
Bellingcat journalists targeted by failed phishing attempt - jbegley
https://techcrunch.com/2019/07/27/bellingcat-targeted-failed-phishing-attempt/
======
roywiggins
"The researchers use open-source intelligence and information gathering where
police, law enforcement and intelligence agencies often fail."

Intel agencies may succeed, but they certainly are not shouting their success
to the skies except in rare cases. Open source intelligence gathering isn't
always about one-upping the intelligence agencies! It's about retrieving
information that can inform the public and isn't locked away by intelligence
and political actors.

~~~
londons_explore
Bellingcat to me looks like a way for intelligence agencies to announce their
results to the world without saying how they figured this stuff out.

It's very easy to do this 'open source journalism' if you already have the
answers via an NSA tipoff.

~~~
JetSpiegel
Not sure why the NSA would squander all the positive publicity of identifying
those GRU officers that killed Skripal. OTOH, you could also argue that not
stopping them at the border was a failure.

------
panarky
Statement from ProtonMail: [https://protonmail.com/blog/bellingcat-cyberattack-phishing/](https://protonmail.com/blog/bellingcat-cyberattack-phishing/)

~~~
hannob
There is this interesting part:

> Furthermore, the attackers attempted to exploit an unpatched vulnerability
> in an open source software that is widely used by email providers in an
> effort to bypass spam and abuse filters. We were previously aware of this
> vulnerability and have already been watching it for some time, but we will
> not disclose it here because the software in question is not developed by
> ProtonMail, and it has not yet been patched by the software maintainers.
> This vulnerability, however, is not widely known and indicates a higher
> level of sophistication on the part of the attackers.

So there's a yet unfixed vulnerability, but some email provider knows about it
and also probably some russian spies. Yet protonmail doesn't want to disclose
it. Why do they know about it in the first place? Who else knows about it?

~~~
panarky
The phishing mail spoofed support@protonmail.ch, which should have been caught
by SPF and DMARC.

And protonmail-to-protonmail should be E2E encrypted and authenticated.

Many unanswered questions here about how this got past ProtonMail to users.

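The SPF and DMARC evaluation panarky is referring to, written out as an added example that is not part of the thread and not ProtonMail's code. The DNS TXT records, IP addresses (RFC 5737/3849 documentation ranges) and the example.net attacker domain are all constructed for the demo and are not the real protonmail.ch zone; DKIM verification itself is out of scope, so the function only takes the d= domain of a signature that has already verified, and the organisational-domain helper is a two-label approximation of what a real receiver gets from the Public Suffix List.

```python
import ipaddress

# Constructed DNS answers for the demo (hypothetical zone data, NOT the real
# protonmail.ch records). example.net deliberately publishes nothing, like a
# typical attacker-owned bounce domain.
DNS_TXT = {
    "protonmail.ch": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.org -all",
    "_spf.example.org": "v=spf1 ip6:2001:db8::/32 -all",
    "_dmarc.protonmail.ch": "v=DMARC1; p=reject; aspf=s; adkim=s",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for the connecting IP.
    Supports the mechanisms a small receiver needs: ip4, ip6, include, all."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(value, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def parse_dmarc(domain, dns=DNS_TXT):
    """Return the DMARC tags for `domain` as a dict, or None if unpublished."""
    record = dns.get("_dmarc." + domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Approximation only: real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed."""
    if mode == "s":
        return auth_domain.lower() == header_domain.lower()
    return org_domain(auth_domain) == org_domain(header_domain)


def evaluate_dmarc(header_from, envelope_from, client_ip,
                   dkim_domain=None, dns=DNS_TXT):
    """Return (dmarc_result, disposition). `dkim_domain` is the d= of a
    signature that already verified, or None if the message had none."""
    header_domain = header_from.rsplit("@", 1)[1]
    envelope_domain = envelope_from.rsplit("@", 1)[1]
    policy = parse_dmarc(header_domain, dns)
    if policy is None:
        return "none", "none"
    # SPF only counts for DMARC if it passed AND the MAIL FROM domain aligns
    # with the header From domain; the attacker's own SPF-passing domain
    # does not help them forge support@protonmail.ch.
    spf_ok = (check_spf(envelope_domain, client_ip, dns) == "pass"
              and aligned(envelope_domain, header_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_domain is not None
               and aligned(dkim_domain, header_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


def demo():
    attacker_ip = "198.51.100.7"  # constructed: not an authorised sender
    legit_ip = "192.0.2.10"       # constructed: inside the ip4 mechanism
    return {
        # forged header From, attacker's own bounce domain in MAIL FROM
        "forged_from_own_envelope":
            evaluate_dmarc("support@protonmail.ch", "bounce@example.net", attacker_ip),
        # forged header From AND forged MAIL FROM
        "forged_from_forged_envelope":
            evaluate_dmarc("support@protonmail.ch", "support@protonmail.ch", attacker_ip),
        # genuine sending host, aligned identifiers
        "legit":
            evaluate_dmarc("support@protonmail.ch", "support@protonmail.ch", legit_ip),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: dmarc={result[0]} disposition={result[1]}")
```

Both forged variants end in `("fail", "reject")` and only the aligned, authorised host gets `("pass", "none")`, which is the behaviour the comment above expects of a p=reject domain. What the example cannot tell you is why such a message would still reach users: that depends on the receiving side actually enforcing the disposition, and on whatever filter-bypass the ProtonMail statement declines to describe.
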
~~~
stebann
Nice observation. Maybe the vulnerability is related to spoofing SPF and
other security mechanisms? They should be fixing this by now.

------
ga-vu
ThreatConnect source: [https://threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/](https://threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/)

The article glosses over attack details and mumbles about 'Russia is bad' for
three-quarters of the text

~~~
nkozyra
I don't understand why you take issue with the Russian state/Fancy Bear aspect
of the story. They seem to be addressed in the same spirit in both articles.

~~~
vuln
If you look at the indicators of compromise that law enforcement shared on
Fancy Bear and Grizzly Steppe, you would notice that a large portion of the IP
addresses are tied to VPN providers like Hide My Ass. Attribution is very, very,
very hard.

[https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/](https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/)

------
manjana
The language in the phishing mail comes off as awkward and inauthentic.

~~~
TheOtherHobbes
It's very poor English.

I find it hard to believe that a state actor couldn't put together a spoof
email written in good idiomatic English if it really wanted to.

But from my limited experience of Russian troll farms they seem to be staffed
by younger people who don't respect Westerners and think any action is a bit
of a joke, so attention to detail may not be their main interest.

They're effectively a kind of weaponised Russian version of 4chan, not a
professional intelligence department or PR machine.

~~~
solarkraft
This is interesting. Do you have more information to share about this topic?

------
fibers
s/Bellingcat/SomethingAwful Posters/g

