State hackers organized a phishing attack on journalists from ProtonMail addresses



The Insider and Bellingcat have been the targets of the GRU's most sophisticated phishing attack ever. Together with them, at least ten other journalists and NGO workers from Russia, Europe and the United States were among the targets. The attacks had several waves and began around the end of April 2019.

In early April, the hackers registered 11 domain names to disguise their attacks as ProtonMail. The phishing was confirmed by the administration of the Swiss secure mail service at the end of July this year. According to the service, the attack was unsuccessful thanks to the vigilance of the Bellingcat journalists themselves and of the service, which took a number of measures to neutralize the threat.

Bellingcat and ProtonMail are convinced that Russian hackers and the GRU are behind the phishing attack. The incident was reported to the Swiss computer security agency.

While tracking all the attacks from late April to late July, The Insider and Bellingcat found that they came from several addresses, and that the phishing campaigns used fake alerts on behalf of ProtonMail about suspicious login attempts or account hacking.

In the mail, the sender was usually displayed as support [@] protonmail.ch (a valid ProtonMail address), but the real senders (you can see it, for example, if you click "reply to the letter") were accounts from the free mail service mail.uk - kobi.genobi [@] mail [.] uk and notifysendingservice [@] mail [.] uk.

The text of the phishing emails, both in content and design, was very similar to real ProtonMail warnings and contained a hyperlink, following which the user had to go to the settings in order to change the password and “protect” his account.

ProtonMail management called this the most sophisticated attack the company has had to face. The company also explained that the scripts on the fake domains were synchronized with the real ProtonMail domain, which in theory could allow two-factor authentication to be bypassed (that is, if the user entered the second-factor code on the phishing site, the same code would automatically be entered on the real one). However, it is not known whether the hackers managed to use this technique.

The attempt to mislead the journalists was very convincing, but none of them fell for the bait or gave out their password, said Bellingcat investigative journalist Christo Grozev.

Grozev led the network's investigation into the March 2018 poisoning of former double agent Sergei Skripal in Salisbury. It was Bellingcat journalists who found out the real names of the agents of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly the GRU), Alexander Petrov and Ruslan Boshirov, presumably behind this poisoning.

According to Grozev, "there is no doubt that the military intelligence of the GRU is responsible for the hacker attack." Andy Yen, head of the Swiss provider ProtonMail, agrees with him.
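The two tells the article describes, a displayed sender at protonmail.ch whose Reply-To points at a mail.uk mailbox and a "change your password" link that leads off the real domain, can be checked mechanically. The script below is an added illustration, not code from ProtonMail, Bellingcat or The Insider; the trusted-domain set and the sample message (including its placeholder lookalike host under example.net) are constructed assumptions.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumption: the domains this mailbox trusts as genuine ProtonMail senders.
TRUSTED_DOMAINS = {"protonmail.ch", "protonmail.com", "proton.me"}

# Constructed sample modelled on the alert the article describes: the visible
# sender is support@protonmail.ch, but replies would go to a mail.uk mailbox.
SAMPLE_PHISH = """\
From: ProtonMail Support <support@protonmail.ch>
Reply-To: notifysendingservice@mail.uk
Subject: Suspicious login attempt detected
Content-Type: text/plain; charset=utf-8

We blocked a login from an unknown device. Change your password now:
https://protonmail-settings.example.net/login
"""

def _domain(address):
    """Return the lowercase domain part of an RFC 5322 address, or ''."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()

def _is_trusted(host):
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def phishing_indicators(raw_message):
    """Return a list of indicator strings for a message that claims to come
    from a trusted domain; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    from_domain = _domain(msg.get("From", ""))
    if from_domain not in TRUSTED_DOMAINS:
        return indicators  # not impersonating our trusted sender; out of scope
    reply_domain = _domain(msg.get("Reply-To", ""))
    # Mismatch between the displayed sender and where replies actually go.
    if reply_domain and reply_domain not in TRUSTED_DOMAINS:
        indicators.append("reply-to-mismatch:" + reply_domain)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # Any hyperlink in a "ProtonMail" alert should land on a trusted host.
    for host in re.findall(r"https?://([^/\s\"'<>]+)", text):
        if not _is_trusted(host):
            indicators.append("untrusted-link:" + host.lower())
    return indicators

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH))
```

A Reply-To mismatch alone is not proof of phishing (mailing-list software sets it legitimately), so treat the indicators as triage signals rather than a verdict.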