There's evidence the DNC hackers have a history of falsifying information in their hacks before dumping it online

May 27, 2017 22:07 GMT

Hackers from Fancy Bear, the espionage hacker group with Russian ties, reportedly snuck false information in the data trove they leaked from the Democratic National Committee during the American elections. 

According to a report from Citizen Lab, an organization with ties to the University of Toronto, the hackers planted information inside emails belonging to a journalist who's a critic of Putin's regime, which were included in the dump.

Although Citizen Lab says it can't definitively tie Fancy Bear to the tainted leaks, Forbes backs up the connection with evidence it obtained.

"Tainted leaks are the next frontier of disinformation: an attempt to really tamper with the integrity of large sets of information that people will believe to be genuine," points out John Scott-Railton, researcher at Citizen Lab.

How it all started

The investigation started with David Satter, journalist and critic of Putin's way of running a country. Back in October 2016, Satter was the target of an attack from hacktivist group Cyber Berkut, known for its pro-Russian views. A phishing email appearing to be from Google asked Satter to change his password. As soon as he clicked the link in that email and entered his login details, the account was no longer his.

The emails were "selectively modified" by Cyber Berkut before being published online, according to Citizen Lab's report. Thus, the leaks contained both genuine and fabricated content. One of the tampered messages pointed out in the report features a report sent by Satter to the National Endowment for Democracy, a non-profit promoting democracy. The email was changed in a way that makes it appear as if Satter was paying Russian journalists to write articles criticizing the Kremlin.

The original report focused on Radio Liberty, which is a US-government sponsored station that broadcasts news in Russia. The edited version removes mentions of Radio Liberty and replaces them with general statements that make it seem as if the journalist was actually supporting a much larger organization.

"By repeatedly adding his reporting to the document, the tainting creates the appearance of foreign funding for his work," writes Citizen Lab.

The leaks also included a report that hadn't been published at the time. It was written by journalist Elena Vinogradova, and the inclusion of her article before it even went live indicates the hackers were also keeping an eye on her.

The evidence

As mentioned, while Citizen Lab didn't attribute the activity directly to Fancy Bear, Forbes cites multiple cybersecurity experts who confirmed that Cyber Berkut was operating alongside or within the same crew.

One piece of evidence is a web domain used in the attacks covered by Citizen Lab's report - myaccount.google.com-securitysettingpage[.]tk. The same domain was also observed by security firm SecureWorks when investigating other Fancy Bear attacks. Between March 18 and 29, 2016, the Russian group used that domain to create 224 Bitly shortlinks to phish Gmail users. It's also the same domain used in the spear phish that targeted the Clinton campaign staffers.
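The domain above works by placing the real brand name in a subdomain label while the registrable domain is something else entirely. The following is an added example written for this article, not tooling from Citizen Lab, SecureWorks or Forbes; it shows how a defender can flag such lookalike hostnames in URLs or proxy logs. It assumes a simplified registrable-domain rule (last two labels) and uses constructed sample log lines; a production check should use the Public Suffix List.

```python
from urllib.parse import urlparse


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') used when sharing indicators."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def registrable_domain(hostname: str) -> str:
    # Assumption: the last two labels form the registrable domain. This is
    # a simplification; suffixes like co.uk need the Public Suffix List.
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def hostname_of(url_or_host: str) -> str:
    """Extract the hostname from a URL or bare host, refanging first."""
    text = refang(url_or_host.strip())
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_brand_lookalike(url_or_host: str, brand_domain: str) -> bool:
    """True when the hostname mentions brand_domain in its labels but is
    not actually registered under it (e.g. google.com used as a subdomain
    label of an unrelated .tk domain)."""
    host = hostname_of(url_or_host)
    brand = brand_domain.lower()
    if not host:
        return False
    # Genuine: the host is the brand itself or a real subdomain of it.
    if host == brand or host.endswith("." + brand):
        return False
    # Lookalike: brand string present, but registrable domain differs.
    return brand in host and registrable_domain(host) != brand


# Constructed sample proxy-log lines (not from the article):
# timestamp, user, method, URL.
SAMPLE_LOG = """\
2016-03-18T10:01:02Z user1 GET https://myaccount.google.com/security
2016-03-18T10:05:44Z user2 GET http://myaccount.google.com-securitysettingpage.tk/reset
2016-03-18T10:07:13Z user3 GET https://docs.google.com/document/d/abc
"""


def flag_lookalike_lines(log_text: str, brand_domain: str) -> list:
    """Return the log lines whose URL is a lookalike of brand_domain."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        if is_brand_lookalike(parts[3], brand_domain):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for hit in flag_lookalike_lines(SAMPLE_LOG, "google.com"):
        print("lookalike:", hit)
```

The check deliberately treats "host ends with .brand" as genuine and everything else that merely contains the brand string as suspect, which is exactly the shape of the domain quoted above: the brand appears, but the registrable domain is a .tk name.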

Another clue about the link is the fact that the emails sent to Satter looked the same and came from the same address as that used in an attack on contributors for BellingCat, a citizen journalism outlet.

Furthermore, the same link shortening services were used - Tiny.cc and TinyURL.com. Citizen Lab managed to figure out that Tiny.cc created shortened links following a predictable pattern, which allowed them to infer when and how the links were created. That information was used to uncover 218 other targets.

The last link tying Fancy Bear to Cyber Berkut is an email address used to send the phishing emails, which security firm FireEye had previously connected to the Russian group.

Clinton's campaign team had warned earlier that the emails published by WikiLeaks had been tampered with, but no evidence was given to sustain this theory, for obvious reasons. The fact remains that there is evidence the Russian group responsible for the hack has a history of tainting emails before dumping them online.