24 Oct 2016
As we all know, WikiLeaks has been publishing embarrassing emails from the inner circle of Hillary Clinton’s presidential campaign, with the most recent coming from the personal email of John Podesta. The US government and security firms all believe it was the work of hackers acting on the orders of the Russian government, but the hack all started with an email in Podesta’s inbox that appeared to be from Google. It was not. After he opened it and clicked on a link it contained, the hackers had complete access to his account.
The hackers, typically referred to as Fancy Bear, left a pretty obvious trail In the Podesta leak and the one published by DC Leaks of Colin Powell’s email that points to the Russian Government. They all were done using fake Gmail messages that contained a malicious link created with a Bitly account controlled by Fancy Bear.
The URL that was shortened by Bitly appeared to be a Google link but hidden inside of it was a series of 30 characters that looked like gibberish. In reality, that gibberish was actually an encoded version of John Podesta’s email address. Between October and May of 2016, Fancy Bear sent out 9,000 similar emails to 4,000 people, all with similar codes tailored to the individual, presumably to keep track of all the different links. Unfortunately for Fancy Bear, he forgot to set his Bitly account to private.
The security firm SecureWorks was keeping tabs on command and control domains used by Fancy Bear which led them to the Bitly accounts and the thousands of URLs they used in their attacks. Thanks to the unsecured Bitly account, SecureWorks was able to see 213 links targeting 108 different email addresses within the Clinton campaign.
That mistake also connected Fancy Bear to other hacks, including the one on Colin Powell. The attacks have not only targeted the US political system, but also Eastern European journalists. One such group of journalists were from Balligcat and had found evidence that Russian-backed rebels had shot down the Malaysian Airlines flight over the Ukraine in 2014. Each of these attacks contained the same hallmarks of using emails appearing to come from Google and having a link with the victim’s email address encoded in it.
All of this clearly points to these attacks being carried out by Fancy Bear, who are known to work for the Russian government. This ultimately this lead to the US government accusing the Russians of being behind these hacks among others. With all the evidence, at this point anyone who still denying Russia’s involvement is for whatever reason just being willfully ignorant.