State Hackers Launch Sophisticated Phishing Attack on Journalists Using ProtonMail Addresses

Journalists from The Insider and Bellingcat became the targets of one of the most sophisticated recent phishing attacks attributed to the Russian GRU. Alongside them, at least ten other journalists and NGO employees from Russia, Europe, and the United States were also targeted. The attacks occurred in several waves, beginning around late April 2019.

How the Attack Was Carried Out

In early April, the hackers registered 11 domain names to disguise their phishing attempts as legitimate ProtonMail communications. The Swiss secure email service ProtonMail confirmed the phishing attempt at the end of July, stating that the attack was unsuccessful thanks to the vigilance of both Bellingcat journalists and ProtonMail itself, which took several measures to neutralize the threat.

Bellingcat and ProtonMail are convinced that Russian hackers and the GRU were behind the phishing attack. The incident was reported to the Swiss cybersecurity authority.

Details of the Phishing Campaign

Between late April and late July, The Insider and Bellingcat discovered that the attacks originated from several addresses. The phishing emails were fake warnings, supposedly from ProtonMail, about suspicious login attempts or account breaches.

The sender was typically displayed as support[@]protonmail.ch (a legitimate ProtonMail address), but the actual senders (visible, for example, when replying to the email) were accounts on the free mail[.]uk service, such as kobi.genobi[@]mail[.]uk and notifysendingservice[@]mail[.]uk.

The content and design of the phishing emails closely resembled real ProtonMail alerts and included a hyperlink. Clicking the link would prompt the user to go to their settings to change their password and “protect” their account.
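The two tells described above, a legitimate-looking display address whose real sender only shows up in Reply-To or Return-Path, and a link pointing at a freshly registered lookalike domain, are checks a mail gateway or an analyst's triage script can automate. The following is an added example, not code from the article or from ProtonMail: the sample messages are constructed, the lookalike link domain is a placeholder under the reserved .example TLD, and the allowlist of legitimate ProtonMail domains is an assumption made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains the impersonated provider really sends from and links to.
LEGIT_DOMAINS = {"protonmail.ch", "protonmail.com"}
# Brand tokens: a non-allowlisted domain containing one of these is treated as a lookalike.
BRAND_TOKENS = ("protonmail", "proton")


def domain_of_address(header_value):
    """Return the lowercased domain of an RFC 5322 address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels.

    Good enough for this check; a real gateway would use the public suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_link_hosts(msg):
    """Collect hostnames of every http(s) URL found in text/html or text/plain parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in re.findall(r'https?://[^\s"\'<>]+', text):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_dom = domain_of_address(msg.get("From"))
    reply_dom = domain_of_address(msg.get("Reply-To"))
    return_dom = domain_of_address(msg.get("Return-Path"))
    findings = []

    # Tell 1: the displayed sender and the address replies actually go to disagree.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Tell 1b: the envelope sender (bounce address) disagrees with the displayed sender.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")

    # Tell 2: links that leave the provider's real domains, especially brand lookalikes.
    for host in sorted(extract_link_hosts(msg)):
        if registrable(host) in LEGIT_DOMAINS:
            continue
        if any(token in host for token in BRAND_TOKENS):
            findings.append(f"lookalike link domain {host}")
        else:
            findings.append(f"link to non-allowlisted domain {host}")
    return findings


# Constructed sample modelled on the article's description: real-looking From, real sender
# in Reply-To/Return-Path, and a "change your password" link to a placeholder lookalike host.
SAMPLE_PHISH = """\
From: ProtonMail Support <support@protonmail.ch>
Reply-To: notifysendingservice@mail.uk
Return-Path: <notifysendingservice@mail.uk>
Subject: Suspicious login attempt
Content-Type: text/html; charset=utf-8

<p>We detected a suspicious login. Please
<a href="https://account.protonmail-login.example/settings/password">change your password</a>
to protect your account.</p>
"""

# Constructed benign sample: same display sender, links stay on an allowlisted domain.
SAMPLE_LEGIT = """\
From: ProtonMail Support <support@protonmail.ch>
Subject: Your weekly summary
Content-Type: text/html; charset=utf-8

<p>Manage your settings at <a href="https://mail.protonmail.com/settings">mail.protonmail.com</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or "no findings")
```

The Reply-To check is what the article's journalists effectively did by hand when they hit reply; the Return-Path check catches the same mismatch at the envelope level, which a gateway sees before any user does. Neither check needs the lookalike domains to be known in advance, which matters when, as here, they were registered only days before the first wave.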

ProtonMail’s Response and Attack Sophistication

ProtonMail’s management described this as the most sophisticated attack the company has ever faced. They explained that the scripts on the fake domains were synchronized with the real ProtonMail domain, which could theoretically allow the attackers to bypass two-factor authentication (meaning, if a user entered their two-factor code on the phishing site, it would be immediately used on the real site). It is unknown whether the hackers managed to exploit this technique.

No Victims Among Journalists

The attempt to deceive the journalists was highly convincing, but none of them fell for the scam or revealed their passwords, emphasized Bellingcat investigative journalist Christo Grozev.

Grozev coordinated the network’s investigation into the March 2018 poisoning of former double agent Sergei Skripal in Salisbury. It was Bellingcat journalists who uncovered the real identities of Russian military intelligence (GRU) agents Alexander Petrov and Ruslan Boshirov, who are believed to be behind the poisoning.

According to Grozev, “There is no doubt that the GRU military intelligence is responsible for the hacking attack.” Andy Yen, head of Swiss provider ProtonMail, agrees with this assessment.
