One of the security companies that claimed Russian hackers were responsible for the Democratic National Committee (DNC) email leaks has now suggested that the same hackers attacked journalists investigating the MH17 crash.
Multiple investigations have now found that Malaysia Airlines flight 17 was shot down in 2014 by a Russian-made missile, fired from a village in eastern Ukraine that was held by pro-Russian rebels. The Russian government maintained that Ukrainian troops downed the passenger jet, which was en route from Amsterdam to Kuala Lumpur.
No journalists dived deeper into the MH17 mystery than an “open source” citizen-journalist outfit called Bellingcat, founded by one Eliot Higgins. And someone has been trying very hard to hack Bellingcat, presumably to gain access to the operation’s sources.
Higgins went for help to the security firm ThreatConnect, which along with Crowdstrike had previously attributed the attacks on the DNC to Russian hacking groups dubbed “Cozy Bear” and “Fancy Bear.”
Get Data Sheet, Fortune’s technology newsletter.
Attributing hacks is a notoriously tricky business, as it’s quite possible to make an attack look like it comes from one place when it really comes from another. However, both cybersecurity firms as well as U.S. intelligence agencies have pointed to the Russians for the DNC leaks, which hugely embarrassed the Democratic Party shortly before its convention. Russia denies the claims.
Anyhow, ThreatConnect thinks Fancy Bear tried to hack Bellingcat as well.
Throughout much of 2015 and some of 2016, somebody sent multiple “spearphishing” emails to Bellingcat’s researchers. These are emails that are specially crafted to dupe a particular target into entering their credentials on a fake webpage, allowing the hackers to access their accounts. In this case, they were dummy Gmail security notices.
ThreatConnect noted that the techniques used in crafting the malicious web addresses were “consistent” with those used to sucker “a DNC staffer whose files were leaked on DCLeaks.” Bellingcat writer Aric Toler was also targeted with emails emanating from a Yandex webmail account (Yandex is Russia’s answer to Google). Again, this is similar to what happened with Clinton campaign staffer William Rinehart.
Web domains and IP addresses used in the Bellingcat spearphishing campaign apparently also match or “closely resemble” those used by Fancy Bear, and ThreatConnect said there were other overlaps with Fancy Bear’s hacking infrastructure.
For more on the DNC hack, watch our video.
ThreatConnect also detailed how Bellingcat’s website had been attacked by CyberBerkut, a notorious group of pro-Russian hacktivists. Again, conclusively tying CyberBerkut to the Russian government is difficult.
“The campaign against Bellingcat provides yet another example of sustained targeting against an organization that shines a light on Russian perfidy,” ThreatConnect wrote. “The spearphishing campaign is classic Fancy Bear activity while CyberBerkut’s role raises yet more questions about the group’s ties to Moscow.”
“If Russia is willing to go to these lengths to compromise a small journalist organization and its contributors, consider what they are willing to do to major news and media outlets that publish similar articles.”