Most Fancy Bear hacking targets weren’t warned by FBI

An investigation by the Associated Press has revealed that the FBI never got around to telling a majority of US officials that they’d been targeted by “Fancy Bear” Russian hackers who tried to pry open their email accounts.

At all. Whatsoever. In some cases, that includes not being contacted by the FBI even after their emails had been stolen and published online.

Working from a hit list of the Russian government-linked cyberespionage group, provided by the security firm SecureWorks, the AP identified more than 500 US-based people or groups that had been targeted. Over the course of two months, relying on the work of a “small team of reporters,” the AP reached out to more than 190 of those targets.

The FBI had informed only two of them that their Gmail accounts had been targeted. The FBI reached out to a few more after their emails were leaked during last year’s presidential election.

Many of the officials were long-retired, but about a quarter were still working in government positions or held security clearances when they were targeted.

The AP did more than simply call those people: it also sent reporters to knock on doors in the countries where websites associated with breached information were hosted.

One such site was DCLeaks.com, which published caches of emails that were stolen during the Fancy Bear-linked hacking of Hillary Clinton campaign chairman John Podesta and other members of the Democratic National Committee (DNC).

DCLeaks was registered at THCServers.com: what the AP describes as “a brightly lit, family-run internet company on the former grounds of a communist-era chicken farm outside the Romanian city of Craiova.”

THC founder Catalin Florica’s response when the AP’s two reporters started asking questions? Nope, haven’t seen any FBI agents ’round these parts. Or law enforcement agents of any flavor, for that matter:

It’s curious. You are the first ones that contact us.

The AP got a similar reaction from the Kuala Lumpur offices of the Malaysian web company Shinjiru Technology, which it says hosted DCLeaks’ stolen files for the duration of the electoral campaign. Shinjiru CEO Terence Choong said he hadn’t heard of DCLeaks until the AP contacted him:

What is the issue with it?

The FBI, which launched its investigation into Russian meddling in the 2016 US election two months ago, declined to publicly comment on Fancy Bear’s spying. It did, though, provide the AP with a statement that said, in part, that yes, we do give people a heads-up:

The FBI routinely notifies individuals and organizations of potential threat information.

But sources familiar with the matter, including one former and one current government official, told the AP that the FBI has known for more than a year about Fancy Bear’s attempts to break into the US officials’ Gmail accounts. A third, senior FBI official noted that the bureau was “overwhelmed by the sheer number of attempted hacks.”

It’s a matter of triaging to the best of our ability the volume of the targets who are out there.

Oh, that is so not cutting it, said Philip Reiner, a former senior director at the National Security Council who first heard from the AP that he’d been targeted in 2015.

It’s utterly confounding. You’ve got to tell your people. You’ve got to protect your people.

Another targeted official was Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence. He was targeted by Fancy Bear two years ago and told the AP that there’s no reason why the FBI couldn’t have done the same outreach and research that the news agency conducted:

It’s absolutely not OK for them to use an excuse that there’s too much data. Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.

When the AP contacted the 190 officials, many were saddened at the FBI’s failure to inform them of the hacking attempts. They were also mystified as to what they should do about it, or what the ramifications of the attacks were. One of them was retired Maj. Gen. Brian Keller, a former director of military support at the Geospatial Intelligence Agency. The FBI didn’t call Keller, even after DCLeaks posted his emails to the internet. He told the AP that he wasn’t clear on “what had happened, who had hacked him or whether his data was still at risk.”

Should I be worried or alarmed or anything?

Not everybody’s miffed at the Bureau. The AP talked to Nicholas Eftimiades, a retired senior technical officer at the Defense Intelligence Agency who teaches homeland security at Pennsylvania State University in Harrisburg and who was himself among the targets:

The expectation that the government is going to protect everyone and go back to everyone is false.

At any rate, beyond questions of why the FBI didn’t reach out to the hacking targets and what responsibility it has to at least try, there’s the question of how successful Fancy Bear’s attacks were. According to the AP’s analysis:

Out of 312 US military and government figures targeted by Fancy Bear, 131 clicked the links sent to them. That could mean that as many as 2 in 5 came perilously close to handing over their passwords.

Ouch. That’s a lot of people, in sensitive government positions, clicking where we’re all (hopefully) trained not to click. How could they?

Unfortunately, it’s far too easy to fall for phishing attempts. That was made clear by the New York Times when it explained how Podesta’s credentials were given up because of the simplest of errors: a mere two missing letters. Yes, he was caught out by a typo.

Not his typo, mind you. Rather, an aide forwarded a phishing email sent to Podesta, sending it to the campaign’s IT staff to ask if the notice was for real. The email, purportedly from Google, said that hackers had tried to infiltrate Podesta’s Gmail account.

Clinton campaign aide Charles Delavan replied that yes, the message was “a legitimate email” and that Podesta should “change his password immediately”.

There were two missing letters – “i” and “l” – that should have preceded the word “legitimate”.

As Delavan told the NYT, he knew the email was a phishing attack, given that the Clinton campaign was getting a steady stream of them. He meant to reply that the email was “illegitimate”.

What he should have told the aide was that the password should be changed immediately, but directly through Google’s site and not by clicking on the link in the phishing email.

But instead, he inadvertently told the aide to click on the phishing link, and that’s how the attackers got Podesta’s Gmail login, enabling them to get into Podesta’s account and to about 60,000 emails stored therein.

Ouch, ouch, ouch.

You know, it would be great if we could rely on the FBI to inform all espionage targets of phishing attacks like that. Hell, it would be great if we could rely on the FBI to inform all of us about phishing attacks, particularly now that we’re knee-deep in Christmas retail glee and the fraud that it drags in.

But cybersecurity helps those who help themselves. And Naked Security – being all about helping those who help themselves (as well as family and friends!) – has put together 3 simple tips to stay off the hook this phishing season.

May they help you stay in the “didn’t click” percentage!