**threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/** ThreatConnect Research Team 9/28/2016 ## ThreatConnect reviews activity targeting Bellingcat, a key contributor in the MH17 investigation. _Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic_ _[National Committee”, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man,](https://www.threatconnect.com/guccifer-2-0-dnc-breach/)_ _[the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia](https://www.threatconnect.com/guccifer-2-all-roads-lead-russia/)_ _[“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch](https://www.threatconnect.com/fancy-bear-it-itch-they-cant-scratch/)_ _“,_ _[“Does a BEAR Leak in the Woods?“, and “Russian Cyber Operations on Steroids“.](https://www.threatconnect.com/blog/does-a-bear-leak-in-the-woods/)_ ##### [UPDATE] October 7th 2016 Introduction [Since posting about the DNC hack, each time we published a blog post on a BEAR-based topic we thought it was going to be](https://threatconnect.com/blog/tapping-into-democratic-national-committee/) our last. But like the Death Star’s gravitational pull, the story keeps drawing us back in as new information comes to light. [Following our post on DCLeaks as a Russian influence operation](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/) [, Bellingcat founder Eliot Higgins reached out to us. Bellingcat,](https://www.bellingcat.com/) a group of citizen investigative journalists, has published articles critical of Russia and has been a key contributor to the [international investigation of the shootdown of Malaysian Airlines Flight 17 (MH17) over Ukraine in 2014.](https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17) Higgins shared data with ThreatConnect that indicates Bellingcat has come under sustained targeting by Russian threat actors, which allowed us to identify a 2015 spearphishing campaign that is consistent with FANCY BEAR’s tactics, techniques, and procedures. We also analyzed a February 2016 attack by CyberBerkut — a group claiming to be pro-Russian Ukrainian [hacktivists but also a suspected front for Moscow — against Russia-based Bellingcat contributor Ruslan Leviev, where](https://twitter.com/RuslanLeviev) CyberBerkut defaced the Bellingcat website and leaked Leviev’s personal details. As evidenced by these efforts and the attack on the World Anti-Doping Agency, organizations that negatively impact Russia’s image can expect Russian cyber operations [intended to retaliate publicly or privately, influence, or otherwise maliciously affect them. The Diamond Model below](http://www.activeresponse.org/the-diamond-model/) summarizes the activity that Bellingcat experienced. ----- ##### Bellingcat Background Bellingcat is a group of citizen investigative journalists — [named after a classic fable — that uses open source information,](https://en.wikipedia.org/wiki/Belling_the_cat) such as photos and videos posted on social media, maps, and publicly available satellite imagery. Bellingcat articles have focused on a variety of current events in Africa, the Middle East, the U.S., and Europe with a specific focus on notable conflicts related to Syria, Ukraine, and Russia. Bellingcat published its first post on July 5, 2014, and for the next twelve days focused mainly on the ongoing Syrian civil war, covering developments such as the use of chemical weapons, but also occasionally pointing out Russian involvement. On July 17, 2014, Malaysian Airlines Flight 17 crashed in pro-Russian rebel territory in eastern Ukraine and Bellingcat released their [first post on the topic. Over the next two years, Bellingcat would publish no fewer than 92 posts from at least 8](https://www.bellingcat.com/resources/case-studies/2014/07/17/geolocating-the-missile-launcher-linked-to-the-downing-of-mh17/) [contributors](https://www.bellingcat.com/contributors/) focused on Russian involvement in the downing of MH17, using open source information and imagery to prove the presence of the Russian military in eastern Ukraine and that a Russian-supplied Buk missile launcher shot down MH17 from pro-Russian rebel territory. The Kremlin vehemently denies this. [The Dutch took the lead in the criminal investigation through an international Joint Investigation Team (JIT)](https://www.om.nl/onderwerpen/mh17-crash/) and officially considered Bellingcat’s reporting in their investigation. Founder Eliot Higgins was included as an official witness. The Dutch [Safety Board ultimately found MH17 was shot down by a Russian-made surface-to-air missile but declined to assign blame for](https://www.washingtonpost.com/news/worldviews/wp/2015/10/13/a-dutch-report-will-say-what-downed-mh17-it-wont-blame-the-russians/) [who was responsible for the launch. On September 28, the JIT is due to release the results of their criminal investigation.](http://www.nltimes.nl/2016/08/22/mh17-dutch-criminal-investigation-results-ready-sept-28/) Compromising Bellingcat contributors could provide Russian intelligence services with journalists’ contacts and sources, personal information, insight into future reporting perceived as indemnifying Russia, as well as sensitive personal information. Such collection could facilitate influence operations and retaliation efforts against Bellingcat, or access that could be leveraged for follow-on operations. Compromising Bellingcat contributors’ accounts could also provide access to communications with the JIT offering a glimpse at how the investigation of the downing of MH17 was proceeding ----- _Timeline_ The timeline below summarizes the notable dates related to the MH17 crash and investigation, Bellingcat’s articles related to those events, and the malicious activity targeting Bellingcat and Leviev. It’s important to note we do not have complete insight into all of the malicious activity that may have targeted Bellingcat during this timeframe. _FANCY BEAR_ From February 2015 to July 2016 three researchers at Bellingcat — Higgins, Aric Toler, and Veli-Peka Kivimaki — who had contributed MH17 articles received numerous spearphishing emails, with Higgins alone receiving at least 16 phishing emails targeting his personal email account. A majority of the campaign took place from February to September 2015, with some activity resuming in May 2016. These spearphishing attempts consist of a variety of spoofed Gmail security notices alerting the target that suspicious activity was detected on their account. The target is prompted to click a URL resembling a legitimate Gmail security link to review the details of this suspicious activity. Below are screenshots of some of the spearphishing email targeting Bellingcat researchers. ----- ----- ----- The attackers used several methods to redirect the target to credential harvesting pages. In at least 21 of the emails, the URL redirects the victim to a shortened Bitly URL. These shortened Bitly links, in turn, direct the victim to another Google-spoofing [URL appended with the base64 encoded target email and name. One of the emails used a shortened TINYCC URL to achieve](https://en.wikipedia.org/wiki/Base64) the same effect. In four of the other emails, the security links direct the target to a Google Sites page that spoofs a Google login page. Once the target visits the Bitly, TINYCC, or Google Sites URLs, they are prompted to enter their Google credentials, which would then be captured by the threat actors. The specifically crafted URLs with target-specific strings are consistent with a FANCY BEAR technique highlighted in Dell [Secureworks research and employed against a DNC staffer whose files were leaked on DCLeaks. Reviewing the click](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/) information for the Bitly links, we identified that at least three of the Bitly URLs targeting the same Bellingcat individual were accessed in the timeframe consistent with the spearphishing attack. This suggests the individual clicked on the links in three of the spearphishing messages, but Bellingcat confirms that no credentials were supplied to these pages. ----- Other consistencies with Russia and FANCY BEAR activity were also identified. In early May and again in mid-June 2016 the Bellingcat contributor Aric Toler’s personal email address was targeted by FANCY BEAR. Using ThreatConnect’s Email Import function, we are able to identify that both messages abused Moscow-based Yandex email services to send malicious emails to the researcher. In the May phishing example FANCY BEAR used the Yandex account berg01berg01@yandex[.]com. In the June 2016 example, Toler was targeted with a message that used hellomail1@yandex[.]com in a [manner consistent with](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/) h Bill Ri h t t t d i t t t f hi l G il b i t d t DCL k ----- By analyzing the email headers provided by Bellingcat, we identified domains and corresponding IP addresses that the attackers leveraged as part of the spearphishing operation. The table below also shows the registrant for the domain, the creation date for the WHOIS record, and the name server the domain used during the attack timeframe. **Spearphishing Domain** **Mailserver IP** **Domain Registrant** **Domain Create Date** **Name Server During Attack** **Domain** **Create** **Name Server During** **Spearphishing Domain** **Mailserver IP** **Domain Registrant** **Date** **Attack** mxx.evrosatory[.]com 46.22.208.204 andre_roy@mail.com 2/13/14 Carbon2u.com accounts.servicegoogle[.]com 155.254.36.155 theforeignnews@gmail.com 5/22/15 Cata501836.earth.orderboxdns.com mxx.us-westmailundeliversystem[.]com 46.22.208.204 andre_roy@mail.com 2/28/14 Carbon2u.com mx1.servicetransfermail[.]com 95.153.32.53 theforeignnews@gmail.com 6/3/15 Cata501836.earth.orderboxdns.com accounts.google.com.rnil[.]am 198.105.122.187 Private 7/7/14 Carbon2u.com mx6.set132[.]com 198.105.122.187 emmer.brown@mail.com 9/30/14 Carbon2u.com server.mx4.set132[.]com 46.22.208.204 emmer.brown@mail.com 9/30/14 Carbon2u.com ----- [infrastructure that German Intelligence (BvF) established as FANCY BEAR within Cyber Brief Nr. 01/2016.](https://www.verfassungsschutz.de/download/broschuere-2016-03-bfv-cyber-brief-2016-01.pdf) [FANCY BEAR also previously used both the Cata501836 and Carbon2u name servers to host infrastructure and email](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/) [addresses from 1&1’s mail.com to register domains. We were able to identify further overlaps with other FANCY BEAR](https://threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/) infrastructure by pivoting off of these indicators, which we will describe in a later blog post. Based on these consistencies, we assess FANCY BEAR almost certainly is behind the spearphishing and credential harvesting campaign targeting Eliot Higgins and other Bellingcat researchers. _CyberBerkut Activity_ [CyberBerkut describes itself as a group of pro-Russian Ukrainian hacktivists. They borrow the “ Berkut” name from the now](https://en.wikipedia.org/wiki/Berkut_(special_police_force)) [disbanded Ukrainian riot police who responded brutally to the 2014 EuroMaidan demonstrations in Kiev. CyberBerkut runs a](https://www.netflix.com/title/80031666) [digitally-fueled, aggressive, active measures campaign directed against a pro-western government in Kiev and points of](https://en.wikipedia.org/wiki/Active_measures) western influence — such as NATO — in eastern Europe. CyberBerkut has conducted attacks across a spectrum of technical sophistication including distributed denial of service attacks [(DDOS), disrupting and degrading the networks of Ukraine’s Central Election Commission during the 2014 election, hacking](https://ccdcoe.org/sites/default/files/multimedia/pdf/CyberWarinPerspective_full_book.pdf) Ukrainian billboards and displaying pro-Russian messages, conducting computer network exploitation and strategic leaks of [emails and documents, and leaking intercepted phone calls between high ranking Ukrainian officials. This range suggests](https://www.youtube.com/watch?v=Wkicw3EolCg) highly capable actors are behind CyberBerkut and they employ a high degree of operational planning when considering the offensive use of information and their effects. [CyberBerkut defaced the Bellingcat webpage on February 10, 2016, claiming credit for the attack and singling out Ruslan](https://twitter.com/bellingcat/status/697334674029412353) Leviev, a Russian opposition blogger and Bellingcat contributor. [Leviev published a compelling piece of citizen journalism on May 22, 2015 exploring the fate of Russian Spetsnaz soldiers](https://www.bellingcat.com/news/uk-and-europe/2015/05/22/three-graves/) believed to have been killed in combat operations within Ukraine earlier that month. According to Bellingcat founder Higgins, L i ’ t ib t t i d d d t t th C b B k t I il i t i L i ----- _y_ _,_ _y_ _,_ _,_ _g,_ _password, not a word, from various letters, numbers, and special symbols. Plus there was a telephone number bound to the_ _account for second factor authentication._ _Exactly how it was hacked — I don’t know._ 1. _Either they as employees, or with their active assistance, intercepted the SMS authentication code._ 2. _Or they, again, as an officer from the authorities or with their active assistance, gained direct access to the Yandex Mail_ _servers where they seized the email from my old inbox._ 3. _Or they know about a vulnerability in Yandex email that nearly nobody else knows about._ _Having seized the old email inbox, they used the password recovery mechanism for LiveJournal. My LiveJournal account (which_ _I have not used for a long time) was connected to my old email address, but LiveJournal does not provide second factor_ _authentication. Via password recovery of my LiveJournal from my stolen email, they took over my LiveJournal account and_ _made a post._ _In the same stolen email account, they found my username and password for my account at Bellingcat (I had once published an_ _investigation directly on the Bellingcat website) and they published a post there in my name._ _At the same time, my icloud account was not setup for second factor authentication, and was connected only to my old email_ _address for password recovery, it was also taken over. They performed a password recovery via my stolen email address for_ _icloud, logged in, but I received a notification on my iPhone about it, and I quickly cut off their access, but they were able to_ _download some photos._ _They also tried to hack my Facebook and Twitter. They were unable to crack Facebook, because I had second factor_ _authentication and always need to enter the code generated by the Facebook app. They were able to login to Twitter and_ _change the password but nothing was deleted and they didn’t tweet anything. I restored the password._ _Based on all the data, I assume that, as in the case of Alburovym, Kozlovsky, Parkhomenko, this was the activity of security_ _services who intercepted the SMS containing the access code. So they got access to my old email account and they also_ _gained access to my Twitter account (which was also under two-factor, but code is sent via SMS rather than generated in an_ _app)._ _Of my social networks where two-factor codes are generated via an application, they were unable to crack. Of my social_ _networks where the two-factor code was sent via SMS, they were able to crack._ Leviev suggests the attackers had direct access to Yandex mail servers or were able to intercept the SMS message used for two factor authentication to compromise his old Yandex email account. Leviev goes on to describe that the actors then used emails from that old account to compromise his iCloud account and access pictures and other information saved from Leviev’s phone to iCloud. Some of this information was ultimately put in a February 24, 2016 post on CyberBerkut’s website that contained sensitive details of Leviev’s personal life, such as his pictures, phone number, address, passport scan, girlfriend’s name, and dating and sexual preferences. These attacks were an overt attempt to discredit Bellingcat research and Leviev, but also carried a message to others who publicly voice positions critical of Moscow that this form of journalism does not go unnoticed. We also found it interesting how much effort was expended and the degree of sources and methods exposed to achieve a simple defacement. We do not know whether the attackers intercepted Leviev’s SMS-based two-factor authentication or had direct access to Yandex mail servers, but either tactic is more suggestive of a state-backed actor as opposed to independent hacktivists. ##### CyberBerkut and FANCY BEAR: Not the Same, But Showing Up to the Same Party Throughout our research, we have focused on FANCY BEAR, an advanced persistent threat (APT) group assessed to be Russian government. CyberBerkut, on the other hand, was a referential data point when we looked at precedence for pro[Russian proxies interfering with elections. CrowdStrike assessed in its 2015 Global Threat Report “there are indications that](https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf) CyberBerkut has ties to Russian state security,” but the degree of Russian government control over the group is disputed. ----- concerted FANCY BEAR spearphishing efforts over a six month timeframe in 2015 shows Moscow s clear intent to compromise Bellingcat, most likely due to their posts on key current events involving Russia. This activity was followed by a hard stop and then additional targeted efforts by CyberBerkut in early 2016, which was in-turn followed by additional FANCY BEAR spearphishing from May to July 2016. A key assumption underlying any assessment about how these activities are related stems from how an analyst assesses the motives for targeting Leviev. We came up with two scenarios: _Stronger/Closer Coordination Between FANCY BEAR and CyberBerkut. In this scenario, the activities against Bellingcat are_ coordinated with these two entities handing off operations. The timing suggests that the state actors, looking to compromise Bellingcat, pivoted to a more aggressive attack against Leviev when the initial spearphishing campaign failed to yield the desired results. Leviev is targeted more aggressively as a means to get at Bellingcat and since he lives in Russia, state actors would have additional tools in their kit to intercept his SMS two-factor authentication messages or gain direct access to Yandex’s mail servers. In this scenario, CyberBerkut functions as much as a strategic messaging outlet as the actual attacker and is subject to a much greater degree of direction and control from Moscow than previously assessed. _The Common Enemies Approach: Weaker/Less Coordination Between FANCY BEAR and CyberBerkut. In this scenario, the_ spearphishing campaigns conducted by FANCY BEAR are distinct in purpose and perpetrator from the CyberBerkut attack against Leviev. The spearphishing campaigns are more focused on Bellingcat’s coverage of the MH17 shootdown and involvement in the JIT investigation. CyberBerkut targets Leviev separately after his coverage of Russian military involvement in eastern Ukraine with some assistance from supportive friends in Moscow to compromise his Yandex account. Targeting Leviev is less about a broader compromise of Bellingcat and more about harassing one journalist. In this scenario, CyberBerkut is advancing Moscow’s interests and can call on the Russian intelligence services, but is still a distinct group. ##### Leak Sites Leaking Over We looked to see if we could identify other overlaps between FANCY BEAR and CyberBerkut that would help us assess which of these two scenarios was more likely. Through our research into the Bellingcat activity, we found some surprising content overlaps with DCLeaks — another assessed Russian influence outlet — and a CyberBerkut pattern of registering infrastructure that FANCY BEAR also uses. These developments move the needle slightly towards a more coordinated relationship between the two groups, but not decisively. _Comparing DCLeaks and CyberBerkut_ [In our previous post, we identified a website called DCLeaks as a Russian-backed influence outlet. Information shared with](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/) ThreatConnect indicates that there is an association of some kind between the Guccifer 2.0 persona and the DCLeaks website. Shortly after publication, we became aware of a cache of documents leaked on the DCLeaks site. The files were allegedly obtained via a compromise of an organization affiliated with George Soros. It is interesting to note that earlier in 2016 CyberBerkut also published files purportedly associated with Soros. [Analysis conducted by Anton Cherepanov, a security researcher who works for ESET, suggests that the content of the two](https://twitter.com/cherepanov74/status/764948917939212289) [leaks are similar with at least three of the Soros documents being found on both sites. The acquisition and publication of](https://foreignpolicy.com/2016/08/22/turns-out-you-cant-trust-russian-hackers-anymore/) documents belonging to, or in some way associated with, the same individual is of interest as overlaps in targeting and potential similarities in stolen content could be indicative of a connection between DCLeaks and CyberBerkut. Further, as we have identified that there is a connection from DCLeaks to Guccifer 2.0 and from Guccifer 2.0 to FANCY BEAR, the overlap in leaked documents may suggest that both leak sites obtained their data from the same collection source, FANCY BEAR. While this alone isn’t enough to verify a relationship between the sites, there are some other interesting similarities. Despite their statuses as a U.S.-focused whistleblower and hacktivist group respectively, the websites of both DCLeaks and CyberBerkut primarily host content that is critical of individuals and governments perceived to oppose Russian foreign and domestic policies. Both sites attempt to appeal to civilian masses in the U.S. and Ukraine respectively by calling attention to purported in the political systems. _Aleksandr Panchenko_ ----- Most of these domains were also registered using privacy protection, but one domain, cyber berkut[.]net was registered by “Aleksandr Panchenko” using the email address alex_panchenko@mail[.]com. The same day the domain was registered through Reg.ru, it was later routed to CloudFlare infrastructure, suggesting that this domain was not opportunistically procured by a domain registrant in hopes they could sell it to the CyberBerkut actors. Additional research into this name and email address identifies six other CyberBerkut-related domains, none of which are active currently, registered by this individual: Cyber-berkut[.]su Cyber-berkut[.]tk Cyber-berkut[.]us Cyber-berkut[.]me Cyber-berkut[.]cz Cyber-berkut[.]im While certainly not definitive, the use of a mail.com email address to register domains is consistent with recently identified [FANCY BEAR registration activity against the DCCC, WADA, and CAS.](https://threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/) ##### Tracing out FB Infrastructure Based on Bellingcat Input The activity that Bellingcat alerted us to provided a plethora of domains, IP addresses, email addresses, and other registration and hosting information for us to pivot off of to identify other pertinent infrastructure. In an upcoming blog post, we’ll seek to identify as much FANCY BEAR infrastructure and aliases as possible using the ThreatConnect platform and capabilities from some of our industry partners. Reviewing the CATA501836 and Carbon2u name servers, we were able to identify dozens of active domains that fit the FANCY BEAR mold and likely spoof organizations that Moscow would seek to compromise. Pivoting off of Bellingcat’s email headers we were able to identify hundreds of domains and IPs, and dozens of email addresses d li t lik l d b FANCY BEAR f hi h t i l id tifi d Thi i i il id tifi d ----- **Conclusion** The campaign against Bellingcat provides yet another example of sustained targeting against an organization that shines a light on Russian perfidy. The spearphishing campaign is classic FANCY BEAR activity while CyberBerkut’s role raises yet more questions about the group’s ties to Moscow. These end-to-end cyber operations begin with targeting and exploitation and end with strategic leaks and other active measures employed against those with whom they disagree. These efforts go above and beyond traditional intelligence requirements such as gaining insight into a sensitive project or sources. Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and embarrass those that speak ill of Moscow. If Russia is willing to go to these lengths to compromise a small journalist organization and its contributors, consider what they are willing to do to major news and media outlets that publish similar articles. While many organizations remain reticent to share information, this knowledge is the prerequisite to establishing how widespread such efforts are and the adversary’s modus operandi. The BEARs win if their active measures campaigns push, scare, or intimidate their targets into doing what they want. If you encounter a BEAR, you’re doing something right. Don’t back down. And turn on two-factor authentication for everything. ### Update On October 5 2016, probable FANCY BEAR actors again sent a spearphishing message to a Bellingcat contributor. This spearphishing message spoofed Google security services, similar to those previously used to target Bellingcat. ----- FANCY BEAR used a shortening service to mask the malicious link, similar to the previous messages, but it appears the actors attempted to obfuscate their activity by using two separate shortening services to hide the final malicious link. The tiny.cc link that is in the spearphishing message actually points to a TinyURL shortened URL. ----- The TinyURL in turn points to the below URL: hxxp://myaccount.google.com-changepassword-securitypagesettingmyaccountgooglepagelogin.id833[.]ga This URL is appended with a target-specific base64 encoded string as was seen in the previous spearphishing messages targeting Bellingcat and others. The id833[.]ga domain is hosted at the 89.40.181[.]119 IP (Bucharest, RO) which also hosts the domain id834[.]ga. There is a subdomain for the id834[.]ga similar to the URL above that is also hosted at the same IP. This suggests that the id834[.]ga domain has also been operationalized, though we have no information indicating who has been targeted with it. The WHOIS records for these domains did not contain any additional information on the registrants or other domains they may have registered. Using ThreatConnect’s Email Import feature, we identified that the spearphishing message was sent through Yandex mail servers using the email address g.mail2017@yandex[.]com. ----- This was the first identified spearphish against Bellingcat since July 2016 and suggests that FANCY BEAR activity against them is ongoing. Other organizations involved in the MH17 investigation that would draw Moscow’s ire should be on the lookout for similar activity. -----