I am pleased to announce a new Citizen Lab report, entitled “Tainted Leaks: Disinformation and Phishing With a Russian Nexus.” The report is authored by the Citizen Lab’s Adam Hulcoop, John Scott-Railton, Peter Tanchak, Matt Brooks, and myself, and can be found here.
Our report uncovers a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society. Those targets include a large list of high profile individuals from at least 39 countries (including members of 28 governments), as well as the United Nations and NATO. Although there are many government, military, and industry targets, our report provides further evidence of the often-overlooked targeting of civil society in cyber espionage campaigns. Civil society — including journalists, academics, opposition figures, and activists — comprise the second largest group (21%) of targets, after government.
Other notable targets include:
- A former Russian prime minister
- A former U.S. Deputy Under Secretary of Defense and a former senior director of the U.S. National Security Council
- The Austrian ambassador to a Nordic country and the former ambassador to Canada for a Eurasian country
- Senior members of the oil, gas, mining, and finance industries of the former Soviet states
- United Nations officials
- Military personnel from Albania, Armenia, Azerbaijan, Georgia, Greece, Latvia, Montenegro, Mozambique, Pakistan, Saudi Arabia, Sweden, Turkey, Ukraine, and the United States, as well as NATO officials
- Politicians, public servants and government officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam
While we have no “smoking gun” that provides definitive proof linking what we discovered to a particular government agency (a common challenge in open source investigations like ours) our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyber espionage. This overlap includes technical details associated with the successful breach in 2016 of the email account of John Podesta, the former chairman of Hillary Clinton’s unsuccessful presidential campaign.
As is often the case with Citizen Lab research on targeted threats, our report began with a “patient zero” — in this case, the prominent journalist, David Satter. Satter is a well-known author on Russian autocracy. He was banned from Russia in 2013 for his investigative reporting on corruption and abuse of power associated with the Putin regime. In October 2016, Satter’s Gmail account was successfully phished. Documents stolen from his account then appeared on the website of CyberBerkut, a self-described pro-Russian hacktivist group. Using the genuine documents obtained with Satter’s consent, our report details the disinformation campaign that was orchestrated around his stolen emails to give the false impression that Satter was part of a CIA-backed plot to discredit Putin and his adversaries and engineer a “colour revolution.” The disinformation was also aimed at providing a false association between Satter, western NGOs, and prominent Russian opposition figures, most notably the prominent Russian anti-corruption activist, Alexei Navalny.
A very detailed technical analysis of the infrastructure and methods used in the phishing attack on Satter, led by Citizen Lab’s Adam Hulcoop, then allowed us to unravel and ultimately identify a much larger group of over 200 individuals across 39 countries targeted by the same operators. Not since our Tracking Ghostnet report in 2009 do I recall us discovering such an extensive list of high-profile targets of a single cyber espionage campaign.
Why target civil society? For many powerful elites, a vibrant civil society is the antithesis to their corrupt aims. In the case of Russia, the motivations behind cyber espionage are as much about securing Putin’s kleptocracy as they are geopolitical competition. It often matters just as much for the Kremlin to know what critical exposé is going to be published on Putin’s inner circle, or what demonstration is going to be organized in the streets of St. Petersburg, as it does what happens in corporate boardrooms or government headquarters abroad. This means journalists, activists, and opposition figures — both domestically and around the world — bear a large burden of the spying.
Our report also offers a detailed glimpse of the new frontier of digital disinformation. Tainted leaks, such as those analyzed in our report, present complex challenges to the public. Fake information scattered amongst genuine materials — “falsehoods in a forest of facts” as Citizen Lab’s John Scott-Railton referred to them — is very difficult to distinguish and counter, especially when it is presented as a salacious “leak” integrated with what otherwise would be private information.
Russia has a long history of experience with what is known as dezinformatsiya, going back even to Soviet times. The prospect of a country with its superpower resources engaging in systematic “tainted leak” operations generated with data stolen by affiliated cyber criminal “proxy” groups is daunting. Even more daunting is the prospect that the model of its success will breed similar campaigns undertaken by other governments. To the extent it is both cheap and effective, and provides plausible deniability when outsourced to the shady underworld, it will almost certainly inspire other governments to follow suit.
With digital insecurity and data breaches now a pervasive and growing problem, it is highly likely digital disinformation operations are going to become widespread. Indeed, we could be on the cusp of a new era of superpower-enabled, digital disinformation. The public’s faith in media (which is already very low), and the ability of civil society to do its job effectively, will both invariably suffer as collateral damage.
Our hope is that in studying closely and publishing the details of such tainted leak operations, our report will help us better understand how to recognize and mitigate them. We also hope that in highlighting the large number of civil society members targeted in yet another cyber espionage campaign, the “silent epidemic” can be properly addressed by policymakers, industry, and others.
One final note concerning notification: we chose not to identify targeted or victimized individuals without their consent in order to protect their privacy. Instead, we have notified the email service provider and relevant Computer Emergency Response Teams.