WASHINGTON – The Associated Press revealed a baffling FBI silence about spear phishing attacks by Russian hackers on U.S. officials like the former head of cybersecurity for the U.S. Air Force, an ex-director at the National Security Council and a former head of the Defense Intelligence Agency.
All were caught up in a cyberespionage campaign by Fancy Bear, the hacking team of Russia's Military Intelligence (GRU).
None was warned by the FBI, let alone told to step through security awareness training so that they would be armed against email-based social engineering attacks. Here's an interesting statistic from the AP's analysis: "Out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them." That is a whopping .38 click-through rate.
The FBI repeatedly failed to alert targets of the Russian hacking group also known as APT28, despite knowing for more than a year that their personal emails were in the Kremlin’s crosshairs.
"It's utterly confounding," said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. "You've got to tell your people. You've got to protect your people."
The FBI declined to discuss its investigation into Fancy Bear’s spying campaign, but did provide a statement that said in part: “The FBI routinely notifies individuals and organizations of potential threat information.”
Three people familiar with the matter – including a current and a former government official – said the FBI has known the details of Fancy Bear’s attempts to break into Gmail inboxes for more than a year. A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, said the bureau had been overwhelmed by an “almost insurmountable problem.”
The AP did its own triage, dedicating two months and a small team of reporters to go through a hit list of Fancy Bear targets provided by the cybersecurity firm Secureworks.
The list showed how Fancy Bear worked in close alignment with Kremlin interests to steal tens of thousands of emails from the Democratic Party, the AP reported this month.
But it wasn’t only Democrats who the hackers were after.
The AP identified more than 500 U.S.-based targets in the data, reached out to more than 190 of them and interviewed nearly 80 people, including current or former military personnel, Democratic operatives, diplomats or ex-intelligence workers such as Mazzafro.
Many were long-retired, but about one-third were still in government or held security clearances at the time of the hacking attempts. Only two told the AP they learned of the hacking attempts from the FBI. A few more were contacted by the FBI after their emails were published in the torrent of leaks that coursed through last year’s electoral contest. To this day, some leak victims have not heard from the bureau.
One was retired Maj. James Phillips, who was one of the first people exposed by the website DCLeaks in mid-2016. A year later, Phillips has yet to hear anything from the FBI. In fact, he didn’t learn his emails were “flapping in the breeze” until two months after the fact, when a journalist called him to ask for comment.
Phillips’ story would be repeated again and again as the AP spoke to officials from the National Defense University in Washington to the North American Aerospace Defense Command in Colorado.
Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence and was targeted by Fancy Bear two years ago, said there was no reason the FBI couldn’t do the same work the AP did.
“It’s absolutely not OK for them to use an excuse that there’s too much data,” Sowell said. “Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.”