, founder of the investigative news site in a tweet. “I guess one way to measure our impact is how frequently agents of the Russian Federation try to attack it, be it their hackers, trolls, or media.”
News emerged that a small number of Protonmail email accounts were targeted during the week — several of which belonged to Bellingcat’s researchers who work on projects relating to activities by the Russian government. A phishing email purportedly from Protonmail itself asked users to change their email account passwords or generate new encryption keys on a similarly named domain set up by the attackers. Records show the fake site was registered anonymously, according to an analysis by security researchers.
In a statement, Protonmail said the phishing attacks “did not succeed” and denied that its systems or user accounts had been hacked or compromised.
“The most practical way to obtain email data from a ProtonMail user’s inbox is by compromising the user, as opposed to trying to compromise the service itself,” said Protonmail’s chief executive Andy Yen. “For this reason, the attackers opted for a phishing campaign that targeted the journalists directly.”
Yen said the attackers tried to exploited an unpatched flaw in third-party software used by Protonmail, which has yet to be fixed or disclosed by the software maker.
“This vulnerability, however, is not widely known and indicates a higher level of sophistication on the part of the attackers,” said Yen.
It’s not known conclusively who was behind the attack. However, both Bellingcat and Protonmail said they believe certain tactics and indicators of the attack — and the fact that the targets were Bellingcat’s researchers working on the ongoing investigation into the downing of flight MH17 by Russian forces and the release of nerve agent in the U.K. — may point to hackers associated with the Russian government.
Higgins said in a tweet that this week’s attempted attack likely targeted a number of people “in the tens” unlike earlier attacks attributed to the Russian government-backed hacker group, known as APT 28 or Fancy Bear.
Bellingcat in the past year has gained critical acclaim for its investigations into the Russian government, uncovering the names of the alleged Russian operatives behind the suspected missile attack that blew up Malaysian airliner MH17 in 2014. The research team also discovered the names of the Russian operatives who were since accused of poisoning former Russian intelligence agent Sergei Skripal and his daughter Yulia in a nerve agent attack in Salisbury, U.K. in 2018.
The researchers use open-source intelligence and information gathering where police, law enforcement and intelligence agencies often fail.
It’s not the first time that hackers have targeted Bellingcat. Its researchers were targeted several times in 2016 and 2017 following the breach on the Democratic National Committee which saw thousands of internal emails stolen and published online.
A phone call to the Russian consulate in New York requesting comment was not returned.