Media Releases

Researchers uncover a major disinformation and cyber espionage campaign with Russian connections

May 25, 2017

Toron­to, ON – A new report, titled “Taint­ed Leaks: Dis­in­for­ma­tion and Phish­ing with a Russ­ian Nexus,” from the Uni­ver­si­ty of Toronto’s Cit­i­zen Lab uncov­ers a major dis­in­for­ma­tion and cyber espi­onage cam­paign with hun­dreds of tar­gets in gov­ern­ment, indus­try, mil­i­tary and civ­il soci­ety. The cam­paign oper­a­tors have a strong Russ­ian nexus, and their tar­gets include a glob­al list of high pro­file indi­vid­u­als such as a for­mer Russ­ian prime min­is­ter, ambas­sadors, CEOs, and offi­cials from at least 39 coun­tries, as well as the Unit­ed Nations and NATO. Many oth­er tar­gets are jour­nal­ists, aca­d­e­mics and oth­er mem­bers of civ­il soci­ety.

The cam­paign is linked to the plant­i­ng of dis­in­for­ma­tion with­in “leaks” of stolen mate­ri­als, a tac­tic in which real mate­ri­als are seed­ed with care­ful­ly con­struct­ed fakes designed to achieve a pro­pa­gan­da end. The researchers refer to this tac­tic as “taint­ed leaks.”

“Taint­ed leaks plant fakes in a for­est of facts in an attempt to make them cred­i­ble by asso­ci­a­tion with gen­uine, stolen doc­u­ments.” — John Scott-Rail­ton, Senior Researcher, The Cit­i­zen Lab, Munk School of Glob­al Affairs

The inves­ti­ga­tion began with a sin­gle tar­get­ed phish­ing oper­a­tion against jour­nal­ist David Sat­ter. After suc­cess­ful­ly trick­ing Sat­ter, the oper­a­tors stole his per­son­al infor­ma­tion. The infor­ma­tion lat­er emerged, with false­hoods added, in a taint­ed leaks cam­paign on a Rus­sia-linked web­site. The taint­ed leaks were designed to dis­cred­it promi­nent crit­ics of the Russ­ian gov­ern­ment, like Alex­ei Naval­ny, by false­ly indi­cat­ing they received for­eign fund­ing.

In ana­lyz­ing the tech­ni­cal details asso­ci­at­ed with the phish­ing attack on Sat­ter, the researchers were able to deter­mine his tar­get­ing was part of a much larg­er cam­paign with at least 218 tar­gets. Many of these tar­gets were promi­nent mil­i­tary and civil­ian offi­cials, or diplo­mats, from at least 39 coun­tries, includ­ing the Unit­ed States, Ukraine, Aus­tria, and Turkey. The sec­ond largest set of tar­gets (21%) are mem­bers of civ­il soci­ety includ­ing aca­d­e­mics, activists, jour­nal­ists, and rep­re­sen­ta­tives of non-gov­ern­men­tal orga­ni­za­tions.

“The scope and range of the tar­gets makes it clear that this was a large-scale oper­a­tion, and would have need­ed to be sup­port­ed by sub­stan­tial ana­lyt­i­cal resources in order to process the stolen mate­r­i­al.” — Adam Hul­coop, Research Fel­low, The Cit­i­zen Lab, Munk School of Glob­al Affairs

The report illus­trates how the twin strate­gies of phish­ing and taint­ed leaks are some­times used in com­bi­na­tion to pen­e­trate civ­il soci­ety tar­gets, and to seed mis­trust and dis­in­for­ma­tion. It also shows how domes­tic con­sid­er­a­tions, specif­i­cal­ly con­cerns about dis­cred­it­ing regime crit­ics can moti­vate espi­onage oper­a­tions, includ­ing those tar­get­ing civ­il soci­ety.

The researchers do not con­clu­sive­ly link the cam­paign to a par­tic­u­lar Russ­ian gov­ern­ment enti­ty, how­ev­er many ele­ments of the cam­paign over­lap with groups pre­vi­ous­ly iden­ti­fied as Rus­sia-affil­i­at­ed by oth­er reports. This over­lap includes oper­a­tions asso­ci­at­ed with the suc­cess­ful breach in 2016 of the email account of John Podes­ta, the for­mer chair­man of the 2016 Hillary Clin­ton pres­i­den­tial cam­paign.

“The moti­va­tions behind Russ­ian cyber espi­onage are as much about secur­ing Putin’s klep­toc­ra­cy as they are geopo­lit­i­cal com­pe­ti­tion. This means jour­nal­ists, activists, and oppo­si­tion fig­ures — both domes­ti­cal­ly and abroad — bear a dis­pro­por­tion­ate bur­den of their tar­get­ing.” — Ron Deib­ert, Pro­fes­sor of Polit­i­cal Sci­ence and Direc­tor of The Cit­i­zen Lab, Munk School of Glob­al Affairs

The Cit­i­zen Lab, based at the Uni­ver­si­ty of Toronto’s Munk School of Glob­al Affairs, has exten­sive expe­ri­ence uncov­er­ing glob­al cyber espi­onage cam­paigns, dat­ing back to 2009’s “Track­ing Ghost­net” report.

Note: The researchers have noti­fied the rel­e­vant e‑mail ser­vice providers and Com­put­er Emer­gency Response Teams, and are not pub­lish­ing the names of tar­gets or vic­tims with­out their con­sent.


For Media Inquiries:

Dena Allen
Exec­u­tive Direc­tor, Pub­lic Affairs and Engage­ment
Munk School of Glob­al Affairs
Uni­ver­si­ty of Toron­to
Tele­phone: +1–416-946‑0123
Mobile: +1–416-795‑3902

Guide on Cit­ing in Media:

Title: Taint­ed Leaks: Dis­in­for­ma­tion and Phish­ing with a Russ­ian Nexus
Authors: Adam Hul­coop, John Scott-Rail­ton, Peter Tan­chak, Matt Brooks, and Ron Deib­ert
Pub­lished by: The Cit­i­zen Lab, Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to
Pub­li­ca­tion date: 25 May 2017
Report URL:
Hash­tag: #taint­edleaks