By Raphael Satter, James Pearson and Christopher Bing
WASHINGTON/LONDON, May 25 (Reuters) – A new website that published leaked emails from several leading proponents of Britain’s exit from the European Union is tied to Russian hackers, according to a Google cybersecurity official and the former head of UK foreign intelligence.
The website – titled “Very English Coop d’Etat” – says it has published private emails from former British spymaster Richard Dearlove, leading Brexit campaigner Gisela Stuart, pro-Brexit historian Robert Tombs, and other supporters of Britain’s divorce from the EU, which was finalized in January 2020.
The site contends that they are part of a group of hardline pro-Brexit figures secretly calling the shots in the United Kingdom.
Reuters could not immediately verify the authenticity of the emails, but two victims of the leak on Wednesday confirmed that they had been targeted by hackers and blamed the Russian government.
“I am well aware of a Russian operation against a Proton account which contained emails to and from me,” said Dearlove, referring to the privacy-focused email service ProtonMail.
Dearlove, who led Britain’s foreign spy service – known as MI6 – between 1999 and 2004, told Reuters the leaked material should be treated with caution given “the context of the present crisis in relations with Russia.”
Tombs said in an email he and his colleagues were “aware of this Russian disinformation based on illegal hacking.” He declined further comment. Stuart, who chaired Britain’s Vote Leave campaign in 2016, did not return emails.
Shane Huntley, who directs Google’s Threat Analysis Group, told Reuters that the “English Coop” website was linked to what the Alphabet Inc-owned company knew as “Cold River,” a Russia-based hacking group.
“We’re able to see that through technical indicators,” Huntley said.
Huntley said that the entire operation – from Cold River’s hacking attempts to publicizing the leaks – had “clear technical links” between one another.
The Russian embassies in London and Washington did not return emails seeking comment.
Britain’s Foreign Office, which handles media queries for MI6, declined comment. Other Brexit supporters whose emails were suspected of being disseminated on the website also did not respond to emails.
‘LOOKS VERY FAMILIAR’
How the emails were obtained is unknown and the website hosting them made no effort to explain who was behind the leak. The leaked messages mainly appear to have been exchanged using ProtonMail. ProtonMail declined comment.
Reuters was unable to independently verify Google’s assessment about a Russian link to the website, but Thomas Rid, a cybersecurity expert at Johns Hopkins University, said the site was reminiscent of past hack-and-leak operations attributed to Russian hackers.
“What jumps out at me is how similar the M.O. is to Guccifer 2 and DCLeaks,” he said, referring to two of the sites that disseminated leaked emails stolen from Democrats in the run-up to the 2016 U.S. presidential election.
“It looks very familiar in some ways, including the sloppiness,” he said.
If the leaked messages are in fact authentic it would mark the second time in three years that suspected Kremlin spies have stolen private emails from a senior British national security official and published them online.
In 2019, classified U.S.-UK trade documents were leaked ahead of Britain’s election after being stolen from the email account of former trade minister Liam Fox, Reuters previously reported. UK officials never confirmed the specifics of the operation, but then-British foreign minister Dominic Raab said the hack-and-leak was an effort by the Kremlin to interfere in the Britain’s election, a charge that Moscow denied.
The “English Coop” site makes a variety of allegations, including one that Dearlove was at the center of a conspiracy by Brexit hardliners to oust former British Prime Minister Theresa May, who had negotiated a withdrawal agreement with the European Union in early 2019, and replace her with Johnson, who took a more uncompromising position.
Dearlove said that the emails captured a “legitimate lobbying exercise which, seen through this antagonistic optic, is now subject to distortion.”
He declined further comment.
Johnson, who took over from May later in 2019, has staked out a tough stance on Russia’s invasion of Ukraine, committing hundreds of millions of dollars of military equipment to the government in Kyiv. In April, Johnson visited the capital for a televised walkabout with Ukrainian President Volodymyr Zelenskiy.
Johnson was officially banned from Russian soil on April 16. Internet domain records show the “Coop” website was registered three days later. Its URL included the words “sneaky strawhead” in an apparent knock at Johnson’s tousled hairstyle.
Rid said that while journalists should not shy away from covering authenticated material exposed by the leak, they should still tread very carefully.
“If the leak has newsworthy detail, then it is also newsworthy to point out that the material comes from an adversarial intelligence agency, especially in a time of war,” said Rid. (Reporting by Raphael Satter and Christopher Bing in Washington and James Pearson in London; editing by Chris Sanders and Grant McCool)