Two Russia-linked threat groups have been targeting citizen journalists investigating Moscow’s involvement in the downing of Malaysia Airlines flight MH17 in July 2014 as it was crossing Ukraine.
In October 2015, Trend Micro reported that the Dutch Safety Board (DSB), which had been investigating the cause of the crash, was targeted by the Russian cyberspy group known variously as Fancy Bear, Pawn Storm, APT28, Sofacy, Sednit and Tsar Team. The DSB published its report on the incident in the same month.
The same actor also appears to have targeted Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.
Bellingcat has published numerous articles on the MH17 crash and its reporting has been used in the investigation conducted by the Joint Investigation Team (JIT), which includes members from Australia, Belgium, Malaysia, the Netherlands and Ukraine. Bellingcat founder Eliot Higgins was an official witness in the investigation.
The JIT, which focused on the criminal investigation, published its report on Wednesday, saying that the plane crashed after being hit by a missile brought in from Russia and fired from an area controlled by pro-Russian separatists.
According to threat intelligence firm ThreatConnect, Bellingcat members who covered the crash of flight MH17 had received spear phishing emails between February 2015 and July 2016. The emails, designed to look like they were coming from Google, were similar to the ones described in June by researchers at SecureWorks, who identified thousands of email accounts targeted by Fancy Bear, including ones belonging to journalists.
The attacks aimed at Bellingcat also involved domains and domain registration data that had previously been linked to Fancy Bear activity, ThreatConnect said.
In addition to Fancy Bear, Bellingcat has been targeted by CyberBerkut, which claims to be a pro-Russia hacktivist group based in Ukraine. CyberBerkut has taken credit for attacks on Ukrainian, Polish and German government systems.
In February 2015, CyberBerkut breached a Bellingcat contributor’s account and used it to post a story titled “CyberBerkut is already here.” The targeted user was Ruslan Leviev, a Russian opposition blogger and Bellingcat contributor who had covered several Russia-related topics. Leviev said the attackers hijacked his Yandex, LiveJournal and Twitter accounts. The Yandex account was protected with a strong password and two-factor authentication, which led the blogger to believe that the attacker either had direct access to Yandex servers or had knowledge of a zero-day vulnerability.
While it is possible that Leviev was targeted for other Russia-related reporting and the attack carried out by CyberBerkut has nothing to do with Fancy Bear’s interest in the MH17 investigation, ThreatConnect believes a more likely scenario is that the two threat groups are somehow connected.
One possibility is that CyberBerkut targeted Leviev in a more aggressive attack after Fancy Bear’s spear-phishing emails failed. The information used to register CyberBerkut domains also suggests a tie to Fancy Bear.
Furthermore, there is evidence that CyberBerkut is connected to DCLeaks, a Russian-backed influence outlet that has been linked to Guccifer 2.0, the hacker who took credit for the attacks on the U.S. Democratic Party. While Guccifer 2.0 claims to be a hacktivist based in Romania, researchers believe he’s just a persona used by Fancy Bear to throw investigators off track.