Who Are the Russian-Backed Hackers Attacking the U.S. Political System?
Two teams of highly skilled hackers directed and protected by the Russian state are on the offensive.
Cybersecurity experts and intelligence officials tell NBC News the same hackers who broke into the Democratic Party’s computers, the World Anti-Doping Agency’s Administration System and who are implicated in the leaks of the personal emails of former Secretary of State Colin Powell and the health documents of Olympians are executing a Kremlin-backed campaign of cyber-espionage and sabotage.
Their target: Western democratic institutions and Russia’s political opponents.
“They are starting to figure out the way to apply the power they have in terms of technical capabilities into the geopolitical aspect,” Italian cyber security investigator Stefano Maccaglia told NBC News.
At a small square in Rome on a recent summer day, Maccaglia explained how he came to know most of these hackers in the early 2000s, when he was one himself. Having since crossed to the other side, Maccaglia’s job now is to investigate — sometimes for the Italian government — the Russian hackers’ cyber-attacks.
Maccaglia, who is now an advisory consultant for the network security company RSA, explained that the two teams of Russian hackers vary from trained researchers with a mathematical background to “the very funny person” skilled in computer programming languages and are turned into “gangs of cyber-mercenaries” who offer their “brilliance” to the highest bidder.
“They obviously have a very good life now,” Maccaglia said of the privileges they enjoy for their services.
Their relationship to the Russian state, he explained, is a win-win: The cyber gangsters are allowed to keep stealing — their traditional hacking work — as long as they do the bidding of Russian intelligence services.
In exchange, they receive state protection.
“They are above the law and are obviously protected,” Maccaglia said. “That’s why nobody can prosecute them. There is no way to reach them anymore.”
Cybersecurity experts and intelligence officials said that the tools and methods the Russian hackers use against American and other targets are at times extremely sophisticated and that their attacks adapt immediately every time a target attempts to secure its system during the attack.
“Russian operators are among the most impressive and disciplined operators that we know of,” said Thomas Rid, a securities studies professor at the Kings College of London.
Maccaglia believes that the cyber-espionage army at the Kremlin’s disposal is “a couple of thousand” strong. He added that analysis shows that there are only a few layers of hierarchy between the hackers and the Russian government — explained by their immediate shift of interest in targets every time the Kremlin changes its foreign policy alliances.
“What you see here is the typical kind of attacks we are seeing … with origin BEAR,” said Andreas Koenen, pointing to a graphic outlining the Russian cyber-attacks against Germany’s institutions.
Intelligence officials like Koenen and cybersecurity experts often dub all Russia-backed hackers as “BEARS.”
The two teams responsible for the DNC break-in and other recent attacks are called FANCY BEAR and COZY BEAR.
Koenen is the man overlooking the Federal Office for Information Security (BSI), the German equivalent of the NSA. The graphic he was pointing to stands prominently on the wall of the agency’s Situation Room at its headquarters in Bonn, where NBC News was granted rare access.
From here, Germany’s emergency response teams monitor all cybersecurity threats against state computer systems and key infrastructure, such as water, gas, energy and telecommunications, in real time.
Koenen said the Russian hackers responsible for infiltrating the DNC are a “really, really advanced group of hackers,” as they have exhibited during previous occasions.
One such hit was the 2015 hack of the computer system of the German parliament — the Bundestag — used by all German lawmakers, which Koenen called an act of “state sabotage.”
“Data was flowing out of the German parliament and the attackers were able to get access to several email accounts,” Koenen said
Once inside the German parliament’s internal network, the hackers were able to completely take over the lawmakers’ computers, to steal information, alter data and to fully operate their machines by remote control, much in the same way IT support technicians can move your mouse from anywhere in the world if you give them permission.
In the U.S., it would be the equivalent of Congress being hacked and the contagion spreading to political parties and the offices of the congressmen and senators in their home states.
“They got very deep. In addition, they were able to hop to other networks and dive in those too, if those networks were connected,” Koenen said.
During the subsequent investigation, Germany’s intelligence agencies determined that the hackers prepared the attack against the Bundestag on Moscow time with long pauses during Russian state holidays. In addition, they were able to identify digital fingerprints that pointed to Russia and to link the perpetrators to the Kremlin’s intelligence apparatus.
A year earlier, some of the same Russian hackers got into the office of a founding member of the German Green Party.
Parliamentarian Marieluise Beck — described by the German press as “a woman despised by the Kremlin” — has long been vocal about Putin’s “managed democracy,” while keeping close contact and working with Russian opposition groups. That is probably why she was particularly worried when in May 2014 she was notified that the hackers had gained access to her office’s contacts and private communications.
“We have to be aware that there are clearly Russian interests who are trying to find out what our politicians are doing and so we have to prepare ourselves against the threats,” Koenen said.
The Russian hacking groups that broke into the DNC are not only after political targets. According to several security experts, the same Russian-backed groups are heavily interested in western military targets, as is apparent by a never-before reported incident that alarmed NATO officials.
Held in the birthplace of British Aviation, the U.K.’s Farnborough Airshow is considered one of the most important events in the calendar of the aviation and defense industries. Every two years it is attended by military delegations from all over the world, including high-ranking U.S. officials.
But in 2014, half of the Russian delegation was reportedly denied visas, leading to a protest note by the Russian Embassy in London and an angry tweet by the Russian Deputy Prime Minister calling his country’s delegates to “return home.”
A few months later, FANCY BEAR sent an innocent looking email to several military commanders who attended the show. It included a link that was supposed to provide information about the next airshow.
Some of the recipients clicked on it.
“This escalated into a spread of infection into different military environments,” said Maccaglia, who investigated the hack and uncovered a breach into the unclassified systems of at least three NATO member countries.
Experts warn that Russian cyber-attacks have gone far beyond stealing secrets — they threaten to cripple the political institutions of target countries, including the U.S.
Americans saw that with COZY BEAR and FANCY BEAR after the leaked emails, which appeared to show that supposedly neutral Democratic Party officials were conspiring against then-candidate Bernie Sanders and his legions of young supporters.
“For literally two decades, we’ve seen espionage operations. Stealing information only,” Rid, the securities studies professor, said. “What we’ve seen happen for the first time late last year was sabotage. Not just espionage, but sabotage, where targets were affected by the hack.”
But the uproar caused by the two Russian groups’ hacks and leaks aren’t the end of this. Maccaglia believes that governments aren’t even close to seeing the end of the “BEARS” activities.
“It’s only the beginning,” he said, explaining that the Russian hackers are going to escalate their attacks against targets of global importance and critical key infrastructures.
“We’ll probably see attacks in places and environments we don’t expect to face such threat right now,” he said.
Russia isn’t alone in its efforts to spy on and manipulate the political processes of its adversaries, experts say.
The United States, after all, invaded Iraq and helped to reform its government, and during the Cold War, political interference by any means possible was the norm for both Washington and Moscow. The game has now changed, the experts say, with computer codes used as weapons and malware deployed as secret agents.
“It’s espionage in modern surrounding; it’s using the internet, it’s using cyber as a new weapon,” Koenen said.