Fumbling Bear

Raphael
Dec 22, 2017


Today the AP has another story — part of our months-long investigation into Fancy Bear — that explores how the group has spent years hunting journalists across the world. Previous stories have shown how the group has gone after Kremlin opponents and how it pried into Hillary Clinton’s campaign. But there’s something else I’ve noticed about the hackers as we combed through 19,000 lines of Fancy Bear targeting data supplied to us by cybersecurity firm Secureworks.

They’re not all that good.

Russian hackers are often described as sophisticated, but the Secureworks data and interviews with more than 40 media targets point to an error-prone campaign that hit obsolete email addresses and sometimes flubbed targets or tipped them off through repetitive break-in attempts.

The hackers occasionally appeared to be behind on the news, missing information that would have easily been available through a basic Google search.

For example, the data shows that Fancy Bear repeatedly tried to break into the Gmail account of The New York Times’ Ellen Barry, who shared a Pulitzer Prize for her reporting on Russia’s corruption-ridden justice system in 2011. But by the time the hackers tried to jimmy open her inbox in 2015, Barry was long gone from Moscow; she had taken up a role as the Times’ South Asia bureau chief two years earlier.

Fancy Bear had a similar mix-up with Max Seddon, who wrote one of the earliest exposés of Russia’s notorious troll farm for BuzzFeed News. By the time the hackers targeted Seddon at his BuzzFeed email in May 2016, it was inactive. He’d already left for a job as the Moscow correspondent for the Financial Times several months earlier.

In another case, Fancy Bear repeatedly tried to break into the email account of a European defense researcher (who has asked me to keep his name confidential). But the group got the researcher’s address wrong, sending phishing emails to an identically named 25-year-old electrician instead.

Even presumably high-profile aspects of Fancy Bear’s espionage campaign — like the attempt to compromise the Clinton campaign and the DNC — suffered from sloppiness.

As we’ve previously reported, the hackers began by scooping up emails from Clinton’s 2008 run which just so happened to be online, such as charleston@hillaryclinton.com, txpress@hillaryclinton.com, and nytravelers@hillaryclinton.com.* In the case of one of the group’s first targets, former Clinton ’08 staffer Rahul Sreenivasan, they might simply have checked his publicly available LinkedIn profile to realize he hadn’t worked for Clinton in nearly a decade. More obvious emails, like those of Clinton fixer Philippe Reines (whom they eventually targeted, presumably after breaking into other staffers’ accounts), were just a Google search away — if only they had bothered.

There are many other examples I could invoke — Fancy Bear’s phishing emails often contain wooden English, and its too-repetitive targeting of the journalism collective Bellingcat ultimately led to the repeat exposure of its infrastructure by internet intelligence firm ThreatConnect, for example — but the very fact that the AP even has their targeting data (courtesy of Secureworks) suggests a certain inattention to detail.

(Image caption: Some suspected Fancy Bear phishing emails betray a lack of effort.)

None of this is to say that Fancy Bear doesn’t do its job. Its methods may be basic and the group may make clumsy mistakes, but the nature of digital security means the bar is relatively low for state-backed hackers.

Sometimes, a good enough job is simply good enough.

___

*These email addresses are obsolete.
