Recent Phishing Attack on ProtonMail Accounts of Bellingcat Journalists Linked to Russia

by Scott Ikeda

Investigative news outlet Bellingcat has focused much of its eight years of work on high-level government controversies and cover-ups, particularly on issues in Russia in the past two years. It would appear that someone in the country has taken an interest in them. The ProtonMail email accounts of several Bellingcat journalists were targeted by a phishing campaign, which was ultimately not successful but provided leads that indicate Russian hacking groups backed by the government were involved.

Penetrating ProtonMail

ProtonMail is a web-based email service that offers end-to-end encryption as standard and has a free basic tier. Based in Switzerland, the service is outside the jurisdiction of the EU and is popular with journalists working on sensitive stories and communicating with anonymous sources.

Given that ProtonMail was designed to be the ultimate in privacy and security, hackers generally look to phish individual users rather than attack the system. That was the case here, as in late July the journalists in question received a false breach notice purporting to be from the ProtonMail team. The notice claimed that encryption keys had been compromised and would need to be replaced.

The phishing attack was somewhat sophisticated in that it used a spoofed return address, making the message appear to come from a legitimate ProtonMail staff account. The email also contained links to a fake ProtonMail site registered by the attackers that attempted to deliver some sort of malware via JavaScript. ProtonMail has measures in place to automatically detect and filter these sorts of attacks, but chief executive Andy Yen revealed that the hackers exploited a vulnerability in a third-party system that was not previously known to the public.

However, the English used in the phishing attack email was awkward and the manner of the notification was unusual, likely tipping recipients off that something was wrong.

Links to Russia found in the Bellingcat phishing attack

Security researchers at ThreatConnect investigating the attack noted that the hackers registered their spoofed infrastructure with Njalla, a reseller based in the Caribbean that the notorious Russian state-sponsored group Fancy Bear (aka APT28) has been known to use in the past in similar attacks.

Bellingcat confirmed that the attacks were focused on several researchers working on stories covering the downing of flight MH17 and the poisoning of Sergei and Yulia Skripal on UK soil. The Bellingcat reporters were the ones who broke key details of each of these stories, such as the names of the Russian operatives believed to be behind the MH17 attack and the Skripal poisoning.

In addition to the MH17 and Skripal stories, Bellingcat has outed members of Russia’s GRU intelligence agency who are active in other countries. The media outlet has also reported on covert Russian activity in Venezuela, the Kerch Strait incident involving Russia and Ukraine, and the FSB’s techniques for obtaining travel visas.

Eliot Higgins, founder of Bellingcat, had this to say in a tweet: “Yet again, Bellingcat finds itself targeted by cyber attacks, almost certainly linked to our work on Russia … I guess one way to measure our impact is how frequently agents of the Russian Federation try to attack it, be it their hackers, trolls, or media.”

Though the identity of the perpetrator is still not 100% clear, this would not be the first time Fancy Bear has targeted Bellingcat. The group attempted an initial phishing attack in 2015, and a hack and defacement of their website in 2016 was caused by related Russian attack group CyberBerkut.

Lessons from ProtonMail’s phishing defenses

When these phishing stories hit the news, it’s usually about a security failure leading to some sort of noteworthy breach. This is a rare case in which the target successfully and completely defended themselves from a nation-state APT group.

The first factor is that a relatively small number of people at Bellingcat were targeted, and they were aware of and prepared for a phishing attack. The phishing email has a number of signs that should give anyone who is expecting phishing attempts pause – the rather abrupt subject field, the ungrammatical English, the odd paragraph formatting and the instruction to follow specific links within the email to enter personal information. If an employee knows the company may be phished and knows what spoofing is, these things should cause the email to register as suspect even though it appears to come from a legitimate address.

ProtonMail also has a specific security feature that is extremely difficult to replicate, and was not duplicated by the attackers – if a message is sent from a ProtonMail server to a customer, it is automatically marked with a yellow star. The absence of that star should have immediately removed any doubt left in the recipient’s mind that this was a phishing attack.

ProtonMail has a similar intra-network feature that would be useful to any organization. A purple lock symbol appears next to anything sent by another member of the organization, telling users at a glance that the message is not spoofed.

ProtonMail accounts also incorporate link verification, a common email feature that is sometimes turned off by default and that users are often unaware of. Link verification simply causes a confirmation window to pop up that displays the URL when a link is tapped, giving you a chance to see exactly where you are going and confirm before the link is followed.

Fortunately, none of these security measures is unique to ProtonMail. This functionality can be replicated (and even expanded) by any organization by implementing DMARC in its inbound email screening. DMARC is a common protocol in use since 2007 that logs information about email senders and checks inbound emails against that information to determine how likely each one is to be a phishing attack.
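The core of what DMARC adds to inbound screening is an identifier-alignment check: the domain the recipient sees in the From header must match the domain that SPF or DKIM actually authenticated, and the domain owner's published policy says what to do on failure. The following is an added illustration of that check, not ProtonMail's code; all domains are constructed, and the organizational-domain lookup is simplified to the last two labels instead of a Public Suffix List query.

```python
"""DMARC identifier-alignment check (added example; constructed domains)."""
import re
from dataclasses import dataclass

def from_domain_of(from_header: str) -> str:
    """Domain of the address in an RFC 5322 From header, e.g.
    '"Support" <support@example.com>' -> 'example.com'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower() if m else ""

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no PSL lookup).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain. An empty auth_domain means that mechanism
    (SPF or DKIM) did not pass at all, so it cannot align."""
    if not header_domain or not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record like 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    for key, default in (("p", "none"), ("adkim", "r"), ("aspf", "r")):
        tags.setdefault(key, default)
    return tags

@dataclass
class AuthResult:
    from_header: str  # what the recipient sees in the mail client
    spf_domain: str   # MAIL FROM domain that passed SPF, '' if none
    dkim_domain: str  # d= of a DKIM signature that verified, '' if none

def dmarc_verdict(msg: AuthResult, record: str) -> str:
    """Return 'pass', or 'fail:<policy>' telling the receiver what to do."""
    tags = parse_dmarc(record)
    fd = from_domain_of(msg.from_header)
    if aligned(fd, msg.spf_domain, tags["aspf"]) or aligned(fd, msg.dkim_domain, tags["adkim"]):
        return "pass"
    return "fail:" + tags["p"]

# Constructed samples: a spoofed "breach notice" whose envelope sender is the
# attacker's own domain (so plain SPF passes), and a genuine staff message.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
SPOOFED = AuthResult('"Security Team" <security@example.com>', "bounce.attacker-example.net", "")
GENUINE = AuthResult('"Security Team" <security@example.com>', "mail.example.com", "example.com")
```

The spoofed sample passes SPF for the attacker's own envelope domain yet fails DMARC because nothing aligns with the visible From domain, which is exactly the gap a spoofed return address exploits.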

Finally, ProtonMail took an important step in the wake of the phishing attack that all companies receiving phishing emails would ideally take. They reported the attack to relevant authorities and monitoring organizations, which leads to the domains used in the attack being suspended and blacklisted.