Fancy Bear hackers launch stealth phishing campaign to steal Bellingcat journalists' Gmail passwords
Security experts say that the Russian hackers used Blogspot to hide their malicious credential-stealing links.
Fancy Bear hackers are known to target high-profile journalists, dissidents, think tanks and political activists, among others, as part of their various cyberespionage campaigns. The Russian hackers' latest attack targeted the citizen journalism organisation Bellingcat in a new stealth phishing campaign.
Bellingcat journalists have previously conducted various open-source investigations on Russia-related issues. Fancy Bear first targeted Bellingcat journalists in 2015 and again last year as the journalists probed the mysterious downing of flight MH17.
The campaign was designed to trick Bellingcat journalists into divulging their Gmail credentials. According to security experts at ThreatConnect, who analysed the attack, the Kremlin-linked hackers used new measures to hide their malicious credential-stealing links. This may indicate that the attackers tailored their attack so that the Bellingcat journalists, who are presumably more security-aware than average users, would not become suspicious when clicking on the phishing links.
"Fancy Bear employed a new tactic we hadn't previously seen: using Blogspot-hosted URLs in their spear-phishing email messages. The Blogspot page contained a javascript window location that redirected the visitor to a second URL hosted on a dedicated server," ThreatConnect researchers said in a blog.
Researchers said that by leveraging Blogspot, the hackers were likely able to circumvent security measures that would have normally identified the malicious links. "In this same way, a URL hosted on Google's own systems, in this case, Blogspot, may be more likely to get past spam filters than URLs hosted on a third party IP address or hostname," ThreatConnect researchers added.
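The technique ThreatConnect describes, a page on a trusted blogging host whose only content is a script-driven redirect to a second host, is exactly the kind of thing a mail gateway or link-scanning service can check for before delivering a message. The following is an added example written for this article from a defensive standpoint; it is not code from ThreatConnect, Bellingcat or IBTimes. It parses a fetched page for JavaScript `window.location`/`location.replace` redirects and `meta refresh` tags, resolves the redirect target's hostname, and flags the page when a trusted host bounces visitors to an unrelated host. The sample page and all hostnames are constructed placeholders, and the trusted-host list is an assumption you would tune for your own environment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page on a trusted blogging host whose only job is to
# bounce the visitor to a second host via a script redirect (placeholder URLs).
SAMPLE_PAGE = """<html><head><title>Document</title>
<script>window.location = "http://second-stage.example/login";</script>
</head><body></body></html>"""

# Assumed list of hosts whose URLs would normally sail through a spam filter.
TRUSTED_HOSTS = {"blogspot.com"}

# Script-driven redirect forms: window.location = "...", location.href = "...",
# document.location = "...", location.replace("...").
_REDIRECT_RE = re.compile(
    r"""(?:window\.location(?:\.href)?|document\.location|location\.replace\s*\(|location\.href)"""
    r"""\s*[=(]?\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)


class _RedirectCollector(HTMLParser):
    """Collects inline <script> bodies and <meta http-equiv="refresh"> targets."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "meta":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("http-equiv", "").lower() == "refresh":
                m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
                if m:
                    self.meta_refresh.append(m.group(1).strip("'\""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def extract_redirects(html):
    """Return every redirect target found in the page, in document order."""
    p = _RedirectCollector()
    p.feed(html)
    targets = list(p.meta_refresh)
    for body in p.scripts:
        targets.extend(_REDIRECT_RE.findall(body))
    return targets


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_org(host, trusted):
    """True if host is one of the trusted hosts or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def analyse_page(page_url, html, trusted=TRUSTED_HOSTS):
    """Flag a trusted-host page that immediately redirects off the trusted domain."""
    redirects = extract_redirects(html)
    page_host = host_of(page_url)
    external = [u for u in redirects if host_of(u) and not same_org(host_of(u), trusted)]
    return {
        "page_host": page_host,
        "redirects": redirects,
        "external_redirects": external,
        # The tell-tale pattern: a trusted host used purely as a hop to somewhere else.
        "suspicious": same_org(page_host, trusted) and bool(external),
    }


if __name__ == "__main__":
    # Placeholder page URL; in practice this is the link extracted from the e-mail.
    print(analyse_page("https://example-post.blogspot.com/2017/05/doc.html", SAMPLE_PAGE))
```

The check deliberately treats a redirect to another subdomain of the trusted host as benign, since blogging platforms legitimately move between their own subdomains; only a hop off the platform is flagged. A real deployment would also follow HTTP 3xx responses and re-run the check on the landing page, since a second-stage host can redirect again.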
Fortunately, the phishing links were identified as such by the organisation and shared with ThreatConnect researchers.
According to the researchers, Fancy Bear's recent campaign is also linked to a previous campaign identified by the German domestic intelligence agency (BfV). Last year, the agency accused Russia of having hacked the German parliament, Nato members and the Ukrainian power grid, among others.
It is unclear how the current campaign is linked to BfV's report. It is also unclear whether the hackers were specifically looking to hack into Bellingcat journalists' Google accounts to spy on any current investigations. It remains unknown whether the hackers were successful in stealing any data and/or credentials before the attack was discovered. IBTimes UK has reached out to ThreatConnect for further clarity on the details of the new campaign.
The new phishing campaign indicates that despite widespread awareness of Fancy Bear's activities, the hackers are still actively attacking targets, tailoring new attacks to yield the desired results. The hacker group made headlines last year after being accused of orchestrating the cyberattacks against the Democratic Party during the 2016 US presidential election. Since then, the group has been identified by various security experts as having a hand in multiple cyberespionage campaigns targeting organisations across the globe.