Hackers are stepping up efforts to steal and manipulate emails from critics of the Russian government, security researchers say, using techniques that were hallmarks of a cyber attack on Emmanuel Macron's campaign on the eve of France's presidential election.
The hackers have attempted to trick more than 200 confirmed targets from 39 countries into surrendering their email login details through phishing attacks, according to a report by the Citizen Lab at the University of Toronto's Munk School of Global Affairs published on Thursday.
The attackers then released carefully falsified documents from one of the victims, which pro-Kremlin media reported on as if true.
While the leaking was tailored for a Russian domestic audience in an apparent attempt to discredit the anti-Kremlin opposition, the scope and technique of the attack have potential wider consequences, said John Scott-Railton, a senior researcher at the Citizen Lab.
"Tainted leaks plant fakes in a forest of facts in an attempt to make them credible by association with genuine, stolen documents," Mr Scott-Railton said. "It gets around the problems you would have if you were to release a single falsified document. It allows you to subtly shape a narrative that an organisation may have difficulty directly confronting."
As well as having similarities with the interference in Mr Macron's election campaign, the attacks used a phishing method similar to the hacks on the Democratic party that coloured last year's US election. Intelligence officials and cyber security researchers say Russia's secret services were behind those leaks.
Citizen Lab says the targets included Mikhail Kasyanov, a former Russian prime minister now in opposition; cabinet members, ambassadors and military officers from 28 countries; senior corporate executives; and journalists and activists in Russia.
"Of course, governments spy on journalists and read all their emails," said Eva Galperin, director of cyber security at the Electronic Frontier Foundation in San Francisco. "The notion that they should do all of this and make the contents public — with or without changes — is a fairly new thing from the last couple of years in Russian information tactics."
CyberBerkut, an ostensibly independent hacking group that the US and Germany have said is a Russian intelligence operation, posted emails from one of the victims, former US journalist David Satter, alongside fake documents alleging a US government plot to undermine Russia. The same site previously posted fakes added to hacked documents from the Open Society Foundations, billionaire George Soros' philanthropy arm.
The range of targets, as well as significant resources required to process the information, suggests the hackers were acting in Russia's interests, said Ron Deibert, director of the Citizen Lab.
"We have no conclusive evidence that links these operations to a particular Russian government agency; however, there is clear overlap between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors," the organisation said.
Researchers discovered the attack while investigating a hack of Mr Satter, a prominent western critic of the Russian government. Hackers gained access to Mr Satter's email account when he clicked on a phishing link — the technique used in the attacks on the Democratic party.
Researchers compared the malicious link sent to Mr Satter with similar emails sent to Bellingcat, an open-source investigative journalism site.
ThreatConnect, a security firm, attributed them to APT 28, a group that US intelligence and security researchers say is a Russian intelligence operation behind hacks on the Democratic party, Mr Macron's campaign, the White House and Nato.
Researchers at the Citizen Lab identified patterns in the URLs to find that they had been sent to 198 other targets.
The documents that appeared on CyberBerkut's website included several forgeries, created by altering documents hacked from Mr Satter's emails. In the fake documents, Mr Satter, who advises an investigative journalism programme funded by the National Endowment for Democracy, was depicted as orchestrating a campaign to plant articles against Russian president Vladimir Putin in the Russian press.
Mr Satter believes the hack was aimed at discrediting Russia's opposition by association with him. "They're trying to create these bogeymen to link the opposition to undesirable people — me being the undesirable in this case," he said.