
Cyber Incident Victim: Proton Technologies AG

Date: Jul 2019

Location: Switzerland

Summary

A sophisticated phishing attack targeted journalists from investigative outlet Bellingcat through their encrypted email accounts with ProtonMail, attempting to steal login credentials via deceptive emails impersonating the provider. Evidence and third-party assessments indicated Russian origin, specifically linking the operation to the GRU military intelligence unit due to its technical sophistication and alignment with prior targeting of researchers investigating Russian activities. Although the highly convincing attempt failed to compromise credentials, the company alerted Swiss authorities, citing the malicious use of .ch domains as a digital crime within Swiss jurisdiction. The incident highlighted risks to secure communication platforms used by sensitive professions, with Bellingcat's work on high-profile cases like the Skripal poisoning and MH17 downing noted as likely motivators.


Description

In July 2019, Swiss-based encrypted email provider ProtonMail reported a sophisticated phishing campaign targeting journalists from the investigative website Bellingcat. The attack involved emails impersonating ProtonMail, sent to Bellingcat reporters between late July and the article's publication date of July 29, asking recipients to disclose their login credentials. According to ProtonMail CEO Andy Yen, this represented one of the most technically advanced phishing operations the company had observed. The campaign specifically focused on journalists who had investigated Russian military intelligence operations, including Bellingcat's work identifying GRU agents involved in the poisoning of former Russian spy Sergei Skripal in the UK. Evidence collected by ProtonMail, along with independent third-party assessments, suggested Russian state involvement in the attack. Bellingcat investigator Christo Grozev stated the operation demonstrated a "quantum leap" in technical sophistication compared to previous GRU activities, though no reporters' credentials were ultimately compromised.


ProtonMail notified Swiss authorities including the Federal Police and MELANI (Switzerland's computer security office) about the incident but had not received confirmation of any official investigation by July 29. The company initiated its own internal investigation into the attack, which exploited Switzerland's .ch domain infrastructure for the phishing operation. Grozev emphasized that Swiss authorities could trace the malicious domain registrants, characterizing the incident as a digital crime occurring within Swiss jurisdiction. While the most concentrated attacks occurred in late July 2019, researchers working on Russia-related investigations reported receiving similar phishing attempts through ProtonMail accounts since April of that year. The incident highlighted ProtonMail's growing use by journalists handling sensitive information due to its end-to-end encryption, though it also demonstrated how threat actors adapted tactics to compromise secure communication channels. Bellingcat's open-source investigations into Russian military activities, including the MH17 downing in Ukraine, established context for the targeting pattern observed in the campaign.
