Malaysia Airlines Flight 17 investigation shows Russian disinformation campaigns have global reach


A little background: on July 17, 2014, Malaysia Airlines Flight 17 was shot down over Ukraine on its way from Amsterdam to Kuala Lumpur. The plane was hit by a surface-to-air missile, and as a result, all 298 people on board were killed.

At that time, there was a revolt of pro-Russian militants against the Ukrainian government. Both the Ukrainian military and the separatists denied responsibility for the incident. After investigation of the crash site and reconstruction of the plane wreck, it was determined that the missile was fired from a BUK air defense missile system.

The BUK systems originated from the former Soviet Union but are in use by several countries. Three military presences in the region possessed the weaponry identified as behind the damage. (There were also Russian forces in the region as “advisors” for the separatists.) For this reason, it was difficult to investigate who was responsible for the attack.

Here’s where cybersecurity comes into play. Social media and leaked data played an important role in this investigation. And they also play an important role in the propaganda that the Russians used, and are continuing to use, to invalidate the methods and results of the investigation.

By following the cybersecurity breadcrumbs, we can determine which information released online is legitimate and which is deliberate disinformation. However, most casual readers don’t go that far—or can’t—as they don’t have the technical capability to validate information sources.

How can they (we) sort out fiction from fact? Here’s what we know about the investigation into MH17, Russian disinformation, and which countermeasures can be put in place to fight online propaganda.

The investigation

On June 19, 2019, the Joint Investigation Team (JIT) that was set up to investigate this incident issued warrants for four individuals that they hold responsible: They are three Ukrainian nationals and one Russian national. They were not the crew of the BUK missile launcher, but the men believed to be behind the transport and deployment of the Russian BUK missile launcher.

The Netherlands had already held Russia responsible at an earlier stage of the investigation because they found sufficient information to show that the BUK launcher originated from Russia and was manned by Russian soldiers. Both the Ukraine and Russia have laws against extradition of their nationals, so the chances of hearing from the suspects are slim-to-none. So how can we learn exactly what happened?

Finding information

Immediately after the incident, the JIT started to save 350 million webpages with information about the region where the incident took place. These pages were saved because otherwise important information could be lost or removed. By using photos and videos that were posted on social media, they were able to track back the route that the BUK system took to reach the place from which the fatal missile was launched.

Dashcams are immensely popular in Russia and surrounding countries, because they provide evidence in insurance claims. So there was a lot of material available to work with. And the multitude of independent sources made it hard to contradict the conclusions. Also, part of the route could be confirmed by using satellite images made by Digital Globe for Google Earth.

By using VKontakte (a Russian social media platform much like Facebook), a Bellingcat researcher was able to reconstruct the crew that manned the BUK system at the time of the incident. And the Ukrainian secret security service (SBU) gladly provided wiretaps of pro-Russian separatists “ordering” a BUK system and coordinating the transport to the Ukraine. Bellingcat was even able to retrieve a traffic violation record confirming the location of one of the vehicles accompanying the BUK system.

Because Bellingcat is a private organization, it has fewer rules and regulations to follow than the official investigation team (JIT), which gives it an edge when it comes to using certain sources of information. If you are interested in the information they found and especially how they found it, you really should read their full report.

If nothing else, it shows how a determined group of people can use all the little pieces of information you leave behind online to draw a pretty comprehensive picture. In fact, researchers have reasons to believe that Bellingcat was stirring up enough dirt to become the target of a spear-phishing attack attributed to the Russian group Fancy Bear APT.

These attacks are suspected to have been attempts to take over Bellingcat accounts enabling the Russians to create even more confusion. The Dutch team that investigated the incident scene reported phishing and hacking attempts as well.

Creating disinformation

Russia has a special department of disinformation called the Internet Research Agency (IRA), which is headquartered in St. Petersburg. They started an orchestrated campaign to put the blame for the incident on the Ukrainian military.

While the IRA would love to influence international opinion about what happened to MH17, there’s way too much information (aka facts) out there that would prove them wrong. Instead, they are focusing on their domestic audience to influence the country’s own public opinion. Knowing that their government shot down a commercial airliner would not go down well. So, blogs were written that blamed the Ukrainian military and many thousands of fake accounts started pointing to those blogs. In the first two days after the disaster alone, this amounted to 66,000 Tweets.

Every time the JIT issued new information about their findings, the IRA started a new campaign with “alternative” information. This prolonged campaign and the sheer mass of disinformation did have one advantage. The platforms that the IRA used were able to gather a lot of information about the operation and link the social media accounts that were involved.

In 2018, Twitter issued an update mentioning the IRA as they removed almost 4,000 Russian accounts believed to be associated with the group, which amassed:

10 million Tweets and 2 million images, GIFs, videos, and Periscope broadcasts

Twitter certainly wasn’t the only platform the IRA used to spread disinformation, but it’s the only platform that disclosed their information about the “fake news factory.” You can find the same disinformation posted on Facebook, VKontakte, and in the comments sections of many websites.

Their goal is simple. When the public reads 20 different stories about the same news item, they no longer know which one to believe. An interesting version promoted by the IRA was that the BUK missile must have been intended for a plane that Russian president Putin was traveling in and which had presumably passed shortly before the incident. It’s easy to track down information proving that this wasn’t true, but most readers won’t go that far.

Yet another conspiracy theory linked the Ukrainian military with Western governments. Russia has a long history of conspiracy theories that are used both to entertain the audience and to lead them away from reality.

Countermeasures against disinformation

Since 2016, the US has become aware of Russian interference in online information, communications, and even elections—but we haven’t found a surefire fix for fake news. Europe caught on a bit earlier, but in the interest of undermining democracies, a simple piece of disinformation can unravel hundreds of years of progress.

Before the United States figured out how to respond and while Europe was cautiously evaluating the online landscape, their adversaries were able to evolve and advance their disinformation techniques. Russia is not alone: there are other nations that would like to see democratic societies upended. Iran, North Korea, and China are learning from the Russians how to play the game of disinformation.

Obvious methods to counter the possible influence of disinformation are education, finding trusted sources, and transparency. But even in a democracy, these are not always the first resort for those in powerful positions.

Education empowers people to make up their own mind based on gathered information. Transparency gives them the tools to make decisions based on facts and not fiction. And finding trusted sources means first digging deep into their backgrounds, learning whether their methods of reporting are honorable, and establishing a consistent pattern of truth-telling.

You can ask yourself whether it is a good strategy to rely on the self-moderation that has been imposed on social media platforms, but at the moment this is our first line of defense. US Congress has prepared legislation that would increase ad transparency, govern data use, and establish an interagency fusion cell to coordinate government responses against disinformation, but these are all laws waiting to be passed for now.

Unlimited research

Another question that is reflexively brought up by this matter is how we can increase the effectiveness of official investigators like JIT to the level of Bellingcat without giving them a free pass to hack their way into every imaginable system.

An official international “police force” might be needed to conduct investigations for the international courts that already are in place, with warrants to demand information from any source that might have it. However, this doesn’t work when suspects, such as those in the MH17 investigation, are protected from the law if they stay in their own country.

We know the courts and investigators should be provided with more adequate ways to gather evidence, but this is no easy matter to solve without jeopardizing the very free will we are trying to protect. It will require a lot of diplomacy and negotiation if we ever want to achieve this.

A little warning

Since the interest in this incident has risen again after the official disclosure of some of the main suspects, we may see a revival of MH17-related phishing campaigns. Previous campaigns pretended to be memorial sites for the victims but led victims to fake sites that lured visitors into allowing push notifications or downloading video players infected with PUPs or malware.

Stay on the lookout, as cybercriminals—whether of Russian origin or not—are always looking to capitalize on tantalizing news stories or moments of public confusion.

And when in doubt, the best advice we can give is to be cautious when exploring the Internet and view any information you read through the lens of caution. Find your trusted sources, educate yourself, and look for those who are transparent.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.