In the span of fourteen months between March 2015 and May 2016, hackers likely working for Russia's military intelligence agency, the GRU, tried to hack 6,730 people all over the world, sending them around 19,315 malicious links. Their targets were several members of the US military, diplomats all over the world, Russian government critics, Hillary Clinton campaign staffers, and even Hillary Clinton herself, according to a new analysis.
We know about the full extent of their wide-ranging espionage operation because the hackers made a fatal mistake. The group, who is known to security experts as APT28, Sofacy, or Fancy Bear, was using the link shortener service Bitly to send out the phishing links, but they left their Bitly accounts public. That let researchers from the security firm SecureWorks track their phishing operation day by day, and figure out who they were trying to hack, including former National Security Advisor Colin Powell and Clinton's campaign chairman John Podesta, as Motherboard reported in October.
Thomas Rid, a professor at King's College, has now analyzed the the long list of targets collected by SecureWorks, unearthing even more evidence that the hacks against the Democratic National Committee and the Clinton campaign, as well as the subsequent leaks of stolen data were all part of the same disinformation operation from the Russian government. Rid's analysis also reveals that the hackers, and are widely believed to be working for the GRU, targeted the official campaign email address of Hillary Clinton herself.
By scrolling through the datasheet with the 19,315 links, "you just get a feeling for how much work it went into this," Rid told Motherboard during a phone interview.
"Even if some of it was partly automated, the selection of individuals, the regional distribution, it just looks like what you'd expect from a military intelligence agency," he added.
Clinton was one of at least 109 campaign staffers targeted between March 10 and April 7, 2016. The hackers sent them 214 individual phishing emails, tricking 36 staffers into clicking. Clinton's email address received two phishing links, but they weren't clicked, according to Rid.
"It just looks like what you'd expect from a military intelligence agency."
The Clinton campaign repeatedly said in the lead up to the election that their internal systems had not been breached. A former Clinton campaign spokesperson declined to comment. Motherboard also reached out to the Clinton Foundation via email and phone, but did not receive response in time for this article's publication.
For Rid, there's little doubt this was all part of a Russian government hacking-and-leaking disinformation campaign, what the Soviets used to call "active measure"—or "aktivniye meropriyatiye" in Russian.
"The publicly available evidence that implicates Russian intelligence agencies in the 2016 active measures campaign is extraordinarily strong," Rid said in a prepared statement for a hearing before the US Senate Intelligence Committee on Thursday. "The DNC hack can be compared to a carefully executed physical break-in in which the intruders used uniquely identical listening devices; uniquely identical envelopes to carry the stolen files past security; and uniquely identical getaway vehicles."
Twelve out of the hundreds of people who clicked on the links sent by the hackers eventually ended having their emails published on the site DCLeaks, showing the connection between the Russian hacking campaign, and the subsequent leaking, which was done on that dedicated site, as well as through the Guccifer 2.0 persona, as well as WikiLeaks.
Overall, during the campaign, of the 6,730 people targeted, 3,134 (around 16%) clicked on the phishing links, which often led to fake Gmail login pages. Of those, around 470 gave away their password, according to Rid, who shared his analysis with Motherboard ahead of the hearing.
While that might seem a low success rate—around 2% of the total people targeted—SecureWorks' researcher Tom Finney warned that it's possible more people clicked. The researchers were tracking the hackers' operations with an automated script that only recorded whether someone clicked on the links on the same day they were sent, Finney told Motherboard. That leaves open the possibility that people may have clicked on phishing links several days after they received an email.
Still, even that 2% was enough for the operation to be a success. Some of the victims, such as John Podesta, were so high-profile that the leak of their data attracted considerable media attention. Moreover, the Russians used unwitting agents, which in spy speak means instruments that unknowingly carry out the agenda of an intelligence agency, to spread the news.
In this case, the unwitting agents were the media organizations who covered the news, as well as WikiLeaks, which published troves of emails from Podesta's inbox, staggering them over the span of weeks.
"Julian Assange can be completely convinced he's just doing the right thing," Rid told me during a phone interview. "And at the same time he can boost this Russian operation—even without wanting to do so. That is the beauty of it from the perspective of an active measure operator."
Russia has consistently denied any involvement in the hacking of the DNC, the Clinton campaign and the disinformation campaign that followed. During a panel on Thursday, when asked if Russia interfered in the US elections, President Vladimir Putin theatrically pointed at his mouth and said: "Watch my lips—no."
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.