Journalists investigating MH17 hacked by Russia-backed Fancy Bear hackers - ThreatConnect
Fancy Bear and CyberBerkut are not considered to be the same but researchers believe that their corresponding activities in targeting Bellingcat consistently, indicate that they may be collaborating in conducting attacks iStock

Russia may have attempted to compromise the probe into the downing of Malaysia Airlines flight MH17. Security researchers have uncovered that Russia-backed hackers Fancy Bear, hacked a group of citizen investigative journalists called Bellingcat, who are considered vital contributors to the international probe into the downing of the flight over Ukraine in 2014. Bellingcat was also found targeted by a self-styled Russian hacktivist group called CyberBerkut, which experts believe is yet another "front for Moscow".

Security researchers at cybersecurity firm ThreatConnect uncovered that Bellingcat journalists were first targeted in 2015 by an elaborate and massive spear-phishing campaign, which had distinctive and consistent similarities with Fancy Bear "tactics, techniques, and procedures". Bellingcat was again attacked in February 2016 by CyberBerkut, which saw the Bellingcat website defaced and personal information of Russia-based contributor Ruslan Leviev leaked online.

Alarmingly, ThreatConnect's analysis into Fancy Bear's activities led them to uncover suspected links between the hacker group and CyberBerkut, the online persona Guccifer 2.0, who recently rose to fame during the controversial DNC (Democratic National Committee) hack as well as the leak site DCLeaks.

Researchers said: "These efforts go above and beyond traditional intelligence requirements such as gaining insight into a sensitive project or sources. Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and embarrass those that speak ill of Moscow."

Bellingcat and MH17

Bellingcat, named after a classic Aesop's fable, uses open and publicly available information such as photos, videos and more posted online to gather information. Bellingcat's articles focus on a wide range of current events across the globe. Bellingcat has published over 90 articles in the two years since the MH17 flight crash, with around eight contributors focusing primarily on Russia's involvement in the flight's crash. The group's investigations were also incorporated by the international joint investigation team led by the Dutch.

ThreatConnet researchers said: "Compromising Bellingcat contributors could provide Russian intelligence services with journalists' contacts and sources, personal information, insight into future reporting perceived as indemnifying Russia, as well as sensitive personal information. Such collection could facilitate influence operations and retaliation efforts against Bellingcat, or access that could be leveraged for follow-on operations. Compromising Bellingcat contributors' accounts could also provide access to communications with the JIT, offering a glimpse at how the investigation of the downing of MH17 was proceeding."

Fancy Bear, CyberBerkut, Guccifer 2.0 and DCLeaks all linked?

ThreatConnect researchers analysed the various campaigns that participated in targeting Bellingcat, only to conclude that Fancy Bear, CyberBerkut, the Guccifer 2.0 persona and the DCLeaks site may all indeed be linked to each other.

Researchers said: "We have identified that there is a connection from DCLeaks to Guccifer 2.0 and from Guccifer 2.0 to Fancy Bear, the overlap in leaked documents may suggest that both leak sites obtained their data from the same collection source, Fancy Bear."

Although Fancy Bear and CyberBerkut are not considered to be the same, researchers believe that their corresponding activities in targeting Bellingcat consistently, indicates that they may be collaborating in conducting attacks.

Researchers outlined: "The concerted Fancy Bear spear phishing efforts over a six month timeframe in 2015 shows Moscow's clear intent to compromise Bellingcat, most likely due to their posts on key current events involving Russia. This activity was followed by a hard stop and then additional targeted efforts by CyberBerkut in early 2016, which was in-turn followed by additional Fancy Bear spear phishing from May to July 2016."

According to ThreatConnet, Fancy Bear and CyberBerkut are involved in coordinated attacks, "handing off operations" to each other and each focusing on a specific target; or both groups are not officially linked but working on a "common enemy" approach. "In this scenario, the spear phishing campaigns conducted by Fancy Bear are distinct in purpose and perpetrator from the CyberBerkut attack against Leviev. The spear phishing campaigns are more focused on Bellingcat's coverage of the MH17 shootdown and involvement in the JIT investigation."

Despite CyberBerkut's isolated and separate targeting of Leviev, researchers believe, that the group may still be internally linked to Moscow. CyberBerkut hacked Leviev's Russia-based Yandex email account, despite the account having come with two-factor authentication and the password having been complex and strong. Leviev himself theorised that the hackers were likely able to access his account either with the assistance of an insider working for Yandex, or via the interception of the two-factor authenticating SMS, which points to the involvement of government authorities.

"CyberBerkut targets Leviev separately after his coverage of Russian military involvement in eastern Ukraine with some assistance from supportive friends in Moscow to compromise his Yandex account. Targeting Leviev is less about a broader compromise of Bellingcat and more about harassing one journalist. In this scenario, CyberBerkut is advancing Moscow's interests and can call on the Russian intelligence services, but is still a distinct group," the researchers said.

The recent findings from the MH17 probe have shed the spotlight on Russia, which has already been under fire from US authorities following the DNC hack.

The researchers said: "The campaign against Bellingcat provides yet another example of sustained targeting against an organisation that shines a light on Russian perfidy. The spearphishing campaign is classic Fancy Bear activity while CyberBerkut's role raises yet more questions about the group's ties to Moscow. These end-to-end cyber operations begin with targeting and exploitation and end with strategic leaks and other active measures employed against those with whom they disagree."