The FBI neglected to inform dozens of U.S. officials that they were the targets of a Kremlin-aligned cyberespionage group called Fancy Bear, even though the bureau had evidence of the planned attacks for at least a year, an Associated Press investigation revealed on Monday.
After interviewing almost 80 officials whose personal Gmail accounts Fancy Bear was attempting to breach with phishing hacks, reporters found only two cases in which the FBI alerted the potential victims. Some senior policymakers said they were not aware they were targets until contacted by the AP.
Fancy Bear was responsible for employing a phishing ruse to hack into a Gmail account belonging to John Podesta, who at the time was the chairman of Hillary Clinton’s presidential campaign. The group obtained around 60,000 of his emails in March of last year. The cache made its way to Wikileaks, which in turn publicized the messages in a constant trickle aimed at crippling Clinton. The FBI did advise Clinton staffers to look out for a spate of phishing attacks that same month, but agents only offered broad security tips that the campaign was implementing anyways and refused to disclose any information regarding the identity of the hackers.
According to the AP’s report, however, the bureau neglected to extend that same warning to many other intended government and military targets who appeared on a list of Fancy Bear targets compiled by a cybersecurity firm called Secureworks. The investigation revealed that 131 officials clicked on phishing links from Fancy Bear, though it’s not clear if the hackers were ultimately able to acquire passwords or other information. Most officials also told the AP that they do not store classified information in their personal Gmail inboxes, but security experts suggest this initial access could have served as fingerhold for additional hacking or blackmail.
Philip Reiner, a former senior director at the National Security Council and target of Fancy Bear, told the AP, “It’s utterly confounding. You’ve got to tell your people. You’ve got to protect your people.”
And beyond the matter of providing warnings, the FBI also offered little technical assistance. Several of the targets had to consult consumer IT services. A former air force commander who oversaw American nuclear weapons in Europe went to Apple when he saw strange activity on his computer, and a former Defense Intelligence Agency head had Best Buy’s Geek Squad replace his hard drive after his computer started acting suspiciously.
The bureau declined to speak with the AP on the matter, instead providing reporters with a statement that read, in part: “The FBI routinely notifies individuals and organizations of potential threat information.” An anonymous senior FBI official also informed the AP that the bureau struggled to handle the situation because of the high volume of attempted attacks. Some of the targets also suggested that notifying so many people could have tipped off the hackers.
Google for its part has moved to make Gmail more secure in light of the high-profile Russian phishing attacks that sowed so much discord in 2016. The company introduced the Advanced Protection Program in October, which caters to campaign staffers, journalists, and other people whose accounts could be particularly appealing prey for hackers. At-risk users can now buy a device that acts as a physical key to access an account. A potential phisher would then need to steal both the target’s password and device in order execute a breach. The program further enhances other Gmail security features, such as making the account recovery process more robust. However, as Slate technology writer Christina Bonnington points out, Podesta hadn’t even bothered to enable two-factor authentication on his account, so it’s unlikely he would’ve sprung for this more rigorous service.
