Russian government hackers began targeting a British citizen journalist in February 2015, eight months after he began posting evidence documenting alleged Russian government involvement in the shoot-down of a Malaysian jetliner over Ukraine.
And then in February 2016, a group that researchers suspect is a propaganda mouthpiece of the Russian government — CyberBerkut — defaced the home page of Eliot Higgins’s citizen journalism website, Bellingcat.com.
That same month, CyberBerkut hacked the email, iCloud and social media account of a Bellingcat researcher in Moscow, then posted online personal pictures, a passport scan, his girlfriend’s name and other private details.
Russia’s information operations against Bellingcat are a taste of what may be in store for other media organizations whose reports anger the Kremlin, said a cyber-research firm that has extensively documented the effort.
“If Russia is willing to go to these lengths to compromise a small journalist organization and its contributors, consider what they are willing to do to major news and media outlets that publish similar articles,” said Rich Barger, chief intelligence officer at ThreatConnect, a Northern Virginia-based research firm that analyzed the campaign against Bellingcat in a report released Wednesday. ThreatConnect looked into the matter after being approached by Bellingcat.
The report comes on the same day that a Dutch-led, multinational joint investigative team announced the results of a criminal probe that corroborated Bellingcat’s findings: The airplane was downed by a Russian surface-to-air missile fired from territory held by pro-Moscow separatists.
Russia has denied complicity in the downing.
Malaysia Airlines Flight 17 was destroyed on July 17, 2014, over eastern Ukraine. All 298 passengers and crew members were killed.
Beginning that day and for the next 26 months, Bellingcat published no fewer than 92 posts focused on Russian involvement in the plane’s downing, using open-source information and imagery to prove the presence of Russian military equipment that had been moved into eastern Ukraine despite the Kremlin’s denials.
The Russian harassment and propaganda campaign against Bellingcat, and Higgins in particular, began in February 2015. Bellingcat had completed a report that documented Russian shelling of Ukrainian military positions in eastern Ukraine, which Moscow had denied. The state-run Sputnik website ran an article suggesting that Bellingcat was linked to the CIA.
Beginning that month through July 2016, three Bellingcat researchers, including Higgins, received “spearphishing” emails that were written in a way meant to dupe the recipient into clicking on a link containing malware. Higgins received 16 such emails, which consisted of false Gmail security notices urging the recipient to click a link to review recent suspicious activity.
That technique, Barger said, is consistent with one used by a Russian hacker group dubbed Fancy Bear by some security researchers. The group is run out of the GRU, the military intelligence service, analysts said.
Meanwhile, with every new Bellingcat revelation, Russian propaganda outlets such as Sputnik and RT, formerly Russia Today, produced pieces that called into question the citizen journalists’ work.
In October, for instance, Bellingcat published reports based on the geolocation data of Russian defense ministry videos that showed that Russian airstrikes were destroying positions held by the Free Syrian Army and other rebel groups rather than the Islamic State, as Russia had indicated.
Nearly every day for a week, a new piece emerged on RT or Sputnik attacking Bellingcat. “After the fourth day, I said, ‘This is out of control,’ ” Higgins said. “They’ve gone crazy.”
RT even sent a satirist with a cameraman to find Higgins in his home town of Leicester, England.
The comic Nimrod Kamer wound up reaching Higgins’s mother, who, Higgins said, was “in tears” after being questioned by Kamer about her son. “It was intimidating, given the circumstances,” he said.
Then, in February, CyberBerkut, which describes itself as a group of pro-Russian Ukrainian hacktivists, defaced Bellingcat’s website.
In a blog post, the group also said it had hacked Bellingcat researcher Ruslan Leviev. To gain access to his email inbox, the group hijacked a text message sent to his cellphone that contained a security code, Leviev said.
Barger said he thinks the group gained access to Bellingcat’s website through Leviev’s account.
In July, two days before the second anniversary of the crash, Russian bloggers “trolled” Higgins, publishing more than 30 articles in Russian in 30 hours attacking his credibility and questioning his reporting.
Higgins is “bringing to light the truth behind the 298” people killed, Barger said. “There is an aggressive campaign to undermine those who are shining a light” on the tragedy.
“If you cross Russia, you become a target for Russia,” said Higgins, 37.
But, he added, he thinks the campaign of harassment and hacking may backfire. “It just makes them look insane and makes us look far more credible because they are going at us so hard.”