Russian state-sponsored hackers attacked over 200 Gmail users, including journalists, activists critical of the Kremlin and people connected with the Ukrainian military, as part of a massive espionage and disinformation campaign.
Security experts at Citizen Lab said that the hackers abused Google's own services, and used phishing to gain access to the users' credentials. The attacks were detected last October but the hacking was going on for several months before that.
Security experts stumbled onto the espionage campaign after analysing two phishing emails targeting David Satter, a prominent American journalist and academic, who has also reportedly been banned in Russia since 2014 for his criticism of the Kremlin. The analysis led the researchers to a larger, more elaborate campaign by the hackers.
The emails targeting Satter were sent by the infamous Fancy Bear hacker group, which has previously been linked to the DNC hack and is widely considered to be a part of the Russian intelligence outfit GRU.
The espionage campaign targeted over 200 Gmail users across 39 countries, according to researchers at Citizen Lab. "The list includes a former Russian prime minister, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers, CEOs of energy companies, and members of civil society," Citizen Lab researchers said in a report.
"After government targets, the second largest set (21%) are members of civil society including academics, activists, journalists, and representatives of non-governmental organizations."
Who are the Russian hackers?
Although Citizen Lab researchers could not conclusively link the espionage campaign to a specific Russian government agency, the firm said "there is clear overlap between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors."
Researchers also noted that the hacked and stolen content from Satter's Gmail account was leaked on a blog run by a self-professed Russian hacktivist group called CyberBerkut. Citizen Lab used the term "tainted leaks" to describe how the hackers deliberately spread false information by stealing authentic content and altering it to include fabricated material.
Russia's cyberespionage and its impact on society
Citizen Lab researchers noted that Russia's practice of using "proxy actors in the criminal underworld" dates back to Soviet times. The "guerrilla geopolitics" strategy has also been used in the past. "There is evidence Russian hackers are being given wide latitude to undertake criminal activities as long as it conforms to Russian security agencies' wishes," the researchers said.
Researchers noted that tactics such as inserting falsehoods into legitimate content and then leaking it publicly are a clever way to sow doubt among the public. The motive then amounts to weakening society's trust.