Earlier this week, investigative journalists at Bellingcat were targeted by a sophisticated phishing attack. As there has been some incorrect reporting about the incident, we are releasing a statement to provide clarification.
On July 24, investigative journalists at Bellingcat, which utilize ProtonMail to secure their communications, were targeted by a sophisticated phishing attack that attempted to steal their credentials to gain access to their ProtonMail accounts. Emails were sent to the targeted users claiming to be from the ProtonMail team, asking the targets to enter their ProtonMail login credentials.
The phishing attack did not succeed because of the vigilance of the targets and certain anti-phishing measures that ProtonMail has put in place due to the increased security needs of many of our users. A phishing attack targets users of a service and does not directly target the service itself. Some articles have incorrectly claimed that ProtonMail was hacked or compromised, but a phishing attack does not imply a compromise of the service in question.
ProtonMail is unique in that attacking ProtonMail does not necessarily compromise user data, due to our usage of end-to-end encryption and zero-access encryption. These technologies ensure that any user emails stored on our servers cannot be decrypted by us (or any third party). Generally speaking, only the owner of the mailbox has the ability to decrypt the mailbox. Consequently, the most practical way to obtain email data from a ProtonMail user’s inbox is by compromising the user, as opposed to trying to compromise the service itself. For this reason, the attackers opted for a phishing campaign that targeted the journalists directly.
Attribution of attacks is very difficult to determine. It is well established that Bellingcat is a frequent target of Russian military intelligence due to their prior activities, which have included linking the downing of flight MH17 to Russian forces, and identifying the Russian GRU agents responsible for the nerve agent attack on the Skripals on UK soil. The resources used in this phishing attack (such as the domain registrars and resellers) are also resources that have been used in the past in other cyberattacks conducted by Fancy Bear (also known as APT28), a Russian cyber espionage group which may be affiliated with the GRU. Thus, while it is not conclusively proven, the evidence (along with independent third-party assessments) seem to suggest an attack of Russian origin. A deeper technical analysis of the attack and its links to the Fancy Bear APT can be found here.
We do know that the attack was highly targeted and specifically went after Bellingcat accounts. We have identified over a dozen fake ProtonMail domains that were registered by the attackers, some of which have not yet been used. The attackers attempted to redirect users to the fake domain mailprotonmail.ch, where a fake ProtonMail site was hosted in an attempt to trick the targets into entering their ProtonMail credentials. The fake domains were also registered through a domain registrar that allows anonymous registrations and bitcoin payments to make the attackers harder to track.
Furthermore, the attackers attempted to exploit an unpatched vulnerability in an open source software that is widely used by email providers in an effort to bypass spam and abuse filters. We were previously aware of this vulnerability and have already been watching it for some time, but we will not disclose it here because the software in question is not developed by ProtonMail, and it has not yet been patched by the software maintainers. This vulnerability, however, is not widely known and indicates a higher level of sophistication on the part of the attackers.
Despite the level of sophistication of the attackers, phishing attacks against ProtonMail users generally fail because all official and/or automated emails from ProtonMail are clearly indicated with a star in the ProtonMail inbox, and there is no way for an attacker to spoof this. This means that it is always possible to tell immediately if an email is fake or not.
Immediately after observing the attack, we contacted registrars and webhosts around the world to ensure that all domains used in the attack are promptly suspended. We also worked with the Swiss Federal Police and MELANI to block the Swiss domain that was used in this attack. At present, there is not an ongoing law enforcement investigation into the incident, but we are of course conducting our own investigation.
Phishing attacks are the most common type of attack attempted against ProtonMail users. User security is our foremost concern, and we are continually enhancing and improving our detection and prevention systems to combat phishing. For more information on phishing attacks and how to prevent them, please refer to this article.
The ProtonMail Team
ProtonMail is the world’s largest secure email service. Founded in Geneva in 2014 by scientists who met at the European Centre for Nuclear Research (CERN), ProtonMail protects over 10 million users, including journalists, activists, doctors, lawyers, businesses, and ordinary citizens who want email that is both safer and more private. Because messages are end-to-end encrypted, we cannot read your emails, sell your data to advertisers or compromise the privacy of your communications. ProtonMail is email as it should be — private and secure.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.