The group, known as COLDRIVER or Callisto, has appeared on TAG’s radar before. However, this is the first time TAG has noticed COLDRIVER leaking private emails and spreading disinformation. The “Very English Coop d’Etat” website contains sensitive and controversial information about the circumstances surrounding the UK’s decision to leave the European Union. At this time, it is unclear how the hackers obtained the emails. However, Google’s threat analysis team and other cybersecurity researchers have pointed out the dangers and complexity of handling a disinformation campaign, especially in the current geopolitical climate.
Details of the Brexit Leak Site
The leak website contains the private emails of various high-profile individuals with a pro-Brexit stance, including Richard Dearlove, the former head of MI6, Gisela Stuart, a former member of Parliament, and Robert Tombs, an eminent historian. At the heart of this controversy are allegations that there was a “deep state” plot to overthrow Theresa May and instate Boris Johnson as Prime Minister. Dearlove, who headed the UK intelligence agency MI6 between 1999 and 2004, is believed to have been one of the chief orchestrators of the secret plan. Both Dearlove and Tombs have said they are aware of the leaked emails and Russia’s involvement. “I am well aware of a Russian operation against a Proton account which contained emails to and from me,” Dearlove told Reuters. He emphasized that the leaked information should be treated with caution, considering the ongoing hostilities between the two nations. The UK has taken a strong stance against Russia’s ongoing military campaign in Ukraine. The country has donated a significant amount of military equipment to Kyiv. In April, Russia banned British Prime Minister Boris Johnson from entering its borders.
Technical Indicators Link Hackers to Leak Website
TAG lifted the lid on COLDRIVER’s credential phishing campaign targeting “government and defense officials, politicians, NGOs and think tanks, and journalists” earlier this month. While this is the first time Google’s threat analysis team has noticed the group carrying out a leak/disinformation campaign, Google TAG director Shane Huntley told Reuters that there are “clear technical links” pointing to COLDRIVER’s involvement. “The “English Coop” website was linked to what the [sic] Google knew as “Cold River,” a Russia-based hacking group. We’re able to see that through technical indicators,” Huntley tweeted.
Previous Email Leak Campaigns
Huntley described the campaign as “clumsy,” adding that it is possible only one ProtonMail account was hacked, resulting in the leaked emails. Thomas Rid, a cybersecurity expert, told Reuters that the “Very English Coop d’Etat” website has some similarities to previous hack-and-leak campaigns by Russian threat actors. This includes two sites that posted leaked emails from the 2016 U.S. Presidential elections. “It looks very familiar in some ways, including the sloppiness,” Rid noted. The UK has faced a similar attack in the recent past. In 2020, reports surfaced that suspected Russian spies stole classified trade documents from Liam Fox, the UK’s former trade minister, after hacking his email. The hackers leaked the documents ahead of the 2019 UK general election. While sensitive email leaks appear to be a common tactic employed by hackers to create disharmony on a bureaucratic level, it can be equally damaging to organizations. If you’re looking for ways to improve email security in your organization, check out our list of the top email service providers in 2022.
