Swiss email provider targeted: Cyber attack hits email users probing Russian intelligence

One of the world’s most secure email services has been caught up in a sophisticated cyber attack aimed at investigative journalists and other experts who are probing Russian intelligence activities.

Those targeted have used Swiss-based ProtonMail to share sensitive information related to their probes of Moscow’s military intelligence directorate, the GRU. Its agents have been accused of complicity in the downing of MH17 over Ukraine in 2014, and the attempted assassination of Sergei Skripal and his daughter last year in Britain.

ProtonMail, which bills itself as the world’s most secure email platform because of its cutting-edge cryptography and protections against attack, became aware of the attempt to compromise its users on Wednesday.

The company, founded in 2014 by a team of former scientists from the European particle research laboratory CERN, has been in touch with Swiss authorities to help shut down the web domains used to try to dupe its clients and has taken action to block phishing emails. Its own systems and servers have not been hit in any way, it emphasised.

“The campaign that came in [on Wednesday] was really in the top 1-2% in terms of sophistication,” ProtonMail chief executive, Andy Yen, told the Financial Times. “They knew in advance exactly who they wanted to go after. Our research shows that this was a highly targeted operation.”

Swiss police aware of attack

On Sunday, the Federal Office of Police (fedpol) told Swiss news agency Keystone-SDA that ProtonMail had informed it of the cyber attack.

Together with the Federal Reporting and Analysis Centre for Information Assurance, initial measures have been taken, said fedpol spokeswoman Lulzana Musliu.

Source: Keystone-SDA/sm

According to Mr Yen, Swiss domains were registered to mimic ProtonMail’s user interface, paid for through intermediaries using untraceable bitcoin transactions. The fake login portals on those domains were then synchronised with the real ProtonMail login process for simultaneous login, to trick users into also giving up their two-factor authentication codes.

Emails sent to users were carefully scripted, but also exploited a rare unpatched coding bug in a widely used open source software package, unlikely to be understood by any but the best-resourced hackers.

Bellingcat team targeted

Among the accounts hackers sought to break into were those used by members of a team at Bellingcat, the open-source reporting investigative website, and a corporate intelligence firm whose employees — some of them former intelligence officials — use ProtonMail for sensitive work investigating Russia.

Over the past month, to coincide with the fifth anniversary of the shooting down of Malaysia Airlines flight MH17 over Ukraine, Bellingcat has begun to publish fresh material from its investigations implicating Russia and the GRU in the incident. The Russian government has consistently denied its involvement. 

Bellingcat is also preparing to release further information on the senior GRU officials they say co-ordinated the attempted poisoning of Sergei Skripal in Salisbury in March 2018. 

“It seems clear that it is linked to our GRU investigations,” said Christo Grozev, a security specialist and researcher at Bellingcat. “They have been trying to get into our regular email accounts for a long time now. But with ProtonMail it was very odd and unexpected.”

Those targeted in the ProtonMail phishing attack have been rattled in particular by how the attackers gained details of their usernames and accounts in the first place, given many use anonymised addresses that are only known to a closed circle of trusted contacts. “I assume that one of them must be compromised,” said Mr Grozev. “So clearly we are going to have to change our accounts.”

Mr Grozev said he had little doubt that the operation was directed by Russia. He told the FT that Bellingcat was homing in on identifying the GRU officer who directed the Skripal assassination attempt. “That is what has triggered their interest,” he said.

Little specific evidence

Specific evidence pointing to Moscow in the attempt against ProtonMail is, however, thin on the ground.

Mr Grozev said it seemed likely that the GRU’s own hacking operation was responsible. The unit, known in the west by its nicknames Fancy Bear and APT28, was responsible for the hack against the Hillary Clinton campaign in the 2016 US presidential election. 

“The activity and targets in this attack [against ProtonMail] are consistent with what we observed from Fancy Bear in the past,” said Adam Meyers, vice-president of Intelligence at CrowdStrike, the US cyber security company that first identified Fancy Bear’s activities. “It would seem like a classic counter intelligence mission . . . Bellingcat has certainly made a mess of the GRU’s operations.”

Fancy Bear had been quiet recently, said Mr Meyers, but early indications suggested that some recent activities had, like the ProtonMail attacks, become more targeted and narrow.

“Attribution is of course hard,” said Mr Yen. “The choice of targets does give some basis for the claim that this was a state sponsored attack. It has many of the hallmarks of one, especially considering its sophistication.”

Mr Yen said ProtonMail users’ email accounts were fully end-to-end encrypted so users had nothing to worry about unless they had inadvertently given away their passwords.

Copyright The Financial Times Limited 2019

Financial Times
