
The July 13, 2018 indictment of 12 GRU operatives provided extraordinary insight into how Fancy Bear operates. But it left several mysteries unresolved — and even injected a few new ones into the mix.

Here follows a point-by-point attempt to add some missing pieces to the indictment’s puzzle, drawing on my past reporting and the data supplied to me by Secureworks in 2017. At the bottom is a diagram providing a granular look at how the Fancy Bear phishing operation worked in 2016. I may update this post if and when new information comes to light. …


I’ve recently left The Associated Press, where I had the opportunity to write a series of articles about Russia’s “Fancy Bear” group of hackers. The articles tracked a range of activity, from the 2016 election interference campaign to attempts to hack journalists, defense contractors and even senior Orthodox priests. The series, which drew on Secureworks’ Gmail target list, covered a lot of ground, but I didn’t have space for everything. One of the more interesting detours I took went through the world of aging leak sites and defunct hacktivist groups. …


Over the past couple of months, Citizen Lab researcher John Scott-Railton and I have been navigating the hall of mirrors created by a mysterious group of undercover operatives, one of whom — a former Israeli intelligence officer named Aharon Almog-Assouline — we ambushed at a Manhattan restaurant in January while he was masquerading as a French consultant.

AP video piece on how undercover operatives have been targeting civil society

I have a new story out today about how another undercover operative — using a very similar modus operandi — has been discovered targeting opponents of Kaspersky Lab, the Russian anti-virus…


I write about cybersecurity for The Associated Press, but like other reporters I pitch in on other investigative tracks too. That includes occasional forays into covering the fallout from Russia’s 2016 election interference. On Monday, I published a story on Joseph Mifsud, the enigmatic Maltese academic who is alleged to have dropped a publicly known hint of Russian interference in the 2016 vote. Mifsud has since gone to ground and, while I couldn’t locate him, I did speak to his lawyer, whose office supplied me with a photo of the man.

The picture shows Mifsud in what appears to be an…


I have a new story out today about yet another of Fancy Bear’s targets: The Ecumenical Patriarchate in Istanbul. It shows that even men and women of the cloth aren’t beyond the reach of digital spies. But there’s a subplot I didn’t fully explore and a lingering mystery I’d like to clear up.

As I was examining Fancy Bear’s 2015–2016 attempts to break into senior church officials’ inboxes, I came across an October 16, 2017 email written, it seemed, by church spokesman Nikos-Giorgos Papachristou and addressed to members of the Orthodox community. …


When Russia-backed forces overran Crimea and eastern Ukraine in 2014, Yuri Dobronravin quit his job.

Dobronravin had been working as a developer, designing military simulation programs for a client in Kazakhstan. But Kiev’s poorly funded forces were reeling from the Russian-backed onslaught and Dobronravin became one of many Ukrainian volunteers who pitched in, providing food, clothes, materiel and — in Dobronravin’s case — tech support.

“The Ukrainian military, in 2014, didn’t have even the basic equipment — helmets, equipment, body armor,” he told me recently. “There was a huge civil effort to prepare the army.”

Dobronravin began providing the military…


Recently a government official in Ukraine forwarded me this message he received over WhatsApp:

A Feb. 23, 2018 WhatsApp message offering free airline tickets

The official recognized the message as phishing (misspellings such as “Airine” & “ticets” were immediate giveaways) but he was concerned both because he had previously been targeted by the Russian government-aligned hacking group known as Fancy Bear and because the date the message was sent — Feb. 23, 2018 — corresponded not to the 100th anniversary of the Dutch airline KLM but to the 100th anniversary of the Soviet Red Army. …


For the past four months, the world’s most popular video sharing site has been trying to get me to believe in aliens.

At least 200,000 of them are secretly walking among us, “getting married and producing alien-human hybrids,” says one rambling video recommended to me by YouTube in February. The aliens are running out of patience, the video warns, and unless Earth’s “super elites” change their corrupt ways, “a very powerful cosmic entity” is preparing “to deliver a massive worldwide final judgment.”

YouTube had been urging me to check out videos of this ilk for weeks. In January, it…


The past couple of months have felt like running the line at a cyberespionage-themed nightclub, with former government officials, investigative journalists and sundry concerned citizens gathering to ask me: “Am I on the list?”

The list in question is about 19,000 lines of targeting data compiled by cybersecurity company Secureworks and shared with the AP last year. Out of the 2,400 targets on the list that the AP has been able to identify, my colleagues and I have so far notified or attempted to notify nearly 500, interviewing more than 180 of them in the process. That reporting has fed…


Today the AP has another story — part of our months-long investigation into Fancy Bear — that explores how the group has spent years hunting journalists across the world. Previous stories have shown how the group has gone after Kremlin opponents and how it pried into Hillary Clinton’s campaign. But there’s something else I’ve noticed about the hackers as we combed through 19,000 lines of Fancy Bear targeting data supplied to us by cybersecurity firm Secureworks.

They’re not all that good.

Russian hackers are often described as sophisticated, but the Secureworks data and interviews with more than 40 media targets…

Raphael

Journalist
