How Sneaky Hackers Altered Stolen Emails to Attack Putin's Critics

By Dell Cameron

Cyber espionage operations and leaks of sensitive government data are a regular occurrence these days. In our eagerness to learn hidden truths it is also imperative that we ask ourselves whether we can trust the accuracy of information offered up by unknown actors whose intentions are obscured. Is this information real, or has it been tampered with to further some powerful entity’s shadowy agenda? Should our default position be to treat leaks with the strictest suspicion—perhaps even as the calculated product of digital disinformation—until proven otherwise?

The latest report from Citizen Lab, Tainted Leaks: Disinformation and Phishing With a Russian Nexus, indicates that perhaps we’re a little too credulous when reviewing “leaks.” The report details major cyber espionage campaigns rife with falsified information, seemingly intended to discredit those on the front lines of wars against government corruption. The targets, spread over 39 countries, include government and industry leaders, military officers, diplomats, and notable members of civil society, including journalists, activists, academics, as well as other high-profile individuals.

Civil society, according to the report, represents the second largest target of cyber espionage following government. As Citizen Lab Director Ron Deibert explains, “For many powerful elites, a vibrant civil society is the antithesis to their corrupt aims.”

The research begins with a large-scale phishing and disinformation campaign linked to Russia, offering evidence of how documents stolen from a prominent journalist were tampered with before their release into the wild. Citizen Lab refers to this propaganda technique as “tainted leaks.”

Patient zero is David Satter, an American journalist exiled from Russia, who in October 2016 fell victim to a targeted phishing campaign. Satter, perhaps best known for implicating Russian intelligence services in the September 1999 apartment bombings in Buynaksk, Moscow, and Volgodonsk, which killed 293 people, had mistakenly entered his password into a credential harvesting site. His emails were subsequently stolen and eventually leaked by the self-described pro-Russian hacktivist group CyberBerkut.


Prior to being leaked, many of Satter’s emails were carefully modified to create the illusion that anti-corruption activist Alexei Navalny, among other such opposition figures, had been in receipt of foreign funding. Further, the tainted leaks were used as dezinformatsiya to “discredit specific reports about corruption among close associates of Russian President Vladimir Putin.” The suspicious timing suggests “advance knowledge of the publication of an upcoming piece of investigative journalism concerning senior Russian officials and businessmen.”

A sentence inserted into one modified document read: “Besides, on October 24-25, Vedomosti columnist Elena Vinogradova will publish an article about Moscow Oblast issues in which senior Russian officials and businessmen close to Putin will be mentioned.” This suggests coordination with or at least knowledge of an ongoing surveillance operation targeting Vedomosti, or Vinogradova, or both.

As with patient zero, more than half of the civil society targets examined by Citizen Lab were journalists, many of whom work for prominent Russian language outlets, including “Vedomosti, Slon/Republic, Novaya Gazeta, and the BBC Russian Service.”

One of the tactics employed involved adding the names of journalists to tainted material in order to implicate them in a fictitious scheme in which they are portrayed as having received foreign money in exchange for negative coverage of the Russian government. Another tactic involved removing the specific name of an outlet, Radio Liberty, in order to create the appearance of a broader conspiracy against the Kremlin. “The operators modified the document’s scope in an attempt to create the appearance of a widespread media campaign,” Citizen Lab wrote. “They did this by removing or modifying mentions of Radio Liberty throughout the document.”

The tainted material was then circulated among Russian state-operated news agencies, including RIA Novosti and Sputnik Radio, which portrayed the “leak” as evidence of a Central Intelligence Agency (CIA) operation to incite a “colour revolution,” a term which refers to civil society strikes and demonstrations aimed at toppling regimes; the Iranian “Green Revolution” of 2009, or the 1986 “Yellow Revolution” in the Philippines, for example.

Revolution is considered by many scholars to be the supreme fear of President Putin, whose formative years include a sort of near-death experience at the Dresden headquarters of the Stasi, the East German secret police, which was nearly overrun by demonstrators after the fall of the Berlin Wall.

An analysis by Citizen Lab of the technical methods deployed against Satter enabled the researchers to uncover as many as 200 other individuals in 39 countries similarly targeted by the same threat actors. “Not since our Tracking Ghostnet report in 2009 do I recall us discovering such an extensive list of high-profile targets of a single cyber espionage campaign,” writes Citizen Lab Director Ronald Deibert.

Attributing these methods and attacks to Russian information operations remains challenging, particularly due to the Kremlin’s use of proxy actors, i.e., the outsourcing of operations to the criminal underworld. While this is no “smoking gun,” Citizen Lab said, in addition to the required resources and scale (suggestive of a nation state), all of the targets are connected “to issues that the Russian government cares about.”

The data collected from such a campaign would come in more than a dozen languages, and concern a diverse range of political, military, and policy issues from at least 39 countries and 28 governments. In addition, such a campaign would be likely to generate large volumes of data. For this reason, a professionalised, well-resourced operator would be needed for any effective post-collection analysis of the stolen data. Even greater resources would be required to analyse, and in some instances carefully modify in a short timeframe, the contents of stolen email and cloud-storage accounts for the purposes of seeding disinformation via tainted leaks.

In one instance, by examining a link-shortening service used in the operation against Satter, the researchers were able to uncover 233 malicious links targeting as many as 218 unique targets in two distinctive campaigns. “One thread that links the targets is that their professional activities connect them to issues where the Russian government has a demonstrated interest,” the researchers wrote. “In some cases, the targets are Russians, ranging from an ex-Prime Minister, to journalists who investigate corruption, to political activists.”

High-ranking military personnel and elected government officials in Ukraine were, unsurprisingly, one of the largest groups of individuals targeted.

According to Deibert, other notable targets include: United Nations officials; a former senior director of the US National Security Council; a former US deputy under secretary of defense; and senior members of oil, gas, mining, and finance industries of former Soviet states.

These operations are likely to become far more pervasive as the number of significant data breaches continues to grow. “Indeed, we could be on the cusp of a new era of superpower-enabled, digital disinformation,” writes Deibert. “The public’s faith in media (which is already very low), and the ability of civil society to do its job effectively, will both invariably suffer as collateral damage.” [Citizen Lab]
