Russian hackers move to new political targets

Russia’s cyber operations against the United States are showing signs of accelerating even as lawmakers grapple with how to deter and respond to the threat.

Moscow-linked hackers have expanded to new political targets, including the U.S. Senate, in the wake of the hacking and disinformation campaign during the 2016 presidential race.

The hackers, said to have links to Russia’s GRU military intelligence unit, are part of the same group that was implicated in the 2016 hacks of the Democratic National Committee (DNC) and Hillary Clinton’s campaign.

The cybersecurity firm Trend Micro revealed last week that the cyber espionage group known as APT 28, “Fancy Bear” or “Pawn Storm” had begun targeting the Senate in June, orchestrating a phishing campaign using fake websites to steal official credentials for the Senate’s email system.

Fancy Bear has been active since the mid-2000s, conducting cyber espionage operations that have been widespread across the globe, with a particular eye to members of NATO.

{mosads}“By and large, we see global coverage,” said Adam Meyers, vice president of intelligence at CrowdStrike, a cyber firm that tracks a number of Russian state-sponsored cyber groups. “We haven’t really seen them stop or slow down.”

Some cybersecurity experts who have tracked the group’s operations for years say they saw an increase in activity in 2016, particularly with regards to the targeting of political organizations.

“It’s definitely going more political, and their activity has increased,” said Ed Cabrera, chief cybersecurity officer at Trend Micro. “We definitely saw a marked increase in volume in 2016.”

While experts say it is too early to give a full accounting of the group’s activity in 2017, early signs suggest that Moscow’s hackers are expanding their list of targets to fit Russia’s broader geopolitical objectives.  

Fancy Bear is among a number of cyber groups that experts assess are sponsored by the Russian state. Some are focused on espionage operations, while others work on more destructive attacks, such as those targeting critical infrastructure.

“There’s a lot of activity associated with Russian threat actors that are conducted globally,” Meyers said.

The U.S. intelligence community has concluded that the Russian hacking campaign in 2016 was partially aimed at helping President Trump win the White House, highlighting how such efforts have evolved from mere espionage to active influence campaigns.

“The Russians have been breaking into our networks for espionage reasons for decades,” said James Lewis, a former State Department official and cybersecurity expert at the Center for Strategic and International Studies. “In 2016, they went on the offensive.”

Both the Obama and Trump administrations’ responses to Russian interference have been met with criticism, with some Democrats arguing that Obama should have sooner gone public with the details of Russia’s cyber operation.

“Starting with President Obama’s initial response, I’ve always felt the response was insufficient,” Rep. Jim Himes (D-Conn.), a member of the House Intelligence Committee, said Wednesday. “I kind of felt like we gave them a slap on the wrist and I think we continue to, sadly, encourage them, for example, with the president’s refusal to speak very clearly about what the Russians did to us.”

Last August, Trump begrudgingly signed legislation sanctioning Russia for interfering in the election. The law also put limits on his own ability to lift sanctions on Russia while adding to the penalties unveiled by the Obama administration in late December 2016, after the election.

Trump’s national security strategy released in December called Russia out for waging “offensive cyber efforts to influence public opinion” and promised to impose “swift and costly consequences” on actors that target the U.S. in cyberspace. It made no specific mention of Russian interference in the election. 

“The Trump administration says they’re going to adopt a new policy that will impose new consequences in cyberspace. That’s exactly the right thing to do, but they haven’t done it yet,” said Lewis.

“It’s all just paper unless you actually do something. That was the Obama problem, and that’s the problem so far for these guys.”

Meanwhile, reports of Russia’s operations targeting the Senate have ignited worries on Capitol Hill. On Friday, Sen. Ben Sasse (R-Neb.) demanded a briefing from Attorney General Jeff Sessions on what steps the administration has taken to counter Russian hackers. 

“Russia is just getting started and the hacks, forgeries and influence campaigns are going to get more and more sophisticated,” Sasse said.

When it comes to Fancy Bear, the hacker group’s tactics, experts say, have largely remained the same — leveraging spear-phishing emails, credential phishing and others means of compromising their targets to pilfer sensitive information.

In recent years, the group has coupled its intelligence collection with information operations, using “faketivist” or hacker personas to release the information.

The group, for instance, used the hacker persona Guccifer 2.0 and DCLeaks to release hacked information from the DNC ahead of the election.

New evidence emerged this month that Fancy Bear has launched a cyber campaign targeting Olympic organizations following Russia’s ouster from the 2018 Winter Olympics for state-sponsored doping.

A hacker persona linked to the group released purported emails and documents from the International Olympic Committee earlier this month. Meanwhile, the cyber firm ThreatConnect has identified spoofed domains imitating the World Anti-Doping Agency (WADA), the U.S. Anti-Doping Agency and the Olympic Council of Asia that have the markings of prior Fancy Bear hacking campaigns.

In 2016, Russian hackers targeted WADA, releasing confidential information about U.S. and other Olympic athletes through the same hacker persona that calls itself “Fancy Bears’ international hack team.”

“In all of these different attacks and influence operations, beyond it there is a geopolitical motivation that certainly fits with the Russian state’s motivations,” said Kyle Ehmke, senior intelligence researcher at ThreatConnect.

Olivia Beavers contributed.