Russian Hacking Went Far Beyond US Election

The hackers who upended the US presidential election had ambitions well beyond Hillary Clinton’s campaign, targeting the emails of Ukrainian officers, Russian opposition figures, US defense contractors and thousands of others of interest to the Kremlin, according to a previously unpublished digital hit-list obtained by the Associated Press.

The news comes as US prosecutors are reportedly considering charges against six members of the Russian government accused of hacking into the Democratic national committee’s computers.

The list obtained by the AP provides the most detailed forensic evidence yet of the close alignment between the hackers and the Russian government, exposing an operation that stretched back years and tried to break into the inboxes of 4,700 Gmail users across the globe, from the pope’s representative in Kiev to the punk band Pussy Riot in Moscow.

“It’s a wish-list of who you’d want to target to further Russian interests,” said Keir Giles, director of the Conflict Studies Research Center in Cambridge, England, and one of five outside experts who reviewed the AP’s findings. He said the data was “a master list of individuals whom Russia would like to spy on, embarrass, discredit or silence”.

The AP findings draw on a database of 19,000 malicious links collected by cybersecurity firm Secureworks, dozens of rogue emails, and interviews with more than 100 hacking targets.

Secureworks stumbled upon the data after a hacking group known as Fancy Bear accidentally exposed part of its phishing operation to the Internet. The list revealed a direct line between the hackers and the leaks that rocked the presidential contest in its final stages, most notably the private emails of Clinton’s campaign chairman, John Podesta.

The issue of who hacked the Democrats is back in the national spotlight following the revelation that a Donald Trump campaign official, George Papadopoulos, was briefed early last year that the Russians had “dirt” on Clinton, including “thousands of emails”.

The Kremlin spokesman, Dmitry Peskov, called the notion that Russia interfered “unfounded”. But the list examined by AP provides powerful evidence that the Kremlin did just that.

“This is the Kremlin and the general staff,” said Andras Racz, a specialist in Russian security policy at Pazmany Peter Catholic University in Hungary, as he examined the data.

“I have no doubts.”

The New Evidence

Secureworks’ list covers the period between March 2015 and May 2016. Most of the identified targets were in the United States, Ukraine, Russia, Georgia and Syria.

In the United States, Fancy Bear tried to pry open at least 573 inboxes belonging to those in the top echelons of the country’s diplomatic and security services: then secretary of state John Kerry, former secretary of state Colin Powell, US air force general Philip Breedlove, and one of his predecessors, Wesley Clark.

The list skewed toward workers for defense contractors such as Boeing, Raytheon and Lockheed Martin or senior intelligence figures, prominent Russia watchers and, especially, Democrats. More than 130 party workers, campaign staffers and supporters of the party were targeted, including Podesta and other members of Clinton’s inner circle.

The AP also found a handful of Republican targets.

Podesta, Powell, Breedlove and more than a dozen Democratic targets besides Podesta would soon find their private correspondence dumped on to the web. The AP has determined that all had been targeted by Fancy Bear, most of them three to seven months before the leaks.

“They got two years of email,” Powell recently told AP. He said that while he couldn’t know for sure who was responsible, “I always suspected some Russian connection.”

In Ukraine, which is fighting a grinding war against Russia-backed separatists, Fancy Bear attempted to break into at least 545 accounts, including those of President Petro Poroshenko and his son Alexei, half a dozen current and former ministers such as the interior minister, Arsen Avakov, and as many as two dozen current and former lawmakers.

The list includes Serhiy Leshchenko, an opposition parliamentarian who helped uncover the off-the-books payments allegedly made to Trump’s one-time campaign chairman, Paul Manafort – whose indictment was unsealed on Monday in Washington.

In Russia, Fancy Bear focused on government opponents and dozens of journalists. Among the targets were oil tycoon-turned-Kremlin foe Mikhail Khodorkovsky, who spent a decade in prison and now lives in exile, and Pussy Riot’s Maria Alekhina. Along with them were 100 more civil society figures, including anti-corruption campaigner Alexei Navalny and his lieutenants.

“Everything on this list fits,” said Vasily Gatov, a Russian media analyst who was himself among the targets. He said Russian authorities would have been particularly interested in Navalny, one of the few opposition leaders with a national following.

Many of the targets have little in common except that they would have been crossing the Kremlin’s radar: an environmental activist in the remote Russian port city of Murmansk; a small political magazine in Armenia; the Vatican’s representative in Kiev; an adult education organization in Kazakhstan.

“It’s simply hard to see how any other country would be particularly interested in their activities,” said Michael Kofman, an expert on Russian military affairs at the Woodrow Wilson International Center in Washington. He was also on the list. “If you’re not Russia,” he said, “hacking these people is a colossal waste of time.”

Working 9 to 6 Moscow time

Allegations that Fancy Bear works for Russia aren’t new. But raw data has been hard to come by.

Researchers have been documenting the group’s activities for more than a decade and many have accused it of being an extension of Russia’s intelligence services. The “Fancy Bear” nickname is a none-too-subtle reference to Russia’s national symbol.

In the wake of the 2016 election, US intelligence agencies publicly endorsed the consensus view, saying what American spooks had long alleged privately: Fancy Bear is a creature of the Kremlin.

But the US intelligence community provided little proof, and even media-friendly cybersecurity companies typically publish only summaries of their data.

That makes the Secureworks’ database a key piece of public evidence – all the more remarkable because it’s the result of a careless mistake.

Secureworks effectively stumbled across it when a researcher began working backward from a server tied to one of Fancy Bear’s signature pieces of malicious software.

He found a hyperactive Bitly account Fancy Bear was using to sneak thousands of malicious links past Google’s spam filter. Because Fancy Bear forgot to set the account to private, Secureworks spent the next few months hovering over the group’s shoulder, quietly copying down the details of the thousands of emails it was targeting.

The AP obtained the data recently, boiling it down to 4,700 individual email addresses, and then connecting roughly half to account holders. The AP validated the list by running it against a sample of phishing emails obtained from people targeted and comparing it to similar rosters gathered independently by other cybersecurity companies, such as Tokyo-based Trend Micro and the Slovakian firm Eset.

The Secureworks data allowed reporters to determine that more than 95% of the malicious links were generated during Moscow office hours, between 9 am and 6pm Monday to Friday.

The AP’s findings also track with a report that first brought Fancy Bear to the attention of American voters. In 2016, a cybersecurity company known as CrowdStrike said the Democratic national committee had been compromised by Russian hackers, including Fancy Bear.

Secureworks’ roster shows Fancy Bear making aggressive attempts to hack into DNC technical staffers’ emails in early April 2016 – exactly when CrowdStrike says the hackers broke in.

And the raw data enabled the AP to speak directly to the people who were targeted, many of whom pointed the finger at the Kremlin.

“We have no doubts about who is behind these attacks,” said Artem Torchinskiy, a project coordinator with Navalny’s Anti-Corruption Foundation who was targeted three times in 2015. “I am sure these are hackers controlled by Russian secret services.”

The myth of the 400lb man

Even if only a small fraction of the 4,700 Gmail accounts targeted by Fancy Bear were hacked successfully, the data drawn from them could run into terabytes, easily rivaling the biggest known leaks in journalistic history.

For the hackers to have made sense of that mountain of messages, in English, Ukrainian, Russian, Georgian, Arabic and many other languages, they would have needed a substantial team of analysts and translators. Merely identifying and sorting the targets took six AP reporters eight weeks of work.

The AP’s effort offers “a little feel for how much labor went into this,” said Thomas Rid, a professor of strategic studies at Johns Hopkins University.

He said the investigation should put to rest any theories like the one then-candidate Donald Trump floated last year that the hacks could be the work of “someone sitting on their bed that weighs 400 pounds”.

“The notion that it’s just a lone hacker somewhere is utterly absurd,” Rid said.

Guardian:     Associated Press

You Might Also Read: 

Hillary Clinton’s Cyber Warfare Warning:

Facebook's Algorithm And Russian Ads:

Putin Applauds Patriotic Russian Hackers:

 

 

 

 

« Bermuda Super Rich Hack
NotPetya Much Worse Than WannaCry »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

SharkGate

SharkGate

SharGate provide a cloud-based website security solution to protect websites from being hacked.

PartnerRe

PartnerRe

PartnerRe Ltd. provides multi-line reinsurance to insurance companies on a worldwide basis. Services include Cyber Risk.

Sasa Software

Sasa Software

Sasa Software is a cybersecurity software developer specializing in the prevention of file-based network attacks.

Solana Networks

Solana Networks

Solana Networks is a specialist in IT networking and security.

NAVEX Global

NAVEX Global

NAVEX Global’s compliance management system consolidates your entire GRC program onto a scalable cloud-based platform.

ECS

ECS

ECS is a leading information technology provider delivering cloud, cybersecurity, software development, IT modernization, and advanced science and engineering services.

Veritas Technologies

Veritas Technologies

Veritas provide industry-leading solutions that cover all platforms with backup and recovery, business continuity, software-defined storage and information governance.

Reed

Reed

reed.co.uk is a leading job site in the UK, providing a full online service for anyone looking for a new job.

Newberry Group

Newberry Group

The Newberry Group provides comprehensive IT services and solutions that optimize operations, minimize risk and deliver measurable business value.

Illuma Labs

Illuma Labs

Illuma Labs delivers real-time voice authentication and fraud prevention solutions.

Sentor Managed Security Services

Sentor Managed Security Services

Sentor Managed Security Services is a cybersecurity company that enables organizations to exist in a digitally connected world.

Kubus Hitam

Kubus Hitam

Kubus Hitam are a research-based company focused on cyber security. we strongly believe that innovation and safety are the two keywords for the future business market.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.

CI-ISAC Australia

CI-ISAC Australia

CI-ISAC has been designed to support and promote existing legislation and Government initiatives that are working to uplift cyber resilience across critical infrastructure sectors.

OccamSec

OccamSec

OccamSec is a leading provider in the world of cybersecurity. We provide accurate, actionable information to reduce risk and enable better informed decisions.

Backslash Security

Backslash Security

With Backslash, AppSec teams gain visibility into critical risks in their apps based on reachability and exploitability.