Date: Sep 2019

Location: United Kingdom

Summary

A phishing site impersonated a news organisation's SecureDrop whistleblower submission platform to harvest sources' SecureDrop codenames. Because the codename is a source's only credential, a stolen one gives the attacker access to that source's past exchanges with journalists and the ability to impersonate the source on the genuine platform. The fraudulent site also distributed a malicious Android application disguised as a privacy tool; the app requested permissions enabling monitoring of calls, texts, location and device activity, and communicated with a command-and-control server already associated with earlier malicious activity. The phishing infrastructure was later taken offline, but any codenames entered on the fake site and any devices that installed the app should be treated as compromised.

CIA Posture: available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors (type and location available to members)

Description

In mid-September 2019, The Guardian's SecureDrop whistleblower submission platform was targeted by a phishing operation designed to break sources' anonymity and capture their credentials. The attack used a replica of The Guardian's legitimate SecureDrop Tor site (the genuine service was hosted at 33y6fjyhs3phzfjj.onion), which darknet researcher Sh1ttyKids discovered over the weekend of 14-15 September. The fraudulent page closely mimicked the authentic interface to trick whistleblowers into entering their SecureDrop codenames. A codename is the only secret a source holds: SecureDrop's source interface has no username and no second factor, so anyone who learns a codename can log in to the legitimate instance as that source, read the journalists' earlier replies, and submit new material in the source's name. The phishing site additionally promoted an Android application falsely advertised as a tool to conceal users' locations. Sh1ttyKids publicly disclosed the phishing operation via Twitter, after which the malicious site went offline; who removed it remained unclear, either The Guardian's security team acting on the notification or the attackers themselves. On the source side the only reliable defence is procedural: take the onion address from the news organisation's own HTTPS landing page, compare it character by character against the address shown in Tor Browser, and never follow an onion link found elsewhere, because a cloned submission page is indistinguishable on sight.


The incident's secondary attack vector was the promoted Android application, which security researcher Robert Baptiste obtained and analysed before it disappeared. Examination showed the app requested an extensive permission set enabling surveillance and device control: monitoring calls, reading messages, tracking location, accessing the camera, manipulating files, and executing commands received remotely. The app connected to a command-and-control server at 213.188.152.96, an address already documented in connection with earlier malicious campaigns. A requested permission alone proves only intent, not use, but the combination of a broad surveillance permission set with a beacon to a known-bad C2 address is the signature of surveillanceware rather than of a privacy tool. A device running this app would have exposed the victim's communications, stored data, and operational activity to the attackers. While the phishing site's takedown stopped further codename harvesting, the residual risk was significant: whistleblowers who entered codenames on the fraudulent site faced identity exposure and interception of their communications, and Android users who installed the app should assume their devices were fully compromised. The Guardian did not publicly disclose whether any sources or devices were confirmed as breached.
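The triage that analysis above describes, reduced to a script, as an added example. This is not Robert Baptiste's tooling and not code from the original page: the Android permission constants are real, but their grouping into capabilities, the sample manifest, and the strings dump are constructed for illustration; the only indicator taken from the incident report is the C2 address 213.188.152.96.

```python
"""Triage an Android app's manifest and string dump for surveillance
capability and a known command-and-control indicator.

Added example for this incident write-up, not the analyst's own tooling.
SAMPLE_MANIFEST and SAMPLE_STRINGS are constructed to mirror the
capabilities described (calls, messages, location, camera, files,
remote commands) and are not the real app's artefacts.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; the grouping by capability is this
# example's own heuristic, not an Android or SecureDrop taxonomy.
SURVEILLANCE_PERMISSIONS = {
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.READ_PHONE_STATE",
              "android.permission.RECORD_AUDIO"},
    "messages": {"android.permission.READ_SMS",
                 "android.permission.RECEIVE_SMS",
                 "android.permission.SEND_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Indicator from the incident report: the app's C2 endpoint.
KNOWN_C2 = {"213.188.152.96"}

# Constructed manifest of a "privacy tool" that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.privacyshield">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Privacy Shield">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed strings dump, of the kind 'strings classes.dex' produces.
SAMPLE_STRINGS = """Lcom/example/privacyshield/Beacon;
http://213.188.152.96/api/register
http://213.188.152.96/api/cmd
/sdcard/DCIM
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def capability_report(manifest_xml):
    """Map each surveillance capability to the requested permissions enabling it."""
    perms = requested_permissions(manifest_xml)
    return {cap: sorted(perms & wanted)
            for cap, wanted in SURVEILLANCE_PERMISSIONS.items()
            if perms & wanted}


def c2_indicators(strings_dump, known=KNOWN_C2):
    """Return IPv4 literals in the dump that match known C2 indicators."""
    return sorted(ip for ip in set(IPV4_RE.findall(strings_dump)) if ip in known)


def triage(manifest_xml, strings_dump):
    """Combine both signals: broad surveillance permissions plus a known C2 hit."""
    caps = capability_report(manifest_xml)
    iocs = c2_indicators(strings_dump)
    # Heuristic threshold: three or more surveillance capabilities and a
    # known-bad network indicator together are treated as surveillanceware.
    verdict = "surveillanceware" if len(caps) >= 3 and iocs else "review"
    return {"capabilities": caps, "c2_matches": iocs, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
```

The manifest is read with the standard library's ElementTree because the Android namespace on `android:name` is the only thing that needs care; on a real APK the manifest must first be decoded from its binary form (for example with apktool) and the strings taken from the decompiled dex rather than from a hand-written dump.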

Sources: 1 source (available to members)