Concluding an exhaustive review of evidence, the Associated Press presented a powerful case Thursday morning that further ties the perpetrators of the DNC breach to a Kremlin-directed plot.
For eight weeks, AP reporters pored over a database of roughly 4,700 Gmail accounts targeted by the hackers who also leaked more than two thousand confidential files last year, stolen from the Democratic National Committee. The findings, which build on numerous prior reports—including those of the security researchers who succeeded in tracking the threat—confirm once again the existence of a covert operation that, for more than a year, aimed at compromising top adversaries of President Vladimir Putin.
The cybersecurity firm Secureworks disclosed the link between the hackers targeting the Democrats and an immense phishing campaign in June 2016, roughly 48 hours after The Washington Post first reported the fateful breach at Democratic Party headquarters. By then, the attackers had been identified by the cybersecurity firm CrowdStrike, which was hired by the DNC, as an “advanced persistent threat”—a term applied to stealthy and sophisticated hackers able to infiltrate a system and remain undetected for an extended period of time.
Secureworks calls them Group-4127, but today CrowdStrike’s moniker—Fancy Bear—is the most widely known. They are also known by the names APT 28, Pawn Storm, Sednit, Sofacy, Tsar Team, and Strontium.
What they are called is of little importance. In the wild, they are distinguished only by the weapons and techniques they employ: an array of malware and exploit tools considered the group’s trademark. This is how CrowdStrike determined that a second threat, which it dubbed Cozy Bear, was also present in the DNC’s servers. And while it appeared the two groups were operating independently, neither aware of the other’s activities, US authorities provided them with a single name: Grizzly Steppe.
The Secureworks research—confirmation of which the AP tasked to a team of six reporters—reveals that between March 2015 and May 2016, Fancy Bear conducted a broad operation targeting 575 Gmail accounts in the US alone. Those accounts belonged to senior State and intelligence officials, defense contractor employees, and high-ranking US military officers, among other political figures, including then-Secretary of State John Kerry and former Secretary of State Colin Powell.
More than 130 Democratic party and campaign staffers reportedly were targeted—several top Clinton political advisors among them—yet only a handful of Republicans.
Further, according to the AP, the group chose for attack at least 545 Gmail accounts belonging to Ukrainians, including those of President Petro Poroshenko and his son, a half dozen current and former ministers, and as many as two dozen current and former lawmakers. In Russia, it was a proverbial who’s who among Putin’s foes: investigative reporters and media figures critical of the administration, activists, organizers, anti-corruption campaigners.
Maria Alyokhina of the anti-Putinist punk rock band Pussy Riot naturally made the cut.
The AP referred to the database of Fancy Bear targets using the term “digital hit list.” After reviewing the data, a slew of Russian experts concurred; combined, the particular targets only make sense in the context of a roster of individuals whom, as one expert put forth, “Russia would like to spy on, embarrass, discredit or silence.”
The origin of the database traces back more than two years to ongoing Secureworks research into Fancy Bear’s phishing campaigns. In the past, the hackers have used links to fake Google account login pages, sent to victims in phony, but realistic-looking email messages, to seize credentials and gain unauthorized access to prominent figures’ Gmail accounts.
But somewhere, somehow, Fancy Bear fucked up: The group had been using multiple Bitly accounts to shorten malicious URLs—and on some, they had apparently forgotten to activate the privacy settings. After Secureworks discovered the Bitly accounts, they quietly monitored the group, surveillance which allowed them to amass a huge database of the hackers’ targets. According to the AP, the database eventually grew to roughly 19,000 malicious links targeting 4,700 unique accounts.
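As an added illustration, not part of the AP report or the Secureworks research it describes, the Python sketch below shows the kind of defender-side triage an expanded-link dataset allows: each short link is paired with the destination it redirects to, and each destination is sorted into genuine Google sign-in, a host that merely embeds the Google brand, or some other credential prompt. The short links, destination hosts and the allow-list rule are constructed placeholders, and resolving the redirects is assumed to have happened beforehand.

```python
from urllib.parse import urlparse

# Constructed sample: short links paired with the destinations they redirect to,
# as a defender would collect by expanding each link. All values are invented.
SAMPLE_EXPANSIONS = {
    "https://shortener.example/r1": "https://accounts.google.com/ServiceLogin?continue=https://mail.google.com/",
    "https://shortener.example/r2": "http://accounts-google.com.login-portal.example/ServiceLogin",
    "https://shortener.example/r3": "https://myaccount.google.com-security.example/verify",
    "https://shortener.example/r4": "https://www.example.org/news/article",
    "https://shortener.example/r5": "https://secure-portal.example/signin/gmail",
}

# Path fragments that typically indicate a credential prompt (assumed list).
LOGIN_HINTS = ("login", "signin", "servicelogin", "verify", "password")


def is_google_host(host: str) -> bool:
    """True only for google.com itself or a real subdomain (match on a label boundary)."""
    return host == "google.com" or host.endswith(".google.com")


def classify_landing(url: str) -> str:
    """Classify one expanded destination URL from a defender's point of view."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if is_google_host(host):
        return "google"               # genuine Google sign-in
    if "google" in host or "gmail" in host:
        return "google-lookalike"     # brand string inside a non-Google host
    if any(hint in path for hint in LOGIN_HINTS):
        return "login-page"           # credential prompt on an unrelated host
    return "other"


def triage(expansions: dict) -> dict:
    """Map each short link to the verdict for its destination."""
    return {short: classify_landing(dest) for short, dest in expansions.items()}


def flagged(expansions: dict) -> list:
    """Short links whose destination is a lookalike or a generic login page."""
    return sorted(s for s, v in triage(expansions).items()
                  if v in ("google-lookalike", "login-page"))


if __name__ == "__main__":
    for short, verdict in triage(SAMPLE_EXPANSIONS).items():
        print(f"{verdict:17} {short} -> {SAMPLE_EXPANSIONS[short]}")
```

The suffix check in is_google_host is the important part: a host such as accounts-google.com.login-portal.example contains the string google.com but is not under the google.com zone, which is exactly the confusion a fake login page relies on.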
Among those on the hit list is Ukrainian journalist and politician Serhiy Leshchenko, who spearheaded an investigation into millions of dollars in secret cash allegedly given by a pro-Russian Ukrainian party to Paul Manafort, the former Trump campaign chairman whose grand jury indictment was announced this week and includes, among other charges, “conspiracy to launder money” and “failure to file reports of foreign bank and financial accounts.”
The AP report comes the same week that charges were announced against three Trump campaign officials, including Manafort and his business associate Rick Gates, who have both pleaded not guilty. Trump advisor George Papadopoulos, who has claimed the campaign agreed to a sit-down between Putin and Trump, pleaded guilty after he was caught lying to federal agents, a felony that carries up to a five-year prison sentence. What’s more, Facebook, Google, and Twitter have spent the past two days on Capitol Hill, responding to lawmakers’ questions over Russian-bought propaganda that pervaded social media throughout the election.
While the US Intelligence Community has asserted that the Kremlin, backed by an army of hackers and trolls, toiled on behalf of the Trump campaign, intent on keeping Hillary Clinton out of the White House, these are accusations Moscow has vehemently denied. This June, President Putin even floated the idea that perhaps some “patriotically minded” hackers took it upon themselves to carry out the attacks.
President Trump, meanwhile, has characterized the allegations of collusion between his campaign and Kremlin officials as part of the “single greatest witch hunt of a politician in American history.” Continually attacking the press for a year now, and even at one point comparing his own intelligence agencies to Nazis, Trump has painted every inquiry into Russian election interference as the fantasies of vengeful Democrats and of a biased liberal media, who he claims are solely motivated to degrade the legitimacy of his presidency.