Media Releases

Researchers uncover a major disinformation and cyber espionage campaign with Russian connections

May 25, 2017

Toronto, ON – A new report, titled “Tainted Leaks: Disinformation and Phishing with a Russian Nexus,” from the University of Toronto’s Citizen Lab uncovers a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society. The campaign operators have a strong Russian nexus, and their targets include a global list of high profile individuals such as a former Russian prime minister, ambassadors, CEOs, and officials from at least 39 countries, as well as the United Nations and NATO. Many other targets are journalists, academics and other members of civil society.

The campaign is linked to the planting of disinformation within “leaks” of stolen materials, a tactic in which real materials are seeded with carefully constructed fakes designed to achieve a propaganda end. The researchers refer to this tactic as “tainted leaks.”

“Tainted leaks plant fakes in a forest of facts in an attempt to make them credible by association with genuine, stolen documents.” — John Scott-Railton, Senior Researcher, The Citizen Lab, Munk School of Global Affairs

The investigation began with a single targeted phishing operation against journalist David Satter. After successfully tricking Satter, the operators stole his personal information. The information later emerged, with falsehoods added, in a tainted leaks campaign on a Russia-linked website. The tainted leaks were designed to discredit prominent critics of the Russian government, like Alexei Navalny, by falsely indicating they received foreign funding.

In analyzing the technical details associated with the phishing attack on Satter, the researchers were able to determine his targeting was part of a much larger campaign with at least 218 targets. Many of these targets were prominent military and civilian officials, or diplomats, from at least 39 countries, including the United States, Ukraine, Austria, and Turkey. The second largest set of targets (21%) are members of civil society including academics, activists, journalists, and representatives of non-governmental organizations.

“The scope and range of the targets makes it clear that this was a large-scale operation, and would have needed to be supported by substantial analytical resources in order to process the stolen material.” — Adam Hulcoop, Research Fellow, The Citizen Lab, Munk School of Global Affairs

The report illustrates how the twin strategies of phishing and tainted leaks are sometimes used in combination to penetrate civil society targets, and to seed mistrust and disinformation. It also shows how domestic considerations, specifically concerns about discrediting regime critics can motivate espionage operations, including those targeting civil society.

The researchers do not conclusively link the campaign to a particular Russian government entity, however many elements of the campaign overlap with groups previously identified as Russia-affiliated by other reports. This overlap includes operations associated with the successful breach in 2016 of the email account of John Podesta, the former chairman of the 2016 Hillary Clinton presidential campaign.

“The motivations behind Russian cyber espionage are as much about securing Putin’s kleptocracy as they are geopolitical competition. This means journalists, activists, and opposition figures — both domestically and abroad — bear a disproportionate burden of their targeting.” — Ron Deibert, Professor of Political Science and Director of The Citizen Lab, Munk School of Global Affairs

The Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, has extensive experience uncovering global cyber espionage campaigns, dating back to 2009’s “Tracking Ghostnet” report.

Note: The researchers have notified the relevant e-mail service providers and Computer Emergency Response Teams, and are not publishing the names of targets or victims without their consent.


For Media Inquiries:

Dena Allen
Executive Director, Public Affairs and Engagement
Munk School of Global Affairs
University of Toronto
Telephone: +1-416-946-0123
Mobile: +1-416-795-3902

Guide on Citing in Media:

Title: Tainted Leaks: Disinformation and Phishing with a Russian Nexus
Authors: Adam Hulcoop, John Scott-Railton, Peter Tanchak, Matt Brooks, and Ron Deibert
Published by: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication date: 25 May 2017
Report URL:
Hashtag: #taintedleaks