An extensive, Russian-backed hacking operation targeted the email accounts of thousands of perceived Kremlin adversaries in 2015 and 2016, an Associated Press investigation has learned.
The effort, broadly referred to as “Iron Twilight” by security researchers, sought to compromise 4,700 Gmail accounts worldwide, belonging to everyone from high-profile U.S. politicians ― including Hillary Clinton, John Podesta and Colin Powell, who were all hacked ― to academics, journalists, political activists and military personnel.
Who they targeted
According to information provided by Secureworks, the cybersecurity firm whose data underpins much of the AP report, there’s a clear link between the targeted email accounts and Russia’s targets in the real world.
A spokesperson for the prime minister of Ukraine, for instance ― where Russian forces are currently engaged in a military conflict ― was targeted nine times, Secureworks said.
Other targeted individuals identified by the AP include former Secretary of State John Kerry, former NATO Supreme Commander U.S. Air Force Gen. Philip Breedlove, and Serhiy Leshchenko, a Ukranian politician who helped reveal alleged financial crimes of Paul Manafort, who was indicted Monday.
Experts on Ukrainian and Russian subject matters, as well as aerospace researchers and engineers were also among those targeted.
Military spouses and family members also constituted a surprisingly large portion of those targeted, which Secureworks speculates may be an attempt to learn about broader military issues in the U.S., or to gain information about the target’s spouse.
Of the military and government personnel who were targeted, the vast majority are either in the U.S. or a member of NATO:
Given the specific range of targets, experts said the hacks almost undoubtedly originated from within the Kremlin.
“It’s simply hard to see how any other country would be particularly interested in their activities,” Michael Kofman, a Russian military affairs expert at the Woodrow Wilson International Center who had his email targeted, told the AP.
“If you’re not Russia,” he said, “hacking these people is a colossal waste of time.”
Secureworks told HuffPost other, non-Gmail email providers were also targeted in the effort, though they don’t have data on the particulars of the campaign. While the firm only has data spanning March 2015 through May 2016, there’s no reason to believe Russia has ceased its hacking operations.
“This type of operation supports an ongoing intelligence objective,” Rafe Pilling, a senior security researcher with Secureworks’ Counter Threat Unit team said. “The activity is still underway via similar methods and likely will continue while the hackers behind this activity continue to be successful.”
“The targeting we saw (of 4,700 Gmail accounts) was just a fragment of a larger campaign from Iron Twilight.”
How they did it
Data provided by Secureworks shows Russian-linked groups operating under the names APT28, Sofacy, Sednit, Fancy Bear, and Pawn Storm sent emails to targets that mimicked authentic login pages from Google Accounts.
Instead of being directed to the real Google Accounts page, however, the emails directed recipients to a highly-convincing fake page, which then recorded the user’s login and password information:
Russian hackers disguised the website address of the fake page via Bitly, a link-shortening and web analytics service, which is ultimately what tipped Secureworks off to the hacking campaign.
By working backward from a compromised login page, Secureworks was able to decipher the publicly-accessible Bitly account associated with it. That account served as a window into all of the group’s other activity, which, the AP found out, was used 95 percent of the time Monday-Friday, during Moscow’s regular business hours.
Bitly representatives told HuffPost they took quick action once they learned of the activity, noting the operation itself involved little in the way of conventional “hacking” ― all the login information was unwittingly supplied by the targets themselves.
“The links and accounts related to this situation were blocked as soon as we were informed,” Bitly CTO Rob Platzer explained in email. “This isn’t really an exploit of Bitly, but it’s an unfortunate exploit of internet users through social engineering.”
“It serves as a reminder that even the savviest, most skeptical users can be vulnerable to opening unsolicited emails. It can’t always be helped, but we advise everyone to be extra cautious about emails and links related to passwords and other sensitive information, and to employ safety measures such as unique passwords and two-factor authentication.”
What to do if you think you’ve been hacked
Unless your information has been published online, there’s a decent chance you wouldn’t know you’ve been hacked.
“If a target was compromised,” said Pilling, “it’s entirely feasible that the compromise could go undetected for an extended period of time.”
Given the wide range of those targeted and Russia’s continued hacking efforts, Secureworks recommends those who suspect they could be a target ― and use Gmail or any other web mail service ― to regularly change their passwords.
Other commonsense steps, like enabling “two-factor” or “two-step” authentication on your email account, can also go a long way, Pilling said.
He also recommended readers check to see what applications and devices they’ve authorized to access their account, information that’s often found under “settings.”
“If there are any apps or devices they don’t recognize, they should disable or delete the access right away,” he said.
And finally, don’t open attachments or click links in an email unless you’re sure the email was actually ― and intentionally ― sent to you by the sender.