Cyber Incident Victim: Free Press, Fight For the Future
Date: Jul 2017
Location: United States of America
Summary
A spearphishing campaign targeted digital civil liberties activists associated with an internet freedom nonprofit organization, involving nearly 70 credential theft attempts over approximately one month. Attackers focused on compromising business service accounts including Google, Dropbox, and LinkedIn, successfully breaching at least one neglected account which was then leveraged to send additional phishing emails internally. The perpetrators demonstrated high persistence by continuously adapting their tactics after each unsuccessful attempt, refining their targeting methods throughout the campaign. While credential harvesting was confirmed as the primary objective, the ultimate purpose beyond initial access remained unclear despite the attackers' operational sophistication.
Description
Between July 7 and August 8, 2017, a coordinated spearphishing campaign designated "Phish For The Future" targeted employees of digital rights organizations Free Press and Fight For the Future. Attackers conducted nearly 70 credential theft attempts against staff members across both NGOs during this 33-day period. The operation focused on compromising business accounts for services including Google, Dropbox, and LinkedIn through tailored phishing emails. One neglected organizational account with historical access was successfully breached, though its lack of recent activity limited immediate damage. The attackers repurposed this compromised account to distribute additional phishing emails internally, attempting to exploit established trust relationships to penetrate more active or privileged accounts within the organizations.

The threat actors demonstrated significant adaptability throughout the campaign, modifying their phishing techniques after each unsuccessful attempt and refining target selection over time. Forensic analysis confirmed credential theft as the primary objective but could not establish subsequent goals following account compromises. No data exfiltration or secondary attacks stemming from the breach were verified. The persistence of the attacks, coupled with the strategic use of a compromised legacy account to broaden infiltration attempts, indicated a deliberate focus on penetrating these specific internet freedom groups. The campaign's operational security prevented attribution of specific motives or actors behind the phishing attempts despite the high volume of incidents.
