Dayton Daily News

Russian hackers pursued Putin foes, too

Digital hit list shows ambitions spanning across globe.

By Raphael Satter, Jeff Donn and Justin Myers

WASHINGTON — It wasn’t just Hillary Clinton’s emails they went after.

The hackers who disrupted the U.S. presidential election last year had ambitions that stretched across the globe, targeting the emails of Ukrainian officers, Russian opposition figures, U.S. defense contractors and thousands of others of interest to the Kremlin, according to a previously unpublished digital hit list obtained by The Associated Press.

The list provides the most detailed forensic evidence yet of the close alignment between the hackers and the Russian government, exposing an operation that went back years and tried to break into the inboxes of 4,700 Gmail users — from the pope’s representative in Kiev to the punk band Pussy Riot in Moscow. The targets were spread among 116 countries.

“It’s a wish list of who you’d want to target to further Russian interests,” said Keir Giles, director of the Conflict Studies Research Center in Cambridge, England, and one of five outside experts who reviewed the AP’s findings. He said the data was “a master list of individuals whom Russia would like to spy on, embarrass, discredit or silence.”

The AP findings draw on a database of 19,000 malicious links collected by cybersecurity firm Secureworks, dozens of rogue emails, and interviews with more than 100 hacking targets.

Secureworks stumbled upon the data after a hacking group known as Fancy Bear accidentally exposed part of its phishing operation to the internet. The list revealed a direct line between the hackers and the leaks that rocked the presidential contest in its final stages, most notably the private emails of Clinton campaign chairman John Podesta.

The issue of who hacked the Democrats is back in the national spotlight following the revelation Monday that a Donald Trump campaign official, George Papadopoulos, was briefed early last year that the Russians had “dirt” on Clinton, including “thousands of emails.”

Kremlin spokesman Dmitry Peskov called the notion that Russia interfered “unfounded.” But the list examined by AP provides powerful evidence that the Kremlin did just that.

“This is the Kremlin and the general staff,” said Andras Racz, a specialist in Russian security policy at Pazmany Peter Catholic University in Hungary, as he examined the data.

“I have no doubts.”

The new evidence

Secureworks’ list covers the period between March 2015 and May 2016. Most of the identified targets were in the United States, Ukraine, Russia, Georgia and Syria.

In the United States, which was Russia’s Cold War rival, Fancy Bear tried to pry open at least 573 inboxes belonging to those in the top echelons of the country’s diplomatic and security services: then-Secretary of State John Kerry, former Secretary of State Colin Powell, then-NATO Supreme Commander, U.S. Air Force Gen. Philip Breedlove, and one of his predecessors, U.S. Army Gen. Wesley Clark.

The list skewed toward workers for defense contractors such as Boeing, Raytheon and Lockheed Martin or senior intelligence figures, prominent Russia watchers and — especially — Democrats. More than 130 party workers, campaign staffers and supporters of the party were targeted, including Podesta and other members of Clinton’s inner circle.

The AP also found a handful of Republican targets.

Podesta, Powell, Breedlove and more than a dozen Democratic targets besides Podesta would soon find their private correspondence dumped to the web. The AP has determined that all had been targeted by Fancy Bear, most of them three to seven months before the leaks.

“They got two years of email,” Powell recently told AP. He said that while he couldn’t know for sure who was responsible, “I always suspected some Russian connection.”

In Ukraine, which is fighting a grinding war against Russia-backed separatists, Fancy Bear attempted to break into at least 545 accounts, including those of President Petro Poroshenko and his son Alexei, half a dozen current and former ministers such as Interior Minister Arsen Avakov and as many as two dozen current and former lawmakers.

The list includes Serhiy Leshchenko, an opposition parliamentarian who helped uncover the off-the-books payments allegedly made to Trump campaign chairman Paul Manafort — whose indictment was unsealed Monday in Washington.

In Russia, Fancy Bear focused on government opponents and dozens of journalists. Among the targets were oil tycoon-turned-Kremlin foe Mikhail Khodorkovsky, who spent a decade in prison and now lives in exile, and Pussy Riot’s Maria Alekhina. Along with them were 100 more civil society figures, including anti-corruption campaigner Alexei Navalny and his lieutenants.

“Everything on this list fits,” said Vasily Gatov, a Russian media analyst who was himself among the targets. He said Russian authorities would have been particularly interested in Navalny, one of the few opposition leaders with a national following.

Many of the targets have little in common except that they would have been crossing the Kremlin’s radar: an environmental activist in the remote Russian port city of Murmansk; a small political magazine in Armenia; the Vatican’s representative in Kiev; an adult education organization in Kazakhstan.

“It’s simply hard to see how any other country would be particularly interested in their activities,” said Michael Kofman, an expert on Russian military affairs at the Woodrow Wilson International Center in Washington. He was also on the list.

“If you’re not Russia,” he said, “hacking these people is a colossal waste of time.”

Working 9 to 6 Moscow time

Allegations that Fancy Bear works for Russia aren’t new. But raw data has been hard to come by.

Researchers have been documenting the group’s activities for more than a decade and many have accused it of being an extension of Russia’s intelligence services. The “Fancy Bear” nickname is a none-too-subtle reference to Russia’s national symbol.

In the wake of the 2016 election, U.S. intelligence agencies publicly endorsed the consensus view, saying what American spooks had long alleged privately: Fancy Bear is a creature of the Kremlin.

But the U.S. intelligence community provided little proof, and even media-friendly cybersecurity companies typically publish only summaries of their data.

That makes the Secureworks’ database a key piece of public evidence — all the more remarkable because it’s the result of a careless mistake.

Secureworks effectively stumbled across it when a researcher began working backward from a server tied to one of Fancy Bear’s signature pieces of malicious software.

He found a hyperactive Bitly account that Fancy Bear (which Secureworks calls “Iron Twilight”) was using to sneak thousands of malicious links past Google’s spam filter. Because Fancy Bear forgot to set the account to private, Secureworks spent the next few months hovering over the group’s shoulder, quietly copying down the details of the thousands of emails it was targeting.

The AP obtained the data recently, boiling it down to 4,700 individual email addresses, and then connecting roughly half to account holders. The AP validated the list by running it against a sample of phishing emails obtained from people targeted and comparing it to similar rosters gathered independently by other cybersecurity companies, such as Tokyo-based Trend Micro and the Slovakian firm ESET.

The Secureworks data allowed reporters to determine that more than 95 percent of the malicious links were generated during Moscow office hours — between 9 a.m. and 6 p.m. Monday to Friday.

The AP’s findings also track with a report that first brought Fancy Bear to the attention of American voters. In 2016, a cybersecurity company known as CrowdStrike said the Democratic National Committee had been compromised by Russian hackers, including Fancy Bear.

Secureworks’ roster shows Fancy Bear making aggressive attempts to hack into DNC technical staffers’ emails in early April 2016 — exactly when CrowdStrike says the hackers broke in.

And the raw data enabled the AP to speak directly to the people who were targeted, many of whom pointed the finger at the Kremlin.

“We have no doubts about who is behind these attacks,” said Artem Torchinskiy, a project coordinator with Navalny’s Anti-Corruption Fund who was targeted three times in 2015. “I am sure these are hackers controlled by Russian secret services.”

The myth of the 400-pound man

Even if only a small fraction of the 4,700 Gmail accounts targeted by Fancy Bear were hacked successfully, the data drawn from them could run into terabytes — easily rivaling the biggest known leaks in journalistic history.

For the hackers to have made sense of that mountain of messages — in English, Ukrainian, Russian, Georgian, Arabic and many other languages — they would have needed a substantial team of analysts and translators. Merely identifying and sorting the targets took six AP reporters eight weeks of work.

The AP’s effort offers “a little feel for how much labor went into this,” said Thomas Rid, a professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies.

In response to the AP’s investigation, the DNC issued a statement saying the evidence that Russia had interfered in the election was “irrefutable.”

Rid said the investigation should put to rest any theories like the one then-candidate Donald Trump floated last year that the hacks could be the work of “someone sitting on their bed that weighs 400 pounds.”

“The notion that it’s just a lone hacker somewhere is utterly absurd,” Rid said.

AP: This combination of photos shows (from left) punk band Pussy Riot member Maria Alekhina, anti-corruption campaigner Alexei Navalny and oil tycoon-turned-Kremlin foe Mikhail Khodorkovsky. These three were among the Russian targets of the hacking group Fancy...
ALEXEI NIKOLSKY / SPUTNIK / AP: U.S. intelligence agencies had long suspected Russian President Vladimir Putin’s role in cybersecurity threats, but an American firm, Secureworks, stumbled upon a database providing new evidence. The cybersecurity firm Secureworks found a database of...