Attack may be linked to Russian gov’t, ProtonMail claims

Journalists using secure email service ProtonMail to investigate topics related to Russia have been targeted by a “sophisticated phishing attack”, with some hinting at a state-backed operation.

Bellingcat, an investigative journalism website that specializes in the use of open source intelligence (OSINT) techniques, announced on July 24 that some staff members had received attempts to gain access to their email accounts.

The fake emails sent to the journalists purported to come from ProtonMail and asked the recipients to supply their account login details.

No account was compromised via the spoofed emails, ProtonMail later confirmed.

“The phishing attack did not succeed because of the vigilance of the targets and certain anti-phishing measures that ProtonMail has put in place due to the increased security needs of many of our users,” Dr Andy Yen, ProtonMail founder and CEO, said in a press statement on July 27.

“A phishing attack targets users of a service and does not directly target the service itself.

“Some articles have incorrectly claimed that ProtonMail was hacked or compromised, but a phishing attack does not imply a compromise of the service in question.”

APT: Advanced ProtonMail Threat?

ProtonMail said it had identified over a dozen fake ProtonMail domains registered by the attackers, and that certain “resources” used were similar to those seen in operations by Russian APT (Advanced Persistent Threat) groups such as Fancy Bear.

“The attackers attempted to redirect users to the fake domain mailprotonmail.ch, where a fake ProtonMail site was hosted in an attempt to trick the targets into entering their ProtonMail credentials,” Yen said.

“The fake domains were also registered through a domain registrar that allows anonymous registrations and bitcoin payments to make the attackers harder to track.”

Despite these parallels, however, Yen admitted that attribution of the attacks is “very difficult to determine”.
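The lure described above hinges on a lookalike domain: mailprotonmail.ch contains the brand name but is not a ProtonMail domain. The following is an added example (not code from ProtonMail, ThreatConnect, or the original article) of the check a mail filter can run over the links in a message: it reduces each link's hostname to its registrable domain, accepts only an exact match against an allowlist, and flags any other host that merely contains the brand string. The allowlist, the brand tokens, the short public-suffix table and the sample email are assumptions constructed for this example.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed allowlist of genuine ProtonMail domains (constructed for this example).
LEGIT_DOMAINS = {"protonmail.com", "protonmail.ch"}

# Brand strings whose presence in a non-allowlisted hostname marks it as a lookalike.
BRAND_TOKENS = ("protonmail", "proton-mail", "pr0tonmail")

# Simplified public-suffix handling: a hard-coded set of two-label suffixes.
# A production filter should use the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'login.mailprotonmail.ch' -> 'mailprotonmail.ch'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Classify one hostname as 'legit', 'lookalike' or 'other'.

    Only an exact registrable-domain match counts as legitimate; a substring
    match on the brand anywhere else in the host (including subdomains such as
    'protonmail.com.evil.example') is the lookalike signal.
    """
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if any(token in host.lower() for token in BRAND_TOKENS):
        return "lookalike"
    return "other"


def classify_urls(body: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL from a message body and classify its host."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


def is_phishing(body: str) -> bool:
    """True if any link in the body points at a brand lookalike domain."""
    return any(verdict == "lookalike" for _, verdict in classify_urls(body))


# Constructed sample message: one genuine link and two lookalikes.
SAMPLE_EMAIL = """Subject: Action required on your ProtonMail account

Your mailbox is almost full. Review it at https://mail.protonmail.com/inbox

To avoid suspension, confirm your credentials here:
https://mailprotonmail.ch/login

Or use the alternative portal: https://protonmail.com.account-verify.net/login
"""

if __name__ == "__main__":
    for url, verdict in classify_urls(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
    print("phishing:", is_phishing(SAMPLE_EMAIL))
```

The substring check runs over the whole hostname, not just the registrable domain, so a brand name hidden in a subdomain is caught too. It does not cover IDN homoglyph domains (e.g. Cyrillic lookalike characters, which appear as `xn--` labels), which need a separate confusable-character check.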

Zero-day exploit attempts

The email provider confirmed with The Daily Swig that the Swiss Federal Police and the Swiss computer emergency response team plan to take action against the fake domains used in this latest campaign.

It also said that the attackers had attempted to exploit an unpatched and undisclosed vulnerability in third-party software that ProtonMail uses.

“We were previously aware of this vulnerability and have already been watching it for some time, but we will not disclose it here because the software in question is not developed by ProtonMail, and it has not yet been patched by the software maintainers,” Yen said.

“This vulnerability, however, is not widely known and indicates a higher level of sophistication on the part of the attackers.”

For those interested in learning more about this latest campaign, ThreatConnect has published a blog post that provides further technical analysis.

ProtonMail has reiterated its advice to users on phishing threats.

“It is important for users to be vigilant and to be educated about what phishing attacks are so that they can avoid becoming a victim of one,” said Yen.

“ProtonMail also implements a large number of security measures to help flag or block phishing emails so that users can avoid falling for them. That is why in this situation, the attack was ultimately unsuccessful.”


RELATED Secure email provider ProtonMail added to Russia’s block list