A hacking campaign using “tainted leaks” targets opponents of the Kremlin. (Sergei Karpukhin/Reuters)

Researchers have discovered an extensive international hacking campaign that steals documents from its targets, carefully modifies them and repackages them as disinformation aimed at undermining civil society and democratic institutions, according to a study released Thursday.

The investigators say the campaign shows clear signs of a Russian link.

Although the study by the Citizen Lab at the Munk School of Global Affairs at the University of Toronto does not demonstrate a direct tie to the Kremlin, it suggests that the attackers are aiming to discredit the Kremlin’s opponents. The report also demonstrates overlap with cyberattacks used in the U.S. and French presidential elections, which American and European intelligence agencies and cybersecurity companies have attributed to hacking groups affiliated with the Russian government.

The campaign has targeted more than 200 government officials, military leaders and diplomats from 39 countries, as well as journalists, activists, a former Russian prime minister and a prominent critic of President Vladi­mir Putin, according to the report. The attackers seek to hack into email accounts using phishing techniques, steal documents and slightly alter them while retaining the appearance of authenticity. These forgeries, which the researchers have dubbed “tainted leaks,” are then released along with unaltered documents and publicized as legitimate leaks.

“Tainted leaks plant fakes in a forest of facts in an attempt to make them credible by association with genuine, stolen documents,” said John Scott-Railton, a senior researcher at the Citizen Lab. “Tainted leaks are a clever and concerning tool for spreading falsehoods. We expect to see many more of them in the future.”

(Citizen Lab at the Munk School of Global Affairs at the University of Toronto)

The study details the hack in October of the email log-in details of David Satter, a renowned Kremlin critic who in 2016 published a book that links Putin’s rise to power with a series of deadly apartment bombings in Russia in 1999.

Hackers were able to access Satter’s emails when he clicked on what appeared to be a legitimate link, an attack that the study found to be technically similar to the 2016 breach of the email account of John Podesta, Hillary Clinton’s campaign chairman.

U.S. intelligence agencies concluded that Russian intelligence agencies carried out hacks against the Democratic Party on Putin’s orders, which the Kremlin has repeatedly denied

In studying Satter’s case, the Citizen Lab investigators developed a technique to identify the other phishing links that were being sent as part of the same operation.

The study describes how the pro-Russian hacking group ­CyberBerkut posted Satter’s emails, some of them carefully altered to create a false narrative of a U.S. government plot to plant negative articles about Putin’s regime in the Russian media. These forgeries were then reported by Russia’s state news agency as evidence of a CIA plot to support a “color revolution” in Russia.

The narrative supports a consistent theme of pro-Putin media: that Russia suffers not because of its leadership’s refusal to loosen its grip on power, but because of constant meddling in Russian affairs by the United States and its European proxies.

“The motivations behind Russian cyberespionage are as much about securing Putin’s kleptocracy as they are geopolitical competition,” said Ronald Deibert, professor of political science and director of the Citizen Lab. “This means journalists, activists and opposition figures — both domestically and abroad — bear a disproportionate burden of their targeting.” 

Mark Galeotti, who studies Russia’s power structures as a senior research fellow at the Institute of International Relations Prague, called the use of tainted leaks “a step forward in Russia’s use of hacking as a weapon of political subversion.”

“In the case of the [Democratic National Committee] hacks, they leaked secret but real messages,” Galeotti said.

Galeotti said that “tainted leaks” are more likely to be used for domestic consumption, where the Kremlin is starting to feel the pressure from scattered, grass-roots protests, epitomized by the anti-corruption campaign of Alexei Navalny.

“While we’re not talking about the kind of critical mass likely to pose a challenge to Putin’s carefully orchestrated reelection in 2018, there is clearly a growing, generalized dissatisfaction across the country,” Galeotti said. “The attempts to paint Navalny and other critics as pawns of Western subversion suggest a degree of worry, even desperation.”