A sophisticated cyber attack was conducted on ProtonMail, one of the most secure email services, aimed at investigative journalists and other experts who are exploring Russian intelligence activities. However, it was effectively stopped, said ProtonMail.
"This was not a hack of ProtonMail itself but a targeted phishing attack against specific users. The attack failed. No data was breached, no accounts were compromised, and ProtonMail's systems remain secure," it said in an email.
No data was breached, and even a highly sophisticated attack by a determined actor "failed", proving that it is far from "easy" to steal data stored in ProtonMail, said the service provider.
The targets of these cybercriminals have apparently shared sensitive information related to their high-profile investigation into the GRU, the intelligence arm of Russia's armed forces, while using Swiss-based ProtonMail, which is an end-to-end encrypted email service.
According to early reports, agents of the GRU have been accused of involvement in the downing of MH17 over Ukraine in 2014 and an attempted assassination of former Russian military intelligence officer Sergei Skripal and his daughter last year in Britain.
"These attacks did not attempt to break ProtonMail encryption. Phishing attacks are commonplace and can happen on any platform. In fact, ProtonMail's advanced anti-phishing tools were part of the reason the attacks failed," said the company, which claimed to have thwarted the attempt immediately.
According to recent updates, the company, which was formed in 2014, is currently helping the Swiss authorities shut down the web domains and has also taken action to block phishing emails. The phishing attack took place on Wednesday, July 24.
Twitter is abuzz with claims and counter-claims.
According to the Financial Times, ProtonMail chief executive Andy Yen, a researcher at CERN, said, "The campaign that came in [on Wednesday] was really in the top 1 or 2 per cent in terms of sophistication."
The cybercriminals knew whom they wanted to go after, and the research conducted by ProtonMail's team has shown that it was a "highly targeted operation," said Yen, adding that the hackers used Swiss domains, registered to mimic ProtonMail's user interface and paid for through intermediaries using untraceable bitcoin transactions.
They then synchronised those fake login portals with the real ProtonMail login process for simultaneous login, tricking the users. The emails sent to the users were also carefully scripted, exploiting a rare unpatched coding bug.
It was also revealed that the phishing attack attempted to steal information from accounts used by members of an investigative journalism website, Bellingcat, and by a corporate intelligence firm whose employees included some ex-intelligence officers and used the emailing platform to share sensitive work while investigating Russia.
Christo Grozev, a security specialist and researcher at Bellingcat, said that the targeting of a particular organisation makes clear that it is linked to the GRU.
"They have been trying to get into our regular email accounts for a long time now. But with ProtonMail it was very odd and unexpected," he added.
Since the account details are known only to a small, close circle of people, Grozev said that someone from their own organisation might have been compromised.