A Russian cyber attack group has been targeting politicians, journalists, and military and intelligence officials across Britain and Europe for at least seven years, and may have stockpiled access to and data from target computers and phones for future operations, according to data analysed by Computer Weekly.
The group’s greatest success to date has been to publicly compromise emails and documents from Richard Dearlove, a top British spy chief and former head of MI6, as well as over 60 others in a secretive network of right-wing activists set up in 1988 to campaign for extreme separation of Britain from the European Union. Dearlove was chief of the UK Secret Intelligence Service (SIS) from 1999 to 2004, holding the post immortalised in James Bond films and fiction as “M” – although in real life the role is known as “C”.
Soon after the Iraq war, Dearlove left SIS to become master of Pembroke College Cambridge. In August 2018, after leaving Cambridge, Dearlove joined with retired history academic Professor Gwythian Prins to launch a covert operation called Operation Surprise. The declared goal of Operation Surprise was to create a “Continuity Leave vehicle” to “block any deal” negotiated by then Prime Minister Teresa May.
The group’s “political aims” included, “if necessary, to remove this Prime Minister and replace with one fit for purpose”, and “in due course, to cleanse the polluted civil service from top to bottom”.
Each page of Prins’s plan, which was among the thousands of leaked emails and documents, was watermarked “top secret” in red capital letters, as if classified as a genuine government plan. The final page, wrote Prins, was “super top secret” because it listed the “Op Surprise” top team and identified the people they wanted to recruit.
Besides Dearlove and Prins, and Gisela Stuart, a former Labour MP who supported Boris Johnson over Brexit, as chair, the team that were going to “save” Britain were retired Cambridge history professor Robert Tombs, Vote Leave organiser Matthew Elliott, Lawyers for Britain organiser Martin Howe KC, and Robert Salisbury, the Marquis of Salisbury.
Dearlove’s emails and files were among 22,002 harvested from encrypted Protonmail accounts and made available on an anonymously registered website called Sneakystrawhead, which first appeared on the internet on 20 April 2022. It consists of one page featuring images, a short article, and selected document extracts. The full emails were published as 12 compressed zip files on two separate internet storage sites.
Computer Weekly downloaded the files as soon as they were identified, checked for malware, and has loaded all the mails, files and metadata to free text and structured query systems for full analysis and future projects.
Included in the leaked documents were 871 emails and files sent and received by Dearlove between 2018 and 2022, revealing his contacts and emails with over 400 government, military, intelligence and political officials. These included former chief of defence staff Lord Guthrie and Falklands War commander Brigadier Julian Thompson. Several former senior SIS officers are named in the emails, as are politicians including Gisela Stuart, Steve Baker, MP, and Jacob Rees-Mogg, MP.
Dearlove was the highest profile and most important target for any Russian-backed hacking group. At MI6, he presided over intelligence operations in the run-up to the Iraq war, when the agency produced intelligence reports that were used by the government to justify its support for the war against Saddam Hussein.
The subsequent Chilcot report into the Iraq war found that government references to intelligence about weapons of mass destruction were over-certain and did not adequately stress uncertainties. According to Chilcot, “Personal intervention [by Dearlove] and its urgency gave added weight to a report that had not been properly evaluated and would have coloured the perception of ministers and senior officials”.
Revenge for Johnson’s support for Ukraine
Dearlove told Computer Weekly that he did not have anything to add to statements he had already made or published himself. “You would also be wise to treat the Proton email content and the interpretation of it with caution. Both are subject to Russian manipulation,” he said.
Asked if he had any specific comments on the authenticity or factual accuracy of specific emails and documents hacked from his Protonmail accounts and reported here, Dearlove did not respond, saying only that interpretation of the material was “misplaced or simply incorrect”.
Professor Prins confirmed that he had been a victim of a “hack and leak” attack by the Russian FSB (Federal Security Service). The attack, he said, was a “serious criminal offence … I cannot comment”. He urged Computer Weekly to “continue to probe the technical nature of Russian cyber warfare”.
The presumed Russian website framed the documents as representing a conspiracy for a “Very English Coup d’Etat” intended to get Boris Johnson into Downing Street. “What would you say if they tell you that the country you live in is governed by the coup plotters?” it asked, adding that “hoaxers control their puppet – sneaky strawhead”.
The name was a derisive dig at Johnson – and pointed clearly to why Russian intelligence would suddenly reveal its cyber successes.
Ten days before the hacking operation, on 10 April 2022, Johnson had suddenly left London to appear on a televised walkabout in Kyiv with Ukraine President Volodymyr Zelensky. The Kremlin secretariat and spokespersons expressed fury. Previously the recipient of funding and largesse from government-linked Russian nationals, Johnson was now a demon figure, who immediately became actively and soon literally persona non grata in Moscow and banned from Russia.
The speed with which Russian intelligence apparatus were then able to assemble, curate, present and publish the hacked material to attack Johnson strongly suggests that hacking political figures in the UK did not start after his unwelcome (to Moscow) jaunt to Kyiv.
The leak website was not publicised or reported for over six weeks. There is evidence that it was promoted on Reddit, but then failed to get traction or attention. The Reddit post was deleted. On 15 May 2022, the story of the hack and leak was scooped on Grayzone, a US website that, according to Wikipedia, published “pro-Russian propaganda during the Russian invasion of Ukraine”.
Kit Klarenberg, the author, worked until 2019 for Russia Today’s radio outlet Sputnik. Klarenberg said he was not told about the Russian Sneakystrawhead website when writing his story, or even afterwards. He said the email copies and files he used in his Grayzone article were passed to him anonymously over cloud sites. He said his report initially had little impact or perceived credibility because of Grayzone’s reputation.
When journalists (including the author of this article) then searched Google for language used in some of the documents in Klarenburg’s story, they turned up in a Google cache file pointing to the Sneakystrawhead site. After being approached by Reuters and other publications, Dearlove, Prins and Tombs said they had become aware of the hack. They and others have not challenged the authenticity or accuracy of the emails and documents.
In a subsequent story in June 2022, Klarenberg and Grayzone published extensive details of emails hacked and leaked from left-wing freelance journalist Paul Mason, who has frequently savagely criticised Putin’s war in Ukraine. There was no evidence at the time of writing that the contents of Mason’s hacked mailbox had been more widely publicised or placed on the internet.
Targeting Nato countries
According to multiple cyber security companies, the as-yet unidentified Russian Federation intelligence agency behind these attacks began targeting users in Nato countries, including Britain, by late 2015. The group also attacked Russian neighbouring countries Georgia, Armenia and Azerbaijan.
The group has been dubbed Seaborgium by Microsoft, ColdRiver by Google, TA446 by Proofpoint, and Callisto by F-Secure. F-Secure was the first to identify the main attack methods and targets. These involve careful and selective target reconnaissance followed by phishing or spearphishing emails. They are also reported to use spoofed correspondence from email accounts to which they had acquired credentials.
The Sneakystrawhead operation has all the hallmarks of classic Russian intelligence hack-and-leak operations, such as were used extensively and effectively in 2016 in the months leading up to the election of Donald Trump. Computer Weekly previously reported on how British and US actors became part of a subsequent deception strategy to hide and obfuscate Russian involvement.
Subsequently, in the reports by the Robert Mueller investigation into Russian interference in the 2016 US elections, the FBI was able to identify the agency and agents concerned, and to name and shame and indict the individual officers concerned as members of units of the GRU, Russian’s military intelligence service.
The 2016 Russian attacks were initially attributed to cyber attack groups called Fancy Bear and Cosy Bear by the cyber security group Crowdstrike, and other names by other companies. The Security Service of Ukraine has suggested a possible connection between Cosy Bear and the group behind the Sneakystrawhead hacking, and thus to the GRU. But this attribution is not confirmed by the majority of cyber security companies. The obvious alternative agencies are the SVR, the Russian foreign intelligence service, and FSB, the federal security service which Putin headed before becoming president.
Security researchers say the group they call Callisto is continuing to set up new phishing infrastructure every week. Microsoft said that up to mid-September 2022, the group had targeted over 30 organisations since the start of the year.
The security companies report that the group’s consistent methodology has been social engineering to gain credibility to persuade targets to click on malicious URLs or open PDF files containing malicious executable files. They “slowly [infiltrate] targeted organisations’ social networks through constant impersonation, rapport building and phishing to deepen their intrusion”.
They have “successfully compromised organisations and people of interest in consistent campaigns for several years, rarely changing methodologies”. One proven method is to scan LinkedIn for staff and targets using fake profiles. The group has subjected the UK to at least three hack-and-leak operations to date.
To facilitate wide-ranging attacks, the attackers have registered many dozens of spoof phishing addresses, some of which appear likely to have been used to bag Dearlove’s network as it began and grew.
Encrypted emails failed to protect former MI6 head
From its inception in August 2018, Prins and Dearlove urged participants and co-plotters to sign up to and only use Protonmail, the Swiss-based end-to-end encrypted email service. By the end of 2018, the group were in touch with 36 users on Protonmail, one of whom was a woman who had been used to obtain confidential papers from inside the civil service.
By the time the emails were leaked, almost 100 were communicating on Protonmail. Dearlove initially signed up as “dickbilling”. When this account was mysteriously disabled for no apparent cause, according to the leaked emails, the former top spy and cyber security company director expressed no concern. He created and circulated a new account, “richardteller”. The Russians copied and have published mail from both accounts.
The hacked emails also show that Dearlove then gave advice, also copied by the Russian attackers, which if true will have given them information about how UK secret service staff communicate. On 5 September 2018, Dearlove told the group to use WhatsApp for calls. “WhatsApp is secure,” he wrote. “Takes 30 seconds to set up. Means we really can talk without threat of interception… The system is widely used by all my former colleagues when they need privacy.”
The problem, well known to cyber security experts, is that encryption of emails or other communications in transit does not protect them or their users against attacks on “endpoints” – such as mobile phones and devices used incautiously or by the incautious, allowing them to be taken over by phishing attacks.
History shows that Dearlove, who was and is the non-executive chairman of Crossword Cybersecurity, was not giving good advice. Whether his misadvice also exposed his former service SIS is not known. WhatsApp was, at the time, vulnerable to interception, according to WhatsApp itself.
In October 2019, WhatsApp filed a suit against Israel-based NSO Group claiming damages and a restraint order for having implanted Pegasus spyware exploiting a WhatsApp operating system vulnerability to intercept calls. The nature of the attack did not require targeted users to answer the calls they received. NSO, said WhatsApp, had implanted the spyware on the mobile phones of 1,400 human rights activists, lawyers, religious figures and others.
In November 2019, according to research by Microsoft and F-Secure, the Russian group added new Protonmail spoof sites to their portfolio: proton-reader.com and proton-viewer.com. Both were registered anonymously by Namecheap in Iceland. On launch, they displayed the fake Protonmail web page shown below.
On 20 April 2022, the same day as publishing the Sneakystrawhead documents, they added a third: proton-docs.com. This is not now in use and goes to a Russian registry page.
The Sneakystrawhead website was constructed to give the impression that the only individuals targeted and exposed were Dearlove and Prins. Emails were placed in folders said to be the inbox or outbox of one of the two. Some emails were broken out on the site, including some concerning the group’s civil service informant who used the false name Caroline Bell and the email Ian Moone – an anagram for “I am no one”.
Database analysis of the emails shows that some appear not to have been sent by or received from the email account attributed to it by the Sneakystrawhead website. They do not appear to belong in the caches disclosed. One possibility is that these are the disguised products of other interception or phishing attacks. Among the up to 20 potentially targeted email addresses which may have been added are Protonmail addresses used by Professor Tombs, “bootneck40” (Brigadier Julian Thomson) and “contrarymz” (Tim and Mary Clode, wealthy Jersey residents who financed the campaigns). Another address on a different email service identifies journalist William Shawcross.
The 22,000 leaked emails also reveal more activities by Dearlove, Prins and collaborators then attempting to unseat Prime Minister May or achieve an ultra-hard Brexit. The group went on to foster plots and theories and to try to foist them on successive governments. Many are mentioned on Dearlove’s Wikipedia page, including attacks on mobile manufacturer Huawei, 5G, and theories that China engineered Covid-19.
Earlier this year, Prins and Dearlove launched a new operation to attack climate safety precautions, which they dubbed as “Green catastrophist”. On 22 January 2020, Dearlove told Prins that “Darkullen” would be “the code word for our China project”. He added, “I intend to separate out all our Proton exchanges that are marked with this title”.
For security, members arranged new Protonmail email addresses that included “Darkullen in the address – such as princepsdarkullen”. Naturally, the Russians copied and published the Darkullen mails.
Among these emails is a Darkullen PowerPoint file dated 21 February 2022, which Prins took to a private meeting he was delighted to get with then home secretary Priti Patel. He urged her, too, to get going on Protonmail and WhatsApp. The PowerPoint said “net zero” targets amounted to the “coerced deformation of the UK energy systems” and needed to be addressed as a “conventional secret intelligence operation”. The problem, the PowerPoint claimed, was that “the proponents of these ideas and policies … hold encapsulated cult-like beliefs which makes them impervious to rational evidence”. Prins reported back that he thought the meeting went well.
Prins and an academic colleague wanted to persuade Patel to radically reform the UK’s energy policy. In an “urgent energy security briefing for the home secretary”, they argued the UK’s focus on renewable energy and climate policies threatened the UK’s ability to survive as an independent nation post-Brexit.
In Churchillian tones, the briefing paper called for the government to overturn the moratorium on shale gas fracking, that would allow Australian fracking company Quadrilla to resume work immediately. That was to be coupled with government backing to remove red tape to open up the North Sea oil and gas fields.
“Action this day: an immediate executive over-ride of the Oil & Gas Agency instruction to Quadrilla to cap and destroy the two viable shale gas wells in Lancashire and allowing exploitation to resume. Production will not flow for up to 24 months, therefore.”
“Immediate executive over-ride of administrative obstacles to the exploitation of North Sea gas and oil fields now viable with rising gas and oil prices.”
The former home secretary’s views remain unknown.
But reports suggest this is now indeed the plan. On 8 September, the new prime minister, Liz Truss, overturned the advice of her predecessor, Boris Johnson, by vowing to lift the fracking ban, claiming it could get gas flowing as soon as six months.
Truss announced a new programme for drilling for oil and gas in the North Sea, more nuclear energy and renewables. And a review of the UK’s 2050 net-zero emissions targets to make sure it can be achieved without placing “undue burdens on businesses or consumers”.
More technical reports about these and other events in the exposed trove of influence planning and conspiracy thinking will be covered soon by Computer Weekly.
Reporting by Duncan Campbell, Bill Goodwin, Crina Boros and Meike Eijsberg.