Tainted leaks technique tied, sort of, to Russia

A recent investigative study by the Citizen Lab connects Russian actors to the practice of stealing, negatively altering and then releasing documents in an effort to damage the personal reputation of government officials, candidates and journalists in dozens of countries.

Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, tenuously ties much of this activity to various Russian intelligence agencies and the criminal cybergangs in their employ. The activity was first spotted in 2016 when journalist David Satter fell for a phishing scam that gave an unauthorized person access to his email account. Some of his emails were then selectively published, several with false information added.

The practice, called “Tainted Leaks,” has a malicious actor gain access to a target's computer, steal documents and then make strategic alterations to them to paint that person in a bad light. The altered document(s) are then publicly posted with the intent of damaging the target's reputation so badly that they may lose an election or see their work discredited.

However, the practice goes far beyond hitting a single journalist, one who criticized various Kremlin activities. Citizen Lab found 218 other people in 39 countries had been hit.

“The recent theft and disclosure of documents (branded as a “leak”) from the presidential campaign of Emmanuel Macron is the highest profile case in which it appears that falsified documents were inserted amongst real, stolen documents,” the report stated.

In an apparent effort to sway votes, the released documents had been altered to imply Macron had been involved in several questionable activities. These stories were then amplified by Twitter bots that tweeted and spread them; fortunately, Macron's campaign was able to quickly debunk the lies.

The primary targets are politicians, academics, journalists, military personnel and industry executives from a wide swath of European and Middle Eastern countries along with the United States. The one topic that connects all the victims, Citizen Lab found, is each has taken issue with Russian activities.

Those in Ukraine were hit the most, 22 percent; Russia, 11 percent; followed by Turkey, Kyrgyzstan, Georgia and the United States.

The attribution, which Citizen Lab itself admits is tenuous, was made by examining who posted the edited documents.

In Satter's case the emails were posted by CyberBerkut, described as a group of pro-Russian hacktivists. The group said it was releasing the documents to prove the U.S. was supporting a “colour revolution” in Russia, by showing Satter was paying Russian journalists and anti-corruption activists to write stories critical of the Russian government.

Even with this evidence, some technical information derived from the email phishing campaign and the fact that all the targets were, in some manner, confronting the Russian government over its actions around the world, there is no way to definitively pin these attacks on any Russian agency.

“While the order of events surrounding the phishing, credential theft, and eventual leak of tainted documents belonging to David Satter would seem to point to CyberBerkut, the characteristics of Russian information operations make the task of attribution to a state sponsor challenging,” the report said.
