Am I on the list?

The past couple of months have felt like running the line at a cyberespionage-themed nightclub, with former government officials, investigative journalists and sundry concerned citizens gathering to ask me: “Am I on the list?”

The list in question is about 19,000 lines of targeting data compiled by cybersecurity company Secureworks and shared with the AP last year. Out of the 2,400 targets on the list that the AP has been able to identify, my colleagues and I have so far notified or attempted to notify nearly 500, interviewing more than 180 of them in the process. That reporting has fed stories about the hacking of Kremlin critics, of the U.S. Democrats, of journalists, of top U.S. national security figures and — most recently — of U.S. Senate staffers and Olympic officials.

The reporting has also repeatedly raised questions from targets about who we are and what we’re doing. That’s only natural; many of those we speak to aren’t computer-savvy and very few are even aware they were ever at risk.

Here is my attempt to answer some of the most commonly asked questions.

Q: Who are you?

A: I am a journalist with The Associated Press; I often write about hacking and espionage. My colleagues — among them Jeff Donn, Desmond Butler, Chad Day and many others — are experienced investigative reporters.

Q: Why are you contacting me?

A: Because your email address or the email address of someone you may know is on Secureworks’ list of hacking targets. This list holds more than 4,700 Gmail addresses that were targeted by the group commonly known as Fancy Bear between March 2015 and May 2016.

Q: What is Fancy Bear?

A: The U.S. intelligence community says that Fancy Bear — a venerable and prolific group also known as APT28, Pawn Storm, Sednit, Strontium, Grizzly Steppe or Iron Twilight — acts on behalf of Russian military intelligence. The Kremlin has denied this, but a series of AP stories has concluded that the group acts in close alignment with the Russian government’s interests.

Q: Where did you get this list?

A: The list comes from Secureworks, an Atlanta, Georgia-based subsidiary of Dell Technologies that specializes in cybersecurity. More information on how they obtained the list is available here. Details about how the AP is going through the list are available here.

Q: What do you want from me?

A: We’d like to warn you that you have been targeted, brief you on the details of the operation, and gather your reaction to what has happened. We may also be seeking forensic details from your Gmail inbox or your computer that could aid our investigation. Finally we’d like to know whether anyone else — for example at a law enforcement organization or at Google — has been in touch with you about the spying. For example, have you ever received a pop-up warning like this?

A screenshot of a Google warning served to Bellingcat contributor Aric Toler on October 11, 2016.

Or perhaps seen a red bar across your Gmail account, like so?

A screenshot of a Google warning served to journalist Natasha Bertrand on January 10, 2018.

Q: Have I been hacked?

A: It’s often hard to say. Sometimes, as in the case of high-profile victims such as John Podesta, it’s clear that the hackers were successful. In most other cases, the data is ambiguous.

Q: I think I was targeted. Can you help?

A: Please contact me. There are indicators we can search for that may help us determine whether you were targeted. Your first step might be to keep an eye out for emails that look like they come from Google or another webmail provider and prompt you to change your password.

They might look, in part, like this:

This is an example of a phishing email sent by Fancy Bear to a Democratic National Committee official on March 25, 2016.

Or perhaps like this:

This is an example of a phishing email sent to journalist Adrian Chen on July 28, 2015.

Or maybe like this:

This is an example of a phishing email sent to a DC-area analyst on December 24, 2015.

Or even like this:

This is an example of a phishing email sent to a DC-area analyst on November 9, 2017.

Many of these emails use link shorteners, such as bit.ly and tinyurl, to mask the malicious nature of the embedded URLs. Lately, Fancy Bear has been using blogspot addresses to obfuscate their activity. Searching your Gmail inbox for “bit.ly” or “tinyurl” or “blogspot” may help you locate the malicious messages. If you speak to me, I can suggest other search terms as well.
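The same search can be run over an exported mailbox instead of the Gmail search box. The Python below is an added example, not part of the original article and not AP or Secureworks tooling: it decodes each message body and flags links whose hostname matches the three terms named above, so a plain mention of "bit.ly" is ignored while a link hidden by quoted-printable encoding is still found. The function names, sample messages, addresses and URLs are all constructed for illustration.

```python
import email
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def body_text(msg):
    """Decode every text/* part (undoes base64 and quoted-printable)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("utf-8", errors="replace"))
    return "\n".join(chunks)

def is_suspect(url):
    """True when the link's hostname is a bit.ly, tinyurl or blogspot host."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return False
    labels = host.split(".")
    return (host == "bit.ly" or host.endswith(".bit.ly")
            or "tinyurl" in labels or "blogspot" in labels)

def suspect_links(msg):
    return [u for u in URL_RE.findall(body_text(msg)) if is_suspect(u)]

def scan(messages):
    """Return (From, Subject, links) for each message with a suspect link."""
    found = ((m, suspect_links(m)) for m in messages)
    return [(m.get("From", ""), m.get("Subject", ""), links)
            for m, links in found if links]

# Constructed sample messages (not real phishing emails).
SAMPLES = [email.message_from_string(raw) for raw in (
    "From: Google <no-reply@accounts.example>\nSubject: Change your password\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<a href=3D"http://bit.=\nly/EXAMPLE">CHANGE PASSWORD</a>\n',
    "From: friend@mail.example\nSubject: reading list\n\n"
    "An article about bit.ly links: https://www.example.org/story\n",
    "From: Mail Team <alerts@mail.example>\nSubject: Review activity\n\n"
    "Sign in at https://constructed-sample.blogspot.com/verify today\n",
)]

if __name__ == "__main__":
    for row in scan(SAMPLES):
        print(row)
```

To check a real export, pass `mailbox.mbox(path)` from the Python standard library to `scan` in place of `SAMPLES`. A hit only means the message contains such a link and deserves a closer look; legitimate mail uses these services too.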

Bear in mind that while Secureworks’ data only pertains to Gmail, Fancy Bear is known to imitate other webmail services too, including those provided by Microsoft, Yahoo, Ukr.net and even Chmail, which is popular in Iran.

Any further questions? Feel free to leave them in the comments, or contact me directly.