WASHINGTON — The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin’s crosshairs, The Associated Press has found.
Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.
“It’s utterly confounding,” said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.”
FBI policy calls for notifying victims, whether individuals or groups, to help thwart both ongoing and future hacking attempts. The policy, which was disclosed in a lawsuit filed earlier this year against the FBI by the nonprofit Electronic Privacy Information Center, says that notification should be considered “even when it may interfere with another investigation or (intelligence) operation.”
Last week, the FBI declined to discuss its investigation into Fancy Bear’s spying campaign, but did provide a statement that said in part: “The FBI routinely notifies individuals and organizations of potential threat information.”
Three people familiar with the matter – including a current and a former government official – said the FBI has known for more than a year the details of Fancy Bear’s attempts to break into Gmail inboxes. A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on when it received the target list, but said that the bureau was overwhelmed by the sheer number of attempted hacks.
“It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.
In the face of a tidal wave of malicious phishing attempts, the FBI sometimes passes on information about the attacks to service providers and companies, who can then relay information to clients or employees, he added.
The AP did its own triage, dedicating two months and a small team of reporters to go through a hit list of Fancy Bear targets provided by the cybersecurity firm Secureworks.
Previous AP investigations based on the list have shown how Fancy Bear worked in close alignment with the Kremlin’s interests to steal tens of thousands of emails from the Democratic Party. The hacking campaign disrupted the 2016 U.S. election and cast a shadow over the presidency of Donald Trump, whom U.S. intelligence agencies say the hackers were trying to help. The Russian government has denied interfering in the American election.
The Secureworks list comprises 19,000 lines of targeting data. Going through it, the AP identified more than 500 U.S.-based people or groups and reached out to more than 190 of them, interviewing nearly 80 about their experiences.
Many were long-retired, but about one-quarter were still in government or held security clearances at the time they were targeted. Only two told the AP they learned of the hacking attempts on their personal Gmail accounts from the FBI. A few more were contacted by the FBI after their emails were published in the torrent of leaks that coursed through last year’s electoral contest. But to this day, some leak victims have not heard from the bureau at all.
Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence and was targeted by Fancy Bear two years ago, said there was no reason the FBI couldn’t do the same work the AP did.
“It’s absolutely not OK for them to use an excuse that there’s too much data,” Sowell said. “Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.”
The AP found few traces of the bureau’s inquiry as it launched its own investigation two months ago.
In October, two AP journalists visited THCServers.com, a brightly lit, family-run internet company on the former grounds of a communist-era chicken farm outside the Romanian city of Craiova. That’s where someone registered DCLeaks.com, the first of three websites to publish caches of emails belonging to Democrats and other U.S. officials in mid-2016.
DCLeaks was clearly linked to Fancy Bear. Previous AP reporting found that all but one of the site’s victims had been targeted by the hacking group before their emails were dumped online.
Yet THC founder Catalin Florica said he was never approached by law enforcement.
“It’s curious,” Florica said. “You are the first ones that contact us.”
THC merely registered the site, a simple process that typically takes only a few minutes. But the reaction was similar at the Kuala Lumpur offices of the Malaysian web company Shinjiru Technology, which hosted DCLeaks’ stolen files for the duration of the electoral campaign.
The company’s chief executive, Terence Choong, said he had never heard of DCLeaks until the AP contacted him.
“What is the issue with it?” he asked.
Questions over the FBI’s handling of Fancy Bear’s broad hacking sweep date to March 2016, when agents arrived unannounced at Hillary Clinton’s headquarters in Brooklyn to warn her campaign about a surge of rogue, password-stealing emails.
The agents offered little more than generic security tips the campaign had already put into practice and refused to say who they thought was behind the attempted intrusions, according to a person who was there and spoke on condition of anonymity because the conversation was meant to be confidential.
Questions emerged again after it was revealed that the FBI never took custody of the Democratic National Committee’s computer server after it was penetrated by Fancy Bear in April 2016. Former FBI Director James Comey testified this year that the FBI worked off a copy of the server, which he described as an “appropriate substitute.”
“Makes Me Sad”
Retired Maj. James Phillips was one of the first people to have the contents of his inbox published by DCLeaks when the website made its June 2016 debut.
But the Army veteran said he didn’t realize his personal emails were “flapping in the breeze” until a journalist phoned him two months later.
“The fact that a reporter told me about DCLeaks kind of makes me sad,” he said. “I wish it had been a government source.”
Phillips’ story would be repeated again and again as the AP spoke to officials from the National Defense University in Washington to the North American Aerospace Defense Command in Colorado.
Among them: a former head of the Defense Intelligence Agency, retired Lt. Gen. Patrick Hughes; a former head of Air Force Intelligence, retired Lt. Gen. David Deptula; a former defense undersecretary, Eric Edelman; and a former director of cybersecurity for the Air Force, retired Lt. Gen. Mark Schissler.
Retired Maj. Gen. Brian Keller, a former director of military support at the Geospatial Intelligence Agency, was not informed, even after DCLeaks posted his emails to the internet. In a telephone call with AP, Keller said he still wasn’t clear on what had happened, who had hacked him or whether his data was still at risk.
“Should I be worried or alarmed or anything?” asked Keller, who left the spy satellite agency in 2010 and now works in private industry.
Not all the interviewees felt the FBI had a responsibility to alert them.
“Perhaps optimistically, I have to conclude that a risk analysis was done and I was not considered a high enough risk to justify making contact,” said a former Air Force chief of staff, retired Gen. Norton Schwartz, who was targeted by Fancy Bear in 2015.
Others argued that the FBI may have wanted to avoid tipping the hackers off or that there were too many people to notify.
“The expectation that the government is going to protect everyone and go back to everyone is false,” said Nicholas Eftimiades, a retired senior technical officer at the Defense Intelligence Agency who teaches homeland security at Pennsylvania State University in Harrisburg and was himself among the targets.
But the government is supposed to try, said Michael Daniel, who served as President Barack Obama’s White House cybersecurity coordinator.
Daniel wouldn’t comment directly on why so many Fancy Bear targets weren’t warned in this case, but he said the issue of how and when to notify people “frankly still needs more work.”
In the absence of any official warning, some of those contacted by AP brushed off the idea that they were taken in by a foreign power’s intelligence service.
“I don’t open anything I don’t recognize,” said Joseph Barnard, who headed the personnel recovery branch of the Air Force’s Air Combat Command.
That may well be true of Barnard; Secureworks’ data suggests he never clicked the malicious link sent to him in June 2015. But it isn’t true of everyone.
An AP analysis of the data suggests that out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them. That could mean that as many as 2 in 5 came perilously close to handing over their passwords.
It’s not clear how many gave up their credentials in the end or what the hackers may have acquired.
Some of those accounts hold emails that go back years, when even many of the retired officials still occupied sensitive posts.
Overwhelmingly, interviewees told AP they kept classified material out of their Gmail inboxes, but intelligence experts said Russian spies could use personal correspondence as a springboard for further hacking, recruitment or even blackmail.
“You start to have information you might be able to leverage against that person,” said Sina Beaghley, a researcher at the RAND Corp. who served on the NSC until 2014.
In the few cases where the FBI did warn targets, they were sometimes left little wiser about what was going on or what to do.
Rob “Butch” Bracknell, a 20-year military veteran who now works in Norfolk, Virginia, said an FBI agent visited him about a year ago to examine his emails and warn him that a “foreign actor” was trying to break into his account.
“He was real cloak-and-dagger about it,” Bracknell said. “He came here to my work, wrote in his little notebook and away he went.”
Left to fend for themselves, some targets have been improvising their cybersecurity.
Retired Gen. Roger A. Brady, who was responsible for American nuclear weapons in Europe as part of his past role as commander of the U.S. Air Force there, turned to Apple support this year when he noticed something suspicious on his computer. Hughes, a former DIA head, said he had his hard drive replaced by the “Geek Squad” at a Best Buy in Florida after his machine began behaving strangely. Keller, the former senior spy satellite official, said it was his son who told him his emails had been posted to the web after getting a Google alert in June 2016.
A former U.S. ambassador to Russia, Michael McFaul, who like many others was repeatedly targeted by Fancy Bear but has yet to receive any warning from the FBI, said the lackluster response risked something worse than last year’s parade of leaks.
“Our government needs to be taking greater responsibility to defend its citizens in both the physical and cyber worlds, now, before a cyberattack produces an even more catastrophic outcome than we have already experienced,” McFaul said.
Story: Raphael Satter, Jeff Donn, Desmond Butler