Bellingcat vs Fancy Bear: how hackers tried to halt the MH17 investigation

Bellingcat, the investigative citizen journalist organisation that was a key contributor to the MH17 investigation, was repeatedly targeted by two hacking groups thought to be sponsored by the Russian state.

MH17 was a Malaysian Airlines flight from Amsterdam to Kuala Lumpur that was shot down over Ukraine in 2014. A Dutch-led investigation this week determined that the missile that brought down the aircraft was Russian-made.

Researchers at Bellingcat analysed images and documents to produce articles and reports on their findings that largely pointed to Russian involvement in the incident.

Fancy Bears go phishing

During the course of Bellingcat's own investigation, in early 2015, Bellingcat founder Eliot Higgins began to receive phishing emails purporting to be from Google. Speaking to IT Pro, Higgins said that initially he ignored them.

"I had thought it was just a general scam trying to get my credit card details," Higgins said. "But then I was reading one of the ThreatConnect articles on the DCLeaks and they gave an example that looked a lot like the emails I had received."

He then spoke to other members of Bellingcat to see if they had received similar emails and found two of them had.

"A lot of [the emails] were worded exactly the same, with the same spelling mistakes and the URLs they were using in the links were the same. So then it started becoming clearer that this looked like an orchestrated campaign, rather than just random phishing emails, and that's when I contacted ThreatConnect and passed them all the details," Higgins said.

Analysis by ThreatConnect revealed the method of attack, using specially crafted URLs with target-specific strings, is consistent with that used by Fancy Bear, a hacking collective with links to Russia that is also thought to have been behind the Democratic National Committee hacks.

Contributor account cracked

Higgins said that, thankfully, neither he nor any of the other investigative journalists of Bellingcat targeted clicked on the links in the phishing emails, so this attempt to derail the investigation was unsuccessful.

However, the account of another Bellingcat contributor and Russian opposition blogger, Ruslan Leviev, was successfully cracked in February by another organisation with alleged links to the Kremlin, CyberBerkut. These credentials were then used to post a message criticising both Leviev individually and Bellingcat as a whole, although this was soon rectified.

In a written statement, Leviev said: "My old email account, which was located on Yandex servers, was hacked. The email account had a long, difficult password - not a word - from various letters, numbers and special symbols. Plus there was a telephone number bound to the account for second factor authentication. Exactly how I was hacked - I don't know."

Using the hacked email, the attackers were able to successfully hack into his LiveJournal account, where they also posted a message, and access his Bellingcat email and password. They also tried, unsuccessfully, to hack into his Facebook account, but did manage to briefly gain access to his Twitter, despite it using SMS-based two-factor authentication as well.

"Based on all the data, I assume that ... this was the activity of security services who intercepted the SMS containing the access code. So they got access to my old email account and they also gained access to my Twitter account (which was also under two-factor, but code is sent via SMS rather than generated in an app).

"Of my social networks where two-factor codes are generated via an application, they were unable to crack. Of my social networks where the two-factor code was sent via SMS, they were able to crack."

Fending off attackers

While there is no way for people to prevent themselves from being targeted, both Higgins and ThreatConnect advise people to be "very aware" of phishing attempts what they look like and how to deal with them and to turn on two-factor authentication for all their online accounts.

In a statement, ThreatConnect said: "The campaign against Bellingcat provides yet another example of sustained targeting against an organisation that shines a light on Russian perfidy. The spearphishing campaign is classic FANCY BEAR activity while CyberBerkut's role raises yet more questions about the group's ties to Moscow."

"Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and embarrass those that speak ill of Moscow," the company continued. "The BEARs win if their active measures campaigns push, scare, or intimidate their targets into doing what they want. If you encounter a BEAR, you're doing something right. Don't back down."

ThreatConnect's analysis can be read in full here.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.