# Belling the BEAR

**threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/**

September 28, 2016

## ThreatConnect reviews activity targeting Bellingcat, a key contributor in the MH17 investigation.

_Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the_
_[Democratic National Committee“, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“,](https://threatconnect.com/guccifer-2-0-dnc-breach/)_
_[“Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT)](https://threatconnect.com/reassesing-guccifer-2-0-recent-claims/)_
_[Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, and “Russian Cyber Operations on Steroids“.](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/)_

### [UPDATE] October 7th 2016

Introduction

[Since posting about the DNC hack, each time we published a blog post on a BEAR-based topic we thought it was going](https://threatconnect.com/blog/tapping-into-democratic-national-committee/)
to be our last. But like the Death Star’s gravitational pull, the story keeps drawing us back in as new information comes
[to light. Following our post on DCLeaks as a Russian influence operation,](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/) [Bellingcat founder Eliot Higgins reached out](https://www.bellingcat.com/)
to us. Bellingcat, a group of citizen investigative journalists, has published articles critical of Russia and has been a key
[contributor to the international investigation of the shootdown of Malaysian Airlines Flight 17 (MH17) over Ukraine in](https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17)
2014.

Higgins shared data with ThreatConnect that indicates Bellingcat has come under sustained targeting by Russian threat
actors, which allowed us to identify a 2015 spearphishing campaign that is consistent with FANCY BEAR’s tactics,
techniques, and procedures. We also analyzed a February 2016 attack by CyberBerkut — a group claiming to be proRussian Ukrainian hacktivists but also a suspected front for Moscow — against Russia-based Bellingcat contributor
[Ruslan Leviev, where CyberBerkut defaced the Bellingcat website and leaked Leviev’s personal details. As evidenced](https://twitter.com/RuslanLeviev)
by these efforts and [the attack on the World Anti-Doping Agency, organizations that negatively impact Russia’s image](https://threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/)
can expect Russian cyber operations intended to retaliate publicly or privately, influence, or otherwise maliciously affect
them. The [Diamond Model below summarizes the activity that Bellingcat experienced.](http://www.activeresponse.org/the-diamond-model/)


-----

### Bellingcat Background

[Bellingcat is a group of citizen investigative journalists — named after a classic fable — that uses open source](https://en.wikipedia.org/wiki/Belling_the_cat)
information, such as photos and videos posted on social media, maps, and publicly available satellite imagery.
Bellingcat articles have focused on a variety of current events in Africa, the Middle East, the U.S., and Europe with a
specific focus on notable conflicts related to Syria, Ukraine, and Russia.

Bellingcat published its first post on July 5, 2014, and for the next twelve days focused mainly on the ongoing Syrian
civil war, covering developments such as the use of chemical weapons, but also occasionally pointing out Russian
involvement. On July 17, 2014, Malaysian Airlines Flight 17 crashed in pro-Russian rebel territory in eastern Ukraine
[and Bellingcat released their first post on the topic. Over the next two years, Bellingcat would publish no fewer than 92](https://www.bellingcat.com/resources/case-studies/2014/07/17/geolocating-the-missile-launcher-linked-to-the-downing-of-mh17/)
posts from at least 8 [contributors focused on Russian involvement in the downing of MH17, using open source](https://www.bellingcat.com/contributors/)
information and imagery to prove the presence of the Russian military in eastern Ukraine and that a Russian-supplied
Buk missile launcher shot down MH17 from pro-Russian rebel territory. The Kremlin vehemently denies this.

[The Dutch took the lead in the criminal investigation through an international Joint Investigation Team (JIT) and officially](https://www.om.nl/onderwerpen/mh17-crash/)
considered Bellingcat’s reporting in their investigation. Founder Eliot Higgins was included as an official witness. The
[Dutch Safety Board ultimately found MH17 was shot down by a Russian-made surface-to-air missile but declined to](https://www.washingtonpost.com/news/worldviews/wp/2015/10/13/a-dutch-report-will-say-what-downed-mh17-it-wont-blame-the-russians/)
[assign blame for who was responsible for the launch. On September 28, the JIT is due to release the results of their](http://www.nltimes.nl/2016/08/22/mh17-dutch-criminal-investigation-results-ready-sept-28/)
criminal investigation.

Compromising Bellingcat contributors could provide Russian intelligence services with journalists’ contacts and sources,
personal information, insight into future reporting perceived as indemnifying Russia, as well as sensitive personal
information. Such collection could facilitate influence operations and retaliation efforts against Bellingcat, or access that
could be leveraged for follow-on operations. Compromising Bellingcat contributors’ accounts could also provide access
to communications with the JIT, offering a glimpse at how the investigation of the downing of MH17 was proceeding.

### Activity Targeting Bellingcat


-----

_Timeline_

The timeline below summarizes the notable dates related to the MH17 crash and investigation, Bellingcat’s articles
related to those events, and the malicious activity targeting Bellingcat and Leviev. It’s important to note we do not have
complete insight into all of the malicious activity that may have targeted Bellingcat during this timeframe.

_FANCY BEAR_

From February 2015 to July 2016 three researchers at Bellingcat — Higgins, Aric Toler, and Veli-Peka Kivimaki — who
had contributed MH17 articles received numerous spearphishing emails, with Higgins alone receiving at least 16
phishing emails targeting his personal email account. A majority of the campaign took place from February to
September 2015, with some activity resuming in May 2016. These spearphishing attempts consist of a variety of
spoofed Gmail security notices alerting the target that suspicious activity was detected on their account. The target is
prompted to click a URL resembling a legitimate Gmail security link to review the details of this suspicious activity. Below
are screenshots of some of the spearphishing email targeting Bellingcat researchers.


-----

-----

-----

The attackers used several methods to redirect the target to credential harvesting pages. In at least 21 of the emails, the
URL redirects the victim to a shortened Bitly URL. These shortened Bitly links, in turn, direct the victim to another
[Google-spoofing URL appended with the base64 encoded target email and name. One of the emails used a shortened](https://en.wikipedia.org/wiki/Base64)
TINYCC URL to achieve the same effect. In four of the other emails, the security links direct the target to a Google Sites
page that spoofs a Google login page. Once the target visits the Bitly, TINYCC, or Google Sites URLs, they are
prompted to enter their Google credentials, which would then be captured by the threat actors.

The specifically crafted URLs with target-specific strings are consistent with a FANCY BEAR technique highlighted in
[Dell Secureworks research and](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) [employed against a DNC staffer whose files were leaked on DCLeaks. Reviewing the](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/)
click information for the Bitly links, we identified that at least three of the Bitly URLs targeting the same Bellingcat
individual were accessed in the timeframe consistent with the spearphishing attack. This suggests the individual clicked
on the links in three of the spearphishing messages, but Bellingcat confirms that no credentials were supplied to these
pages.


-----

Other consistencies with Russia and FANCY BEAR activity were also identified. In early May and again in mid-June
2016 the Bellingcat contributor Aric Toler’s personal email address was targeted by FANCY BEAR. Using
ThreatConnect’s Email Import function, we are able to identify that both messages abused Moscow-based Yandex email
services to send malicious emails to the researcher. In the May phishing example FANCY BEAR used the Yandex
account berg01berg01@yandex[.]com.

In the June 2016 example, Toler was targeted with a message that used hellomail1@yandex[.]com in a manner
consistent with how Billy Rinehart was targeted prior to content from his personal Gmail being posted to DCLeaks.


-----

By analyzing the email headers provided by Bellingcat, we identified domains and corresponding IP addresses that the
attackers leveraged as part of the spearphishing operation. The table below also shows the registrant for the domain,
the creation date for the WHOIS record, and the name server the domain used during the attack timeframe.


**Name Server During**
**Attack**

Carbon2u.com

Cata501836.earth.orderboxdns.com

Carbon2u.com

Cata501836.earth.orderboxdns.com

Carbon2u.com

Carbon2u.com


**Spearphishing Domain** **Mailserver IP** **Domain Registrant**


mxx.evrosatory[.]com

accounts.servicegoogle[.]com

mxx.us-westmailundeliversystem[.]com

mx1.servicetransfermail[.]com

accounts.google.com.rnil[.]am

mx6.set132[.]com


46.22.208.204

155.254.36.155

46.22.208.204

95.153.32.53

198.105.122.187

198.105.122.187


andre_roy@mail.com

theforeignnews@gmail.com

andre_roy@mail.com

theforeignnews@gmail.com

Private

emmer.brown@mail.com


**Domain**
**Create**
**Date**

2/13/14

5/22/15

2/28/14

6/3/15

7/7/14

9/30/14


server.mx4.set132[.]com 46.22.208.204 emmer.brown@mail.com 9/30/14 Carbon2u.com

[The domains evrosatory[.]com,us-westmail-undeliversystem[.]com have been previously identified by Pricewaterhouse](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf)
Coopers as FANCY BEAR, and the domain servicetransfermail[.]com closely resembles the servicetransferemail[.]com
[infrastructure that German Intelligence (BvF) established as FANCY BEAR within Cyber Brief Nr. 01/2016.](https://www.verfassungsschutz.de/download/broschuere-2016-03-bfv-cyber-brief-2016-01.pdf)

[FANCY BEAR also previously used both the Cata501836 and Carbon2u name servers to host infrastructure and email](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/)
addresses from 1&1’s mail.com to [register domains. We were able to identify further overlaps with other FANCY BEAR](https://threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/)
infrastructure by pivoting off of these indicators, which we will describe in a later blog post. Based on these


-----

consistencies, we assess FANCY BEAR almost certainly is behind the spearphishing and credential harvesting
campaign targeting Eliot Higgins and other Bellingcat researchers.

_CyberBerkut Activity_

[CyberBerkut describes itself as a group of pro-Russian Ukrainian hacktivists. They borrow the “Berkut” name from the](https://en.wikipedia.org/wiki/Berkut_(special_police_force))
[now disbanded Ukrainian riot police who responded brutally to the 2014 EuroMaidan demonstrations in Kiev.](https://www.netflix.com/title/80031666)
[CyberBerkut runs a digitally-fueled, aggressive, active measures campaign directed against a pro-western government](https://en.wikipedia.org/wiki/Active_measures)
in Kiev and points of western influence — such as NATO — in eastern Europe.

CyberBerkut has conducted attacks across a spectrum of technical sophistication including distributed denial of service
attacks (DDOS), disrupting and degrading the networks of Ukraine’s [Central Election Commission during the 2014](https://ccdcoe.org/sites/default/files/multimedia/pdf/CyberWarinPerspective_full_book.pdf)
election, [hacking Ukrainian billboards and displaying pro-Russian messages, conducting computer network exploitation](https://www.youtube.com/watch?v=E8A2MIkiavE)
[and strategic leaks of emails and documents, and leaking intercepted phone calls between high ranking Ukrainian](https://www.youtube.com/watch?v=Wkicw3EolCg)
officials. This range suggests highly capable actors are behind CyberBerkut and they employ a high degree of
operational planning when considering the offensive use of information and their effects.

CyberBerkut [defaced the Bellingcat webpage on February 10, 2016, claiming credit for the attack and singling out](https://twitter.com/bellingcat/status/697334674029412353)
Ruslan Leviev, a Russian opposition blogger and Bellingcat contributor.

[Leviev published a compelling piece of citizen journalism on May 22, 2015 exploring the fate of Russian Spetsnaz](https://www.bellingcat.com/news/uk-and-europe/2015/05/22/three-graves/)
soldiers believed to have been killed in combat operations within Ukraine earlier that month. According to Bellingcat
founder Higgins, Leviev’s contributor account was compromised and used to post the CyberBerkut message. In an
email interview, Leviev makes the following statement regarding the events that led to the compromise of his credentials
and the defacement.

_In my case, my old email account, which was located on Yandex servers, was hacked. The email account had a long,_
_difficult password, not a word, from various letters, numbers, and special symbols. Plus there was a telephone number_
_bound to the account for second factor authentication._

_Exactly how it was hacked — I don’t know._

1. Either they as employees, or with their active assistance, intercepted the SMS authentication code.


-----

2. Or they, again, as an officer from the authorities or with their active assistance, gained direct access to the Yandex

_Mail servers where they seized the email from my old inbox._
3. Or they know about a vulnerability in Yandex email that nearly nobody else knows about.

_Having seized the old email inbox, they used the password recovery mechanism for LiveJournal. My LiveJournal_
_account (which I have not used for a long time) was connected to my old email address, but LiveJournal does not_
_provide second factor authentication. Via password recovery of my LiveJournal from my stolen email, they took over my_
_LiveJournal account and made a post._

_In the same stolen email account, they found my username and password for my account at Bellingcat (I had once_
_published an investigation directly on the Bellingcat website) and they published a post there in my name._

_At the same time, my icloud account was not setup for second factor authentication, and was connected only to my old_
_email address for password recovery, it was also taken over. They performed a password recovery via my stolen email_
_address for icloud, logged in, but I received a notification on my iPhone about it, and I quickly cut off their access, but_
_they were able to download some photos._

_They also tried to hack my Facebook and Twitter. They were unable to crack Facebook, because I had second factor_
_authentication and always need to enter the code generated by the Facebook app. They were able to login to Twitter_
_and change the password but nothing was deleted and they didn’t tweet anything. I restored the password._

_Based on all the data, I assume that, as in the case of Alburovym, Kozlovsky, Parkhomenko, this was the activity of_
_security services who intercepted the SMS containing the access code. So they got access to my old email account and_
_they also gained access to my Twitter account (which was also under two-factor, but code is sent via SMS rather than_
_generated in an app)._

_Of my social networks where two-factor codes are generated via an application, they were unable to crack. Of my social_
_networks where the two-factor code was sent via SMS, they were able to crack._

Leviev suggests the attackers had direct access to Yandex mail servers or were able to intercept the SMS message
used for two factor authentication to compromise his old Yandex email account. Leviev goes on to describe that the
actors then used emails from that old account to compromise his iCloud account and access pictures and other
information saved from Leviev’s phone to iCloud. Some of this information was ultimately put in a February 24, 2016
post on CyberBerkut’s website that contained sensitive details of Leviev’s personal life, such as his pictures, phone
number, address, passport scan, girlfriend’s name, and dating and sexual preferences.

These attacks were an overt attempt to discredit Bellingcat research and Leviev, but also carried a message to others
who publicly voice positions critical of Moscow that this form of journalism does not go unnoticed. We also found it
interesting how much effort was expended and the degree of sources and methods exposed to achieve a simple
defacement. We do not know whether the attackers intercepted Leviev’s SMS-based two-factor authentication or had
direct access to Yandex mail servers, but either tactic is more suggestive of a state-backed actor as opposed to
independent hacktivists.

### CyberBerkut and FANCY BEAR: Not the Same, But Showing Up to the Same Party

Throughout our research, we have focused on FANCY BEAR, an advanced persistent threat (APT) group assessed to
be Russian government. CyberBerkut, on the other hand, was a referential data point when we looked at precedence for
[pro-Russian proxies interfering with elections. CrowdStrike assessed in its 2015 Global Threat Report “there are](https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf)
indications that CyberBerkut has ties to Russian state security,” but the degree of Russian government control over the
group is disputed.

The timing of the FANCY BEAR spearphishing campaigns and the CyberBerkut attack against Leviev are interesting.
The concerted FANCY BEAR spearphishing efforts over a six month timeframe in 2015 shows Moscow’s clear intent to
compromise Bellingcat, most likely due to their posts on key current events involving Russia. This activity was followed
by a hard stop and then additional targeted efforts by CyberBerkut in early 2016, which was in-turn followed by
additional FANCY BEAR spearphishing from May to July 2016. A key assumption underlying any assessment about
how these activities are related stems from how an analyst assesses the motives for targeting Leviev.


-----

We came up with two scenarios:

_Stronger/Closer Coordination Between FANCY BEAR and CyberBerkut. In this scenario, the activities against Bellingcat_
are coordinated with these two entities handing off operations. The timing suggests that the state actors, looking to
compromise Bellingcat, pivoted to a more aggressive attack against Leviev when the initial spearphishing campaign
failed to yield the desired results. Leviev is targeted more aggressively as a means to get at Bellingcat and since he
lives in Russia, state actors would have additional tools in their kit to intercept his SMS two-factor authentication
messages or gain direct access to Yandex’s mail servers. In this scenario, CyberBerkut functions as much as a strategic
messaging outlet as the actual attacker and is subject to a much greater degree of direction and control from Moscow
than previously assessed.

_The Common Enemies Approach: Weaker/Less Coordination Between FANCY BEAR and CyberBerkut. In this_
scenario, the spearphishing campaigns conducted by FANCY BEAR are distinct in purpose and perpetrator from the
CyberBerkut attack against Leviev. The spearphishing campaigns are more focused on Bellingcat’s coverage of the
MH17 shootdown and involvement in the JIT investigation. CyberBerkut targets Leviev separately after his coverage of
Russian military involvement in eastern Ukraine with some assistance from supportive friends in Moscow to compromise
his Yandex account. Targeting Leviev is less about a broader compromise of Bellingcat and more about harassing one
journalist. In this scenario, CyberBerkut is advancing Moscow’s interests and can call on the Russian intelligence
services, but is still a distinct group.

### Leak Sites Leaking Over

We looked to see if we could identify other overlaps between FANCY BEAR and CyberBerkut that would help us assess
which of these two scenarios was more likely. Through our research into the Bellingcat activity, we found some
surprising content overlaps with DCLeaks — another assessed Russian influence outlet — and a CyberBerkut pattern of
registering infrastructure that FANCY BEAR also uses. These developments move the needle slightly towards a more
coordinated relationship between the two groups, but not decisively.

_Comparing DCLeaks and CyberBerkut_

In [our previous post, we identified a website called DCLeaks as a Russian-backed influence outlet. Information shared](https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/)
with ThreatConnect indicates that there is an association of some kind between the Guccifer 2.0 persona and the
DCLeaks website. Shortly after publication, we became aware of a cache of documents leaked on the DCLeaks site.
The files were allegedly obtained via a compromise of an organization affiliated with George Soros. It is interesting to
note that earlier in 2016 CyberBerkut also published files purportedly associated with Soros.

[Analysis conducted by Anton Cherepanov, a security researcher who works for ESET, suggests that the content of the](https://twitter.com/cherepanov74/status/764948917939212289)
[two leaks are similar with at least three of the Soros documents being found on both sites. The acquisition and](https://foreignpolicy.com/2016/08/22/turns-out-you-cant-trust-russian-hackers-anymore/)
publication of documents belonging to, or in some way associated with, the same individual is of interest as overlaps in
targeting and potential similarities in stolen content could be indicative of a connection between DCLeaks and
CyberBerkut. Further, as we have identified that there is a connection from DCLeaks to Guccifer 2.0 and from Guccifer
2.0 to FANCY BEAR, the overlap in leaked documents may suggest that both leak sites obtained their data from the
same collection source, FANCY BEAR.

While this alone isn’t enough to verify a relationship between the sites, there are some other interesting similarities.
Despite their statuses as a U.S.-focused whistleblower and hacktivist group respectively, the websites of both DCLeaks
and CyberBerkut primarily host content that is critical of individuals and governments perceived to oppose Russian
foreign and domestic policies. Both sites attempt to appeal to civilian masses in the U.S. and Ukraine respectively by
calling attention to purported in the political systems.

_Aleksandr Panchenko_

CyberBerkut’s main domain, cyber-berkut[.]org, was registered using privacy protection through the registrar Internet.bs
and shortly thereafter hosted using CloudFlare infrastructure. Several other CyberBerkut-related domains redirect to this
website. Most of these domains were also registered using privacy protection, but one domain, cyber-berkut[.]net was


-----

registered by Aleksandr Panchenko using the email address alex_panchenko@mail[.]com. The same day the domain
was registered through Reg.ru, it was later routed to CloudFlare infrastructure, suggesting that this domain was not
opportunistically procured by a domain registrant in hopes they could sell it to the CyberBerkut actors.

Additional research into this name and email address identifies six other CyberBerkut-related domains, none of which
are active currently, registered by this individual:

Cyber-berkut[.]su
Cyber-berkut[.]tk
Cyber-berkut[.]us
Cyber-berkut[.]me
Cyber-berkut[.]cz
Cyber-berkut[.]im

While certainly not definitive, the use of a mail.com email address to register domains is consistent with recently
[identified FANCY BEAR registration activity against the DCCC,](https://threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/) [WADA, and CAS.](https://threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/)

### Tracing out FB Infrastructure Based on Bellingcat Input

The activity that Bellingcat alerted us to provided a plethora of domains, IP addresses, email addresses, and other
registration and hosting information for us to pivot off of to identify other pertinent infrastructure. In an upcoming blog
post, we’ll seek to identify as much FANCY BEAR infrastructure and aliases as possible using the ThreatConnect
platform and capabilities from some of our industry partners.

Reviewing the CATA501836 and Carbon2u name servers, we were able to identify dozens of active domains that fit the
FANCY BEAR mold and likely spoof organizations that Moscow would seek to compromise.

Pivoting off of Bellingcat’s email headers we were able to identify hundreds of domains and IPs, and dozens of email
addresses and aliases most likely used by FANCY BEAR, some of which were not previously identified. This review
primarily identified historical FANCY BEAR information, but the conclusions from it help verify FANCY BEAR TTP
assessments, provide additional targeting context, and may be useful in retrospective reviews of malicious activity.

**Conclusion**


-----

The campaign against Bellingcat provides yet another example of sustained targeting against an organization that
shines a light on Russian perfidy. The spearphishing campaign is classic FANCY BEAR activity while CyberBerkut’s role
raises yet more questions about the group’s ties to Moscow. These end-to-end cyber operations begin with targeting
and exploitation and end with strategic leaks and other active measures employed against those with whom they
disagree.

These efforts go above and beyond traditional intelligence requirements such as gaining insight into a sensitive project
or sources. Vilifying the messenger and dumping their personal data is part of the game, intended to intimidate and
embarrass those that speak ill of Moscow. If Russia is willing to go to these lengths to compromise a small journalist
organization and its contributors, consider what they are willing to do to major news and media outlets that publish
similar articles. While many organizations remain reticent to share information, this knowledge is the prerequisite to
establishing how widespread such efforts are and the adversary’s modus operandi.

The BEARs win if their active measures campaigns push, scare, or intimidate their targets into doing what they want. If
you encounter a BEAR, you’re doing something right. Don’t back down. And turn on two-factor authentication for
everything.

## Update

On October 5 2016, probable FANCY BEAR actors again sent a spearphishing message to a Bellingcat contributor. This
spearphishing message spoofed Google security services, similar to those previously used to target Bellingcat.


-----

FANCY BEAR used a shortening service to mask the malicious link, similar to the previous messages, but it appears the
actors attempted to obfuscate their activity by using two separate shortening services to hide the final malicious link.
The tiny.cc link that is in the spearphishing message actually points to a TinyURL shortened URL.

The TinyURL in turn points to the below URL:


-----

hxxp://myaccount.google.com changepassword securitypagesettingmyaccountgooglepagelogin.id833[.]ga

This URL is appended with a target-specific base64 encoded string as was seen in the previous spearphishing
messages targeting Bellingcat and others.

The id833[.]ga domain is hosted at the 89.40.181[.]119 IP (Bucharest, RO) which also hosts the domain id834[.]ga.
There is a subdomain for the id834[.]ga similar to the URL above that is also hosted at the same IP. This suggests that
the id834[.]ga domain has also been operationalized, though we have no information indicating who has been targeted
with it. The WHOIS records for these domains did not contain any additional information on the registrants or other
domains they may have registered.

Using ThreatConnect’s Email Import feature, we identified that the spearphishing message was sent through Yandex
mail servers using the email address g.mail2017@yandex[.]com.


-----

This was the first identified spearphish against Bellingcat since July 2016 and suggests that FANCY BEAR activity
against them is ongoing. Other organizations involved in the MH17 investigation that would draw Moscow’s ire should
be on the lookout for similar activity.


-----