As concerns about cyberattacks grow, hackers are going after Russia wonks.
By Jenna McLaughlin, Robbie Gramer, and Jana Winter (Foreign Policy)
On Tuesday morning, a hacker going by the name Johnnie Walker sent a group email to an unknown number of recipients claiming to have a trove of emails from the private account of a U.S. intelligence official.
“The U.S. State Department officer’s email has been hacked,” the email announced, and included at least two years’ worth of personal emails from the private Gmail account of a State Department official working in the secretive intelligence arm of the State Department focusing on Russia.
The sender said the archive included exchanges between the official and “CIA officers and other intelligence agencies, mainstream media, NGOs, and international funds” that would “give you evidence of who is responsible for agenda formation in many countries worldwide, especially where the situation is insecure.”
The official involved is in a senior position in the State Department’s Bureau of Intelligence and Research, according to a 2017 department directory. Even though the official’s name is public, Foreign Policy is not identifying him at the department’s request, citing security concerns.
The emails, from a nongovernment account, include personal information.
The State Department did not confirm or deny the authenticity of the emails. “The Department of State is well aware that malicious actors often target email accounts of government and business leaders across the United States. As a matter of policy, we do not discuss specific attempts or incidents,” a State Department spokesman said.
But the official’s expertise in Russian politics and organized crime makes him a significant target.
“He’s probably the top intelligence guy in the entire U.S. government on Russia. He knows more than anybody about what’s going on there,” said one source whose correspondence with the official was revealed in the hack.
While it’s unclear whether the hack is an isolated incident or part of a broader campaign, it comes amid a widening investigation into Russian cyberattacks that included interference in the 2016 U.S. presidential election. Those attacks, according to officials and documents, go beyond high-level political operatives and include experts and think tanks, particularly those working on Russia issues.
A 2016 document from the Department of Homeland Security's Office of Intelligence and Analysis, obtained by FP, warned that there had been more than a dozen recent cases of U.S. think tanks being hacked, including one breach that involved stealing data on Russia-Turkey relations. The document, which is marked "For Official Use Only," says, "Cyber actors likely will continue to target think tanks and similar organizations, as many maintain significant connections to US government information and personnel, especially foreign policy officials." DHS did not respond to a request for comment.
James Comey, then the FBI director, testified that Russian interference in the U.S. election included a wide array of people and institutions and began well ahead of time.
“The Russian active measures campaign may have begun as early as 2015, when Russian intelligence services launched a series of spear phishing attacks designed to penetrate the computers of a broad array of Washington-based Democratic and Republican party organizations, think tanks, and other entities,” he testified in March. “This continued at least through the winter of 2016.”
The official’s emails were primarily conversations among Russia experts in government, including the intelligence community, exchanging articles, newsletters, and thoughts on current events. The official corresponded frequently with other Russia experts in academia and the think-tank world.
While several of his colleagues contacted by FP said they were unaware of the hack, they were not surprised, given recent events.
According to a second source whose correspondence showed up in the hacked emails, at least one other Russia expert was recently hacked — an Australian academic with a history of government service, although the emails appear not to have been released. The source said it was interesting that the hacker framed the official as an intelligence agent, a common tactic reserved for Putin’s enemies. “The Kremlin’s standard line is that its opponents are pawns of foreign intelligence services,” the source wrote in a message to FP.
“One must always assume all of one’s messages can be read, stolen, distributed, and used,” wrote Celeste Wallander, the former special assistant to the president and senior director for Russia and Eurasia at the National Security Council in the Obama administration, when informed by FP that some of her correspondence was in the email trove. “I do.”
Wallander and others participated in a “Russia working group” with Arizona State University, hosting off-the-record sessions to discuss Russia policy. The official was in regular touch with think-tank experts like Fiona Hill, then at the Brookings Institution and now in charge of Russia policy at the National Security Council.
There's no evidence proving Russian hackers targeted the official, but the first media outlet to pick up on the hack was an obscure website in Crimea, which published specific emails and provided a link to the cache. A former employee of the news agency had claimed in an article that the website is financed by the Russian secret service, with its topics assigned by top political leadership in Moscow.
A Donetsk, Ukraine-based editor for the website, who declined to provide his name, said allegations of Russian government funding were untrue and "funny," then denied that the website had published the article, which appeared to have been taken down from the site. The article on the hack was republished later in the day.
Intelligence experts say it wouldn’t be surprising if Russians carried out the hack.
"The Russians are probably the most aggressive intelligence service in the world," said John Sipher, a 38-year veteran of the CIA's National Clandestine Service, in a phone interview with FP. "The fact that they did go after State Department officials is completely consistent with the way the Russians behave."
Intelligence officers are regular targets of attacks from all kinds of state and criminal enemies, according to Sipher. “It’s probably a lot wider than we know,” he said.
The CIA declined to comment.
“This smells like exactly something Russia would do,” said one government official, who spoke on condition of anonymity.
President Donald Trump continues to deny that Russia meddled in the U.S. elections, despite findings by U.S. intelligence agencies and revelations about his son Donald Trump Jr.’s meetings with a Kremlin-linked lawyer in which he and other advisors explicitly cited the Russian government’s support for Trump’s campaign.
Even if the hackers appear to be Russian, cybersecurity experts cautioned against jumping to conclusions.
These sorts of hacks are "not unusual," Jeffrey Carr, a cybersecurity expert and author, told FP. Hacking a personal email account doesn't require sophistication, and the person or people involved could simply be looking for "glory" or "street cred," he said.
“I’ve had hackers send me some of these in the hopes I would write about it,” Carr added. “Sometimes the story is just, he’s been hacked.”
Russians, or even state actors, aren’t the only ones who may want to hack a government official’s account.
“Clearly Russia would be interested in hacking a Russia expert,” said Jon Nichols, a cyberinformation operations expert. “But any kid would also be interested in hacking a Russia expert for the optics of it.”
Nichols, who's tracked hackers for years, recalled when Lizard Squad, a hacking group known for disrupting gaming services and websites, pretended to be the Islamic State to garner fame, posting an Islamic State flag on Sony's servers. Depending on the sophistication of the attack, it could have been an amateur or an expert who is part of an advanced persistent threat, or APT, a term used for well-resourced, typically state-backed intrusion groups that maintain long-term, covert access to their targets. Breaking into a single personal Gmail account, by contrast, can be done with a convincing phishing page and a stolen password, so the identity of the victim alone says little about the skill or sponsorship of the attacker.
“The only difference between a Nigerian prince and a Russian APT is spell check,” he joked.