Cyber Incident Victim: Linn County

Date: Apr 2022

Location: United Kingdom

Summary

A Russian hacking group known as Cold River was linked to a website publishing leaked private emails from prominent Brexit campaigners, including a former British intelligence chief, a historian, and a campaign chair. Google's Threat Analysis Group identified technical connections between the hacking operations and the leak dissemination, attributing the activity to the Russia-based group. Victims confirmed targeted breaches of ProtonMail accounts and characterized the leaks as Russian disinformation designed to distort political narratives. The incident mirrored previous suspected Kremlin operations involving stolen communications from UK officials, with allegations aiming to frame Brexit supporters as conspirators against government figures. The leaked materials' authenticity remained unverified, though their release aligned with broader patterns of cyber operations targeting geopolitical adversaries.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The incident involving the 'Very English Coop d'Etat' website began with the unauthorized publication of private emails belonging to prominent Brexit supporters, including former MI6 chief Richard Dearlove, historian Robert Tombs, and Vote Leave campaign chair Gisela Stuart. According to Google's Threat Analysis Group director Shane Huntley, technical indicators linked the website to Cold River, a Russia-based hacking group. The leaked correspondence primarily originated from ProtonMail accounts, though the exact method of compromise remained unconfirmed. Victims confirmed they had been targeted by hackers, with Dearlove explicitly attributing the operation to Russian actors while cautioning that the leaked material might be distorted. Tombs similarly characterized the leak as Russian disinformation derived from illegal hacking activities.

The website's operators made unsubstantiated allegations, including claims that Dearlove conspired to oust Prime Minister Theresa May during Brexit negotiations and replace her with Boris Johnson. Dearlove dismissed these assertions as distortions of legitimate lobbying efforts. Impact analysis revealed this marked at least the second instance in three years where suspected Kremlin-affiliated actors leaked stolen UK political communications, following the 2019 theft of classified trade documents from former minister Liam Fox. The UK Foreign Office declined comment on the incident, while Russian diplomatic missions did not respond to inquiries. No containment measures or technical mitigations were disclosed by affected parties or government entities. The leak occurred amid heightened UK-Russia tensions following Johnson's military support for Ukraine, with historical context suggesting a pattern of Russian cyber operations targeting British political processes.
