Russian spies may have backed email phishing campaign in effort to spread disinformation

New evidence of a global espionage campaign involving email phishing attacks and leaked falsified documents emerged on Thursday, with clues suggesting the Russian government might have been involved.

218 email accounts across 39 countries targeted, report by University of Toronto's Citizen Lab finds

A global espionage campaign involving email phishing attacks and leaked falsified documents is detailed in a report released Thursday by the University of Toronto's Citizen Lab. (Lee Jae-Won/Reuters)

New evidence of a global espionage campaign involving email phishing attacks and leaked falsified documents emerged on Thursday, with clues suggesting the Russian government might have been involved.

The targets spanned government, industry, military and civil society groups, each with ties to Russia or Russian interests, a report by the University of Toronto's Citizen Lab suggests.

Although there is no definitive proof of Russia's involvement in the attacks, there is "overlap" with previously reported Russian espionage activities — in particular, the work of a Russia-backed hacking group known as APT-28, or Fancy Bear.

Notably, Citizen Lab's researchers say "an identical approach" to the phishing campaign described in their report was used in a March 2016 attack targeting Hillary Clinton's presidential campaign and the Democratic National Committee.

"While we have no 'smoking gun' that provides definitive proof linking what we discovered to a particular government agency … our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyberespionage," wrote Citizen Lab director Ron Deibert in a blog post.

U.S. reporter's documents leaked, manipulated

The report focuses in part on what the authors have termed "tainted leaks," leaks of stolen documents that are largely authentic but have been manipulated in certain parts to achieve a particular goal — in this case, a political one.

In the incident Citizen Lab examined, documents obtained through a phishing operation in October 2016 that targeted the email account of U.S. journalist David Satter were selectively modified in an apparent attempt to discredit Satter and his work and then posted online. Satter has reported on Russia for decades and was expelled from the country in December 2013.

In unpacking that particular leak, Citizen Lab then identified a further 218 unique email accounts spanning 39 countries that had been targeted using the same phishing method used to fool Satter.

The accounts belong to members of governments — including "a former Russian prime minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, CEOs of energy companies" — but also members of civil society organizations, such as academics, activists, journalists and employees with non-governmental organizations that have been critical of the Russian government or investigated its activities.

The scope of the targets, the report says, "suggests a well-resourced actor, such as a nation state."

Fancy Bear

U.S. intelligence officials believe Russian-backed groups conducted a series of cyberespionage campaigns throughout 2015 and 2016 in an attempt to interfere with and potentially sway the outcome of last year's presidential election.

One group in particular was mentioned frequently in coverage of the attacks: APT-28, sometimes referred to by the nickname Fancy Bear. It is believed that the group is backed by a nation state, if not a nation state itself — namelyRussia

While Citizen Lab's researchers could not make a "conclusive technical link" between their findings and Fancy Bear, they identified a number of similarities with the group's prior attacks.

For example, some of the domain names used in the campaign Citizen Lab studied bear a striking similarity to a Fancy Bear linked phishing operation identified by the cybersecurity research firm Mandiant last year. There are also similarities with the methods used to break into the email account of Clinton's campaign chairman, John Podesta — suggesting, at the  very least, two separate actors are sharing the same code.

Tainted Leaks

Civil society groups are particularly rich targets for cyberespionage campaigns, as they tend to lack the resources of larger or better funded organizations to deal with digital attacks. Of note, the researchers say that 21 per cent of those targeted in the campaign they studied were activists, academics, journalists, and NGOs — the second-largest set after government targets.

"Many of the civil society targets seem to have been singled out for the perception that their actions could pose a threat to the Putin regime," the report said.

In Satter's case, leaked documents were selectively modified in such a way that the majority remained authentic, but misinformation was seeded throughout, in an attempt to lend legitimacy to otherwise false information. The researchers compared Satter's case with that of a prior attack on the grant-making organization Open Society Foundations (OSF).

If the overall goal is just to sow informational chaos, tainted leaks are a good way of doing that.- Seva Gunitsky, political science professor, University of Toronto 

For example, one document was modified "to make Satter appear to be paying Russian journalists and anti-corruption activists to write stories critical of the Russian government," the report said.

In the OSF case, modifications were made to documents detailing a budget and funding strategies to make it appear as if the U.S.-based group was sponsoring Russian opposition leader Alexei Navalny's Foundation for Fighting Corruption.

Earlier this month, falsified documents appeared in a trove of documents taken from staff on French President Emmanuel Macron's election campaign.

Described as "fakes in a forest of facts," the report concludes that such tainted leaks "test the limits of how media, citizen journalism, and social media users handle fact checking and the amplification of enticing but questionable information."

However, University of Toronto political science professor Seva Gunitsky says the practice of tainting leaks with false information could ultimately backfire.

"If they actually discover something politically damaging in a future phishing attack, it will be hard to credibly claim it was a real find," he said. "Of course, if the overall goal is just to sow informational chaos, tainted leaks are a good way of doing that."


Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.