Civil society, hacking and the danger of tainted leaks


Do you know David Satter? He is a high-profile journalist from the US who extensively covered the Soviet Union, Russia and the corruption around Putin and his cronies. As Citizen Lab documented in a recent report, he is the so-called “Patient Zero” in a phishing, hacking and disinformation campaign spanning the globe and targeting politicians, companies and especially civil society, including journalists. All the information gathered here, as well as the explanatory graphics, is courtesy of Citizen Lab, and they deserve the highest praise for such an in-depth report at this critical time.

I decided to summarize the report here on my blog and to give some advice at the end of the post on the importance of cyber security today and on how we, especially journalists, can protect ourselves more effectively.

But first let me explain several of the key words:

Phishing: A tool from the social engineering toolbox, meaning it exploits weaknesses both in current Internet security and in the people using it. Normally a phishing attack arrives as an official-looking e-mail with an embedded link which directs the reader who clicks it to a “fake” webpage that imitates the official page of a bank, mail provider or similar service. There the victim enters sensitive information such as passwords or credit card details, and this data is sent to the hackers who orchestrated the phishing attack. With this information the attackers can steal money, enter the e-mail account or, if they combined the phishing attack with other tools, enter the victim's computer and copy data or record all communication from that device. Phishing is a neologism derived from the term fishing with bait.

Tainted Leaks: Supposed leaks by an unknown actor to the public, aimed at discrediting the person or entity targeted by the leak. The original information is obtained via phishing, hacking or surveillance and then doctored and manufactured to spin in a certain direction. For instance, in leaked e-mails certain key words are removed and other names and persons are inserted into the e-mails to discredit the victim in a certain way. Tainted leaks are often well constructed, almost indistinguishable from “real leaks”, and target specific persons such as journalists and politicians. These leaks show the danger of redistributing leaks without in-depth research into the credibility of the leak and its possible origin, as they can harm victims in a dangerous way and destroy lives. The media business in particular often fails to scrutinize such information – while state-run media actors or internet bots/trolls use this kind of information for their information warfare.

Patient Zero: Normally used in the medical field to indicate the first case of a condition or syndrome (not necessarily contagious) before it spreads through a certain part of the population (be it animals or humans). The term is also used in the cyber security realm to indicate the first infected computer or the first person targeted with a specific tool/virus, often pointing to a larger attack pattern or victim pool.

The Patient Zero

David Satter is a high-profile journalist from the US who became well known for his book Darkness at Dawn, in which he researched the possibility that the 1999 apartment bombings in Russia were carried out by the FSB to justify the second Chechen War and thus helped Putin rise to power. In 2013 Satter was furthermore banned from Russia due to his investigative work as a journalist, and since then he has often been a target of social media campaigns by Russian trolls.

At the beginning of October 2016 Satter received an e-mail notification claiming that his Google account had been compromised and that he therefore had to change his password. One day later a second e-mail arrived with the same disguise. Satter clicked on the link in that second e-mail and was redirected to a webpage that looked like an official Google page but was in fact a “fake webpage” built to harvest his password. He entered his credentials and, as he did not have two-factor authentication activated, his e-mail account was compromised and all his e-mails were downloaded (probably automatically) to a server in Romania; the e-mails from which the phishing attack came were hosted in Russia (at least the first one).


The e-mails were then doctored and edited to fit a narrative depicting Satter as well as key Russian opposition figures as having been sponsored by the US government and US intelligence agencies, and as aiming to topple Putin and stir up a “color revolution” inside Russia. These doctored e-mails and information were then published/leaked by the notorious pro-Russian hacker group CyberBerkut (Berkut is the name of a special police force in Russia). This led to a massive public campaign, spearheaded by Russian state news and spread via the internet by pro-Russian trolls, bots and conspiracy theorists, aiming to discredit Satter, several key Russian opposition activists as well as Radio Liberty.

How do we know that the e-mails and information were doctored? Because David Satter gave Citizen Lab full access to his records and original e-mails, so by comparing the originals with the leaked versions it was easy to find out what CyberBerkut had changed to enhance their narrative.
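As an added illustration (not part of the original post or of Citizen Lab's report), here is how such a comparison can be done mechanically in Python: two constructed texts stand in for an original e-mail and a leaked copy, and the script reports every line and every word that was removed or inserted. The texts, the sign-off and the bracketed sponsor name are invented placeholders.

```python
import difflib

# Constructed sample: a harmless original message and a "leaked" copy into which
# a forger has inserted one sentence and swapped one word. Both texts are invented.
ORIGINAL = """\
Dear colleague,
Thank you for agreeing to speak at our media literacy workshop in November.
We can cover travel and accommodation from the programme budget.
Best regards,
Grants officer
"""

LEAKED = """\
Dear colleague,
Thank you for agreeing to speak at our media literacy workshop in November.
As agreed with [SPONSOR INSERTED BY FORGER], the funds will support the protest campaign.
We can cover travel and accommodation from the government budget.
Best regards,
Grants officer
"""


def normalize(text):
    """Collapse whitespace per line so that re-wrapping or re-encoding of a
    leaked copy does not show up as a change."""
    return [" ".join(line.split()) for line in text.strip().splitlines()]


def changed_regions(original, leaked):
    """Line-level comparison. Returns (tag, original_lines, leaked_lines) for
    every region that differs; tag is 'replace', 'insert' or 'delete'."""
    a, b = normalize(original), normalize(leaked)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [
        (tag, a[i1:i2], b[j1:j2])
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def changed_words(original, leaked):
    """Word-level comparison over the whole text. Returns (removed, added)
    token lists, which pinpoint single-word swaps inside an altered line."""
    a, b = original.split(), leaked.split()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    removed, added = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(a[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(b[j1:j2])
    return removed, added


def unified_report(original, leaked):
    """Human-readable unified diff, the form one would attach to a write-up."""
    return "".join(
        difflib.unified_diff(
            original.splitlines(keepends=True),
            leaked.splitlines(keepends=True),
            fromfile="original", tofile="leaked",
        )
    )


if __name__ == "__main__":
    print(unified_report(ORIGINAL, LEAKED))
    for tag, old, new in changed_regions(ORIGINAL, LEAKED):
        print(tag, "| original:", old, "| leaked:", new)
    removed, added = changed_words(ORIGINAL, LEAKED)
    print("removed words:", removed)
    print("added words:", added)
```

The line-level pass shows where the text was altered; the word-level pass is what catches the quiet one-word swap ("programme" to "government") that changes the meaning of an otherwise genuine sentence. Comparing against the originals this way only works when the victim still has them, which is why keeping your own copies of sent mail matters.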

Attack on Civil Society


In 2015 CyberBerkut had already released similar tainted leaks after they (or their associates) breached the Open Society Foundation (OSF) and made the documents public in November 2015 (this was part of a much larger campaign, labeled the DC leaks). Citizen Lab was able to get hold of the original documents and compared them with the leaked versions. They again display a sophisticated manipulation of key parts of the documents to discredit Russian opposition figures and the OSF. It is important to note that both of these tainted leaks, though spread worldwide, were mainly aimed at the Russian population to enhance Putin's standing and at the same time “destroy” his opponents with disinformation. Some observers even said that if Putin cannot stop people writing critical articles about him and the corruption surrounding his rule, then at least he will “pull everybody” down to the same level – thus negating the ideas of democracy, law and a just society as such. This was a typical propaganda scheme of the Soviet Union to quell internal dissent – showing that all human beings are “similarly bad and corrupt” and that certain words have no meaning at all – and thus pushing the population to opt for the “lesser but stable evil” instead.

But the attack on Satter was only the tip of the iceberg: Citizen Lab managed to find 200 additional targets of the same kind of phishing attack with a similar modus operandi and digital footprint. This means that a vast orchestrated disinformation campaign was and is running, most likely out of Russia. The most worrying part of the findings is that, right after government targets, persons from the civil society sphere, e.g. academics, journalists, lawyers and activists, were the main targets. This shows a shift in state-sponsored hacking, as in the past it was mainly government and industrial facilities that were attacked for cyber espionage. Currently one can observe how crucial the battle for “hearts and minds” is, as well as the battle for control over media narratives, and thus people from the civil society sphere are more likely to be targeted and discredited with the help of tainted leaks.

Implications for the media and cyber security

There are several conclusions to be drawn from the report. First and foremost, journalists and media companies must be far more careful when publishing leaks and/or redistributing such accusations. It is of utmost importance to know the sources and to have digital forensic specialists cross-check the material. Of course this costs money and time, but as the image of the media business has been faltering and under attack for many years, it is money well invested. Freelance investigative journalists should build up their own network of specialists (as the success story of “bellingcat” has shown) to verify images, videos and leaks. If you are not sure whether the material is legitimate, then do not publish it, or try to find confirmation with the help of other, separate sources (as the three-source rule dictates anyway).

For journalists and civil society the implication is to beef up the security measures on all their computers and IoT devices and to learn how to communicate securely and privately. Though Russia and the US got a great deal of media attention in regard to state-sponsored hacking and surveillance in recent months, they are not the only state and non-state actors out there who are willing to break the law to acquire data from their targets. For a recent report on non-state actors' surveillance tactics, read this report from The Intercept on the No-DAPL protests and military-private networks spying on peaceful protesters and journalists.

Here are some basic and easy-to-implement security measures:

  1. Always use two-factor authentication with online services. This means that when a login attempt from an unknown device, location or IP address is recorded, you must additionally confirm that it is you, e.g. with a code from your mobile phone. This adds a layer of security that a stolen password alone cannot get past.
  2. Never type sensitive information into a form on a webpage that has no TLS (formerly SSL) encryption. A TLS/SSL connection is normally shown as a small lock next to the web address in your browser (sometimes additionally highlighted in color). The lock only means the connection is encrypted; it does not prove that the site is the one it claims to be, so it does not stop data theft by sophisticated attackers, but it is nevertheless a good sign for secure communication.
  3. Never use the same password for different accounts, and use passwords that do not follow dictionary words or simple patterns, with a mix of numbers, letters and special characters and a minimum length of eight.
  4. On macOS as well as Windows, switch on the built-in firewall and the built-in disk encryption (both are better than nothing – though there are more sophisticated programs out there to handle this kind of job).
  5. If you use macOS, check out THIS webpage for some good and free security-related applications.
  6. If your e-mail communication includes sensitive material, encryption is a must! Install PGP (or the free GnuPG implementation of the OpenPGP standard) and use it for all your e-mail communication. Even if a security breach occurs, attackers cannot read the encrypted e-mails without your private key.
  7. If you fear surveillance or want a minimal online footprint, then you should try to go “invisible” on the internet. A good starting point for reading up on it is the following excerpt, published on The Wire, from the book “The Art of Invisibility” by the famous hacker Kevin D. Mitnick: LINK
  8. If you get a “fishy” e-mail and you are not sure whether it is legitimate, then check the extended header of the e-mail for additional insights on IP addresses, sender names, servers etc. to clarify whether the e-mail came from a trusted source. There are free online services that analyze the header for you automatically. A short read for starters on e-mail headers: HERE
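To make step 8 concrete, here is an added Python example (not from the original post, and not one of the free online services it mentions) that applies the header checks described above to a constructed message modelled on the "your account was compromised" lure from the Satter case. It walks the Received chain back to the server where the message entered the mail system, compares the visible sender with the envelope sender (Return-Path) and with that originating server, reads the Authentication-Results verdict the receiving server recorded, and checks whether a link's displayed address matches its real target. All hosts, addresses and IPs are invented placeholders from the reserved documentation ranges, the finding codes are my own, and the two-label "registrable domain" helper is a simplifying assumption, good enough here but no replacement for a public-suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "someone has your password" lure described
# in the post. Every host, address and IP is an invented placeholder
# (RFC 5737 documentation ranges), not a real indicator.
PHISHING_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by inbox.example.org with ESMTP id 12345;
    Mon, 3 Oct 2016 09:12:01 +0000
Received: from mail-relay.example.net (unknown [203.0.113.7])
    by mx.example.org with ESMTP id 67890;
    Mon, 3 Oct 2016 09:11:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Google Accounts" <no-reply@accounts.google.com>
To: victim@example.org
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<p>Someone just used your password to sign in. Change it now:</p>
<a href="http://accounts-google.example.net/reset">https://myaccount.google.com/security</a>
"""

# Constructed benign message for comparison: same layout, consistent sender throughout.
CLEAN_EMAIL = """\
Return-Path: <newsletter@example.com>
Received: from mail.example.com (mail.example.com [198.51.100.5])
    by inbox.example.org with ESMTP id 24680;
    Tue, 4 Oct 2016 10:00:00 +0000
Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass
From: Newsletter <newsletter@example.com>
To: victim@example.org
Subject: Weekly digest
Content-Type: text/html; charset=utf-8

<p>This week's stories:</p>
<a href="https://www.example.com/digest">https://www.example.com/digest</a>
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>" as written by common MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?:[^\s\[\]]+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable(host):
    """Crude 'registrable domain' (last two labels). Assumption for this example;
    a real tool would consult the public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def address_domain(header_value):
    """Domain part of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """Parse every Received header; return hops in delivery order (origin first)."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the header for matching
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"from": m.group("helo"), "ip": m.group("ip"), "by": m.group("by")})
    return list(reversed(hops))  # headers are prepended, so the last one is the origin


def analyze(raw):
    """Run the header checks and return the parsed facts plus a list of finding codes."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = address_domain(msg["From"])
    return_path_domain = address_domain(msg["Return-Path"])
    hops = received_chain(msg)
    findings = []
    # 1. The envelope sender should belong to the same domain as the visible From.
    if return_path_domain and registrable(return_path_domain) != registrable(from_domain):
        findings.append("from-vs-return-path")
    # 2. The receiving server's own SPF/DKIM verdict, if it recorded one.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", [])).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("spf-or-dkim-fail")
    # 3. The earliest hop is where the mail entered the mail system; it should fit the sender.
    if hops and registrable(hops[0]["from"]) != registrable(from_domain):
        findings.append("origin-host-vs-from")
    # 4. Link text showing one address while pointing at another is the classic lure.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
            if shown and actual and registrable(shown) != registrable(actual):
                findings.append("link-mismatch")
                break
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_EMAIL), ("clean sample", CLEAN_EMAIL)):
        result = analyze(raw)
        print(label, "-> origin hop:", result["hops"][0], "findings:", result["findings"])
```

None of these checks is proof on its own: mailing-list relays and third-party senders legitimately produce a Return-Path from another domain, and a careful attacker can pass SPF for a domain they control. Read the findings together, and when a message asks you to log in, open the service by typing its address yourself rather than following the link.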

These are of course only the first steps towards securing your devices – there is far more you can do, but that would require an additional article. So if you are unsure about any of these steps and/or need additional screening or input for you and your organization, feel free to contact me at any time.
