• by Ray Schultz , July 28, 2019

ProtonMail, an email service based in Switzerland, has been targeted in a sophisticated cyber attack aimed at journalists investigating Russian intelligence activities, the company says.

The target was Bellingcat, an open-source investigative website that has been probing the involvement of Russia and its GRU intelligence service in the downing of flight MH17 over Ukraine in 2014.   

On Saturday, ProtonMail posted a blog saying that these attempts have failed, and that reports stating that ProtonMail itself had been hacked were inaccurate. 

“A phishing attack targets users of a service and does not directly target the service itself,” it says.

Generally, such attempts fail because all automated emails from ProtonMail “are clearly indicated with a star in the ProtonMail inbox, and there is no way for an attacker to spoof this,” the blog claims.

According to the blog, the attackers sent emails to targeted users saying they were from ProtonMail, and asking for their login credentials. The purpose apparently was to gain access to their ProtonMail accounts.

The blog continues that “Bellingcat is a frequent target of Russian military intelligence due to their prior activities, which have included linking the downing of flight MH17 to Russian forces, and identifying the Russian GRU agents responsible for the nerve agent attack on the Skripals on UK soil.”  

While it is not absolutely proven, “the evidence (including third-party assessments) seem to suggest an attack of Russian origin,” it adds.

The resources used in the attack have also been utilized in “other cyberattacks conducted by Fancy Bear (also known as APT28), a Russian cyber espionage group which may be affiliated with the GRU,” the blog charges.

Whatever the source, “the attack was highly targeted and specifically went after Bellingcat accounts,” the blog states. “We have identified a dozen fake ProtonMail domains that were registered by the attackers, some of which have not yet been used.”

ProtonMail  continues that “the attackers attempted to exploit an unpatched vulnerability in an open source software that is widely used by email providers in an effort to bypass spam and abuse filters."

The company was previously aware of this vulnerability, it says.

Financial Times reported on Saturday that the false domains were paid for by intermediaries using untraceable bitcoin transactions, and that the goal was to trick ProtonMail users into surrendering their two-factor authentication codes. Bellingcat uses ProtonMail for “sensitive work investigating Russia,” it adds.