IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Bellingcat vs Fancy Bear: how hackers tried to halt the MH17 investigation

Citizen journalist shares how Russian hackers targeted Bellingcat with phishing attempts

Bellingcat, the investigative citizen journalist organisation that was a key contributor to the MH17 investigation, was repeatedly targeted by two hacking groups thought to be sponsored by the Russian state.

MH17 was a Malaysian Airlines flight from Amsterdam to Kuala Lumpur that was shot down over Ukraine in 2014. A Dutch-led investigation this week determined that the missile that brought down the aircraft was Russian-made.

Researchers at Bellingcat analysed images and documents to produce articles and reports on their findings that largely pointed to Russian involvement in the incident.

Fancy Bears go phishing

During the course of Bellingcat's own investigation, in early 2015, Bellingcat founder Eliot Higgins began to receive phishing emails purporting to be from Google. Speaking to IT Pro, Higgins said that initially he ignored them.

"I had thought it was just a general scam trying to get my credit card details," Higgins said. "But then I was reading one of the ThreatConnect articles on the DCLeaks and they gave an example that looked a lot like the emails I had received."

He then spoke to other members of Bellingcat to see if they had received similar emails and found two of them had.

"A lot of [the emails] were worded exactly the same, with the same spelling mistakes and the URLs they were using in the links were the same. So then it started becoming clearer that this looked like an orchestrated campaign, rather than just random phishing emails, and that's when I contacted ThreatConnect and passed them all the details," Higgins said.

Analysis by ThreatConnect revealed the method of attack, using specially crafted URLs with target-specific strings, is consistent with that used by Fancy Bear, a hacking collective with links to Russia that is also thought to have been behind the Democratic National Committee hacks.

Contributor account cracked

Higgins said that, thankfully, neither he nor any of the other investigative journalists of Bellingcat targeted clicked on the links in the phishing emails, so this attempt to derail the investigation was unsuccessful.

However, the account of another Bellingcat contributor and Russian opposition blogger, Ruslan Leviev, was successfully cracked  in February by another organisation with alleged links to the Kremlin, CyberBerkut. These credentials were then used to post a message criticising both Leviev individually and Bellingcat as a whole, although this was soon rectified.

In a written statement, Leviev said: "My old email account, which was located on Yandex servers, was hacked. The email account had a long, difficult password - not a word - from various letters, numbers and special symbols. Plus there was a telephone number bound to the account for second factor authentication. Exactly how I was hacked - I don't know."

Using the hacked email, the attackers were able to successfully hack into his LiveJournal account, where they also posted a message, and access his Bellingcat email and password. They also tried, unsuccessfully, to hack into his Facebook account, but did manage to briefly gain access to his Twitter, despite it using SMS-based two-factor authentication as well.

"Based on all the data, I assume that ... this was the activity of security services who intercepted the SMS containing the access code. So they got access to my old email account and they also gained access to my Twitter account (which was also under two-factor, but code is sent via SMS rather than generated in an app).

"Of my social networks where two-factor codes are generated via an application, they were unable to crack. Of my social networks where the two-factor code was sent via SMS, they were able to crack."

Fending off attackers

While there is no way for people to prevent themselves from being targeted, both Higgins and ThreatConnect advise people to be "very aware" of phishing attempts what they look like and how to deal with them and to turn on two-factor authentication for all their online accounts.

In a statement, ThreatConnect said: "The campaign against Bellingcat provides yet another example of sustained targeting against an organisation that shines a light on Russian perfidy. The spearphishing campaign is classic FANCY BEAR activity while CyberBerkut's role raises yet more questions about the group's ties to Moscow."

"Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and embarrass those that speak ill of Moscow," the company continued. "The BEARs win if their active measures campaigns push, scare, or intimidate their targets into doing what they want. If you encounter a BEAR, you're doing something right. Don't back down."

ThreatConnect's analysis can be read in full here.

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
Larger monitors aren't all they're cracked up to be

Larger monitors aren't all they're cracked up to be

3 Dec 2022
Microsoft: Russia increasingly timing cyber attacks with missile strikes in Ukraine
cyber warfare

Microsoft: Russia increasingly timing cyber attacks with missile strikes in Ukraine

5 Dec 2022