"The more layers you have, the more flexible you can be." This modularity is likely by design so that the operator can change up the individual components, servers, redirectors, etc., and only abandon the pieces that are burned," he said in an online chat. "The construction of the shortcodes pointing to TinyURL shortcodes, which ultimately point to phishing sites on different servers.
So, as Hulcoop put it, they need a modular phishing infrastructure where every element can be modified if needed, as "an insurance policy of sorts" and they use third party services "to try and balance the need for OpSec with the ability to operate at scale." One explanation could be that their phishing campaigns are highly automated, given that they target thousands of people. It's impossible to know why the hackers keep relying on services like Bitly or, which end up exposing some of their operations-although months later. That pattern, as research fellow Adam Hulcoop explained to me, "was chronological." So, starting from the links sent to Satter, the researchers were able to guess other links created around the same time. Similarly, in this case Citizen Lab researchers were able to identify the victims by figuring out that there was a pattern behind how creates short URLs.
Some of those used Bitly URLs that, as it turned out, could be decoded to figure out who they were intended to.Īn analysis of the Bitly link used to phish John Podesta (Image: Thomas Rid/Twitter) And, sometimes, those URL shorteners betray them and end up revealing who they targeted.īetween March 2015 and May 2016, as part of their operation to hack Clinton's campaign chairman John Podesta, and former National Security Advisor Colin Powell, the hackers targeted more than 6,000 people with more than 19,000 phishing links. The Fancy Bear hackers are known to use popular services like URL shorteners in their high-profile hacking operations.
But the researchers said that perhaps the hackers were embedding them in phishing emails, and the fact that they were hosted on Google Plus perhaps helped thwart Gmail's security controls. It's unclear what the hackers used these for, or if they used them at all. That address had a Google Plus page filled with images that appear in real, legitimate Gmail security alerts. And another domain used in the October attacks exposed by Citizen Lab was also previously linked to Fancy Bear, according to SecureWorks, which tracked the phishing campaign against the DNC and the Clinton campaign.Ĭuriously, the email targeting Satter came just a few days before Google warned some Russian journalists and activists that "government-backed attackers" were trying to hack them using malicious links.Ī screenshot of the Google Plus page of an account researchers believe was controlled by Fancy Bear (Image: Citizen Lab). "It's a percentage game, you may not get every person you phish but you'll get a percentage."Īccording to Citizen Lab, who doesn't directly point the finger at Fancy Bear, the email was actually sent by That address was used in 2015 by Fancy Bear to register a domain, according to security firm ThreatConnect. Using Google's own redirect service was also perhaps also a way to get the phishing email past Gmail's automated filters against spam and malicious messages. So if the victim had quickly hovered over the button to inspect the link, they would have seen a URL that starts with /amp, which seems safe, and it's followed by a URL, which the user might not have noticed. "It's a percentage game, you may not get every person you phish but you'll get a percentage," John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard.