Kremlin-Linked Hackers Expose a Network of Fake Tech-News Sites
When ‘Anonymous Poland’ hackers went after the Bellingcat collective, they appear to have let slip that LeakData.us and others are part of the misinformation campaign, too.
LeakData.us looks like any other bargain-bin tech-news site, with a smattering of stories on hacking, cybersecurity, and privacy, as well as plenty of stereotypical stock photos. But on closer inspection, the only original content on the site appears to be a series of articles praising hackers previously linked to a Russian military intelligence agency.
Instead of an ordinary blog, LeakData.us is a website intimately connected to an ongoing disinformation campaign against Bellingcat, a group of fact-checkers and citizen journalists that, through its investigations, has repeatedly irked the Kremlin.
As The Daily Beast reported this month, a dubious hacker group calling itself Anonymous Poland put online an alleged cache of personal data belonging to Ukrainian veterans. Anonymous Poland, which cybersecurity researchers have previously linked to the Russian hacking group APT28 (the outfit that infamously breached the Democratic National Committee), claimed in a series of tweets that the data came from Bellingcat, the online collective that has repeatedly exposed Russian government lies. A swarm of apparently related accounts also impersonated Bellingcat contributors, continued to spread the data, and even tweeted the cache at journalists, presumably in an attempt to garner media attention and smear the group’s image.
Since then, Anonymous Poland has ramped up its campaign against Bellingcat and released more data—but it also exposed the connected LeakData.us website in the process.
Last week, one Twitter account unconvincingly pretending to be Bellingcat co-founder Eliot Higgins tweeted a LeakData.us article entitled “Lithuanian Banks Black Friday.” Anonymous Poland had published a list of alleged credit-card details from a Lithuanian bank, and again credited Bellingcat for the hack. LeakData’s poorly sourced but flattering article about the hackers said the banks had “suffered huge losses during a well-planned and highly effective hacking attack.”
A follow-up LeakData.us article published Tuesday repeated much of the news, including that Anonymous Poland had also recorded a video announcing it had made bomb threats against the banks.
These stories were not accurate, however, said Ieva Kulvinskaitė, head of communications at SEB, one of the Lithuanian banks.
“It is ‘fake news’ that someone is spreading intentionally,” she told The Daily Beast. “Our clients’ data is safe and secure; there are no real credit-card data in the mentioned database. Moreover, [SEB Lithuania] have not received any bomb threat phone calls or suffered system disturbances on Black Friday. Our business is stable and services are provided as usual for our customers.”
Crucially, these two LeakData.us articles are seemingly the only original posts on the website, despite LeakData.us being active and publishing news pieces for months. Higgins, who helped The Daily Beast research LeakData.us, discovered that other articles were ripped off, sometimes verbatim and in other instances with minor tweaks, from legitimate tech blogs and news sites. The Daily Beast found that the “about” section on LeakData.us was lifted nearly word-for-word from another hacking-focused blog.
According to a Twitter search at the time of the Lithuanian bank dump, the account impersonating Higgins was the only Twitter user to share the first LeakData.us article.
LeakData’s site just gets more suspicious. Some of the author photographs are copied from elsewhere: a portrait of Freddie Farrell, who is said to be LeakData’s editor, actually shows an associate director in IT from the University of Florida, according to a Google reverse-image search. The site’s Twitter account only started posting about hacking news in January of this year; before then, it tweeted in a mixture of Spanish and English, and shared generic viral videos, suggesting the account was hijacked at some point, according to an archive of LeakData’s tweets created by The Daily Beast. Twitter has since suspended LeakData’s account altogether.
LeakData did not respond to multiple requests for comment sent to a number of email addresses linked to the site.
Another clue on LeakData points to a second connected dodgy news site. In one LeakData article, which is copied in part from a piece on a real tech blog, the author writes that a publication called “Cyber-USA” interviewed a group of hackers. That tidbit leads to cyber-usa.com, which is startlingly similar to LeakData.us in presentation and content. Again, many of the articles have been stolen from other sites, except one talking about Anonymous Poland’s escapades. According to online records, both the LeakData.us and cyber-usa.com domains were registered within days of each other.
LeakData.us does not appear to be a financially driven website, designed to pull in clicks and ad revenue. The site’s posts are sporadic, sometimes with long gaps in between short spasms of articles, and as Higgins noted, the articles are seemingly not shared on social media, bar the tweets from one Anonymous Poland-linked account.
All of this leaves the exact motivation of LeakData.us unclear.
“Apart from two articles linking hacking to Bellingcat, the rest of the sites’ content appears to be stolen from other websites, and this has been something they’ve done for over a year. However, the earlier articles don’t appear to have been shared on social media, so what is the purpose of creating a site like this? Maybe an attempt to lend legitimacy to fake articles the creators had planned to publish at some point,” Higgins told The Daily Beast. This lines up with Anonymous Poland’s strategy on Twitter: Several accounts pushing the allegedly hacked data tried to masquerade as journalists, including a reporter at The Economist.
Using the moniker Anonymous Poland is significant though. As Thomas Rid, professor of strategic studies at Johns Hopkins University, previously told The Daily Beast during the earlier phase of the disinformation campaign, “Bellingcat has been targeted by APT28 for a while, and the researchers know it. Using the already APT28-linked ‘Anonymous Poland’ moniker enables sending a hidden message of intimidation on a public channel: Bellingcat gets the message; but most people won’t. And most journalists and researchers likely won’t comment because the evidence is too flimsy.”
APT28 has previously pulled the stunt of adopting a name that investigators have already linked to the hacking group. After a cybersecurity firm dubbed the unit “Fancy Bear,” the group dumped stolen data from the World Anti-Doping Association (WADA), and explicitly referred to itself as The Fancy Bears Hack Team.
Beyond the dodgy websites, Anonymous Poland’s disinformation campaign has also ballooned on Twitter. After this reporter archived a copy of Anonymous Poland’s bomb-threat video and tweeted it, the video was retweeted by 15,000 users, the vast majority of which were likely automated accounts. Many used Twitter’s default avatar, and others had all retweeted other identical tweets in the past, suggesting they were somehow coordinated.
“Work with us and Bellingcat? Against Russia,” Anonymous Poland recently asked this reporter in a direct message, before Twitter suspended the account.