Russian Hackers Target Journalists Investigating MH17 Crash

Two Russia-linked threat groups have been targeting citizen journalists investigating Moscow’s involvement in the downing of Malaysia Airlines flight MH17 in July 2014 as it was crossing Ukraine.

In October 2015, Trend Micro reported that the Dutch Safety Board (DSB), which had been investigating the cause of the crash, was targeted by the Russian cyberspy group known as Fancy Bear, Pawn Storm, APT28, Sofacy, Sednit and Tsar Team. The DSB published its report on the incident in the same month.

The same actor also appears to have targeted Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.

Bellingcat has published numerous articles on the MH17 crash and its reporting has been used in the investigation conducted by the Joint Investigation Team (JIT), which includes members from Australia, Belgium, Malaysia, the Netherlands and Ukraine. Bellingcat founder Eliot Higgins was an official witness in the investigation.

The JIT, which focused on the criminal investigation, published its report on Wednesday, saying that the plane crashed after being hit by a missile brought in from Russia and fired from an area controlled by pro-Russian separatists.

According to threat intelligence firm ThreatConnect, Bellingcat members who covered the crash of flight MH17 had received spear phishing emails between February 2015 and July 2016. The emails, designed to look like they were coming from Google, were similar to the ones described in June by researchers at SecureWorks, who identified thousands of email accounts targeted by Fancy Bear, including ones belonging to journalists.

The attacks aimed at Bellingcat also involved domains and domain registration data that were previously linked to Fancy Bear activity, ThreatConnect said.

In addition to Fancy Bear, Bellingcat has been targeted by CyberBerkut, which claims to be a pro-Russia hacktivist group based in Ukraine. CyberBerkut has taken credit for attacks on Ukrainian, Polish and German government systems.

In February 2015, CyberBerkut breached a Bellingcat contributor’s account and used it to post a story titled “CyberBerkut is already here.” The targeted user was Ruslan Leviev, a Russian opposition blogger and Bellingcat contributor who had covered several Russia-related topics. Leviev said the attackers hijacked his Yandex, LiveJournal and Twitter accounts. The Yandex account was protected with a strong password and two-factor authentication, which led the blogger to believe that the attacker either had direct access to Yandex servers or had knowledge of a zero-day vulnerability.

While it is possible that Leviev was targeted for other Russia-related reporting and the attack carried out by CyberBerkut has nothing to do with Fancy Bear’s interest in the MH17 investigation, ThreatConnect believes a more likely scenario is that the two threat groups are somehow connected.

One possibility is that CyberBerkut targeted Leviev in a more aggressive attack after Fancy Bear’s spear-phishing emails failed. The information used to register CyberBerkut domains also suggests a tie to Fancy Bear.

Furthermore, there is evidence that CyberBerkut is connected to DCLeaks, a Russian-backed influence outlet that has been linked to Guccifer 2.0, the hacker who took credit for the attacks on the U.S. Democratic Party. While Guccifer 2.0 claims to be a hacktivist based in Romania, researchers believe he’s just a persona used by Fancy Bear to throw investigators off track.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
