Ever since the U.S. government hit Russia with economic sanctions last year, Russian hackers have started new cyberspying campaigns to steal information from U.S. government agencies and corporations, according to current and former American intelligence officials and cybersecurity experts.
Now, American officials are fighting back—by outing the hackers and issuing what some see as veiled threats to Moscow.
Three former U.S. intelligence officers who worked on counterintelligence and cyber operations told The Daily Beast that a new report this week accusing Russia of infiltrating unclassified networks at the White House was apparently designed to send a message to the Kremlin: We know what you’re up to, and how you’re doing it.
“We are seeing a dramatic rise in cyber intrusion activity from the Russian government since the sanctions regime was put in place against them last year,” Dmitri Alperovitch, the co-founder of cybersecurity company CrowdStrike, told The Daily Beast. Beginning in March 2014, the Obama administration imposed a series of sanctions designed to punish Russia for its invasion of Crimea and subsequent military incursions in eastern Ukraine, and U.S. officials have said the sanctions are helping to depress Russia’s economy, which was already hurting because of falling oil prices.
Alperovitch said there was “no indication that [the cyberintrusions] are retaliatory.” Rather, as Russia finds itself struggling to stay afloat, “they are using cyber espionage to at least in part compensate for loss of competitiveness they are experiencing.” Alperovitch said the hacking has been tied to a single source, or “actor,” that CrowdStrike refers to as Cozy Bear.
In the past year, researchers have also linked Russian hackers believed to be working for the government to other spying campaigns, including against NATO, the Ukrainian government, energy companies in Poland, and an academic at an American university who was targeted because he studies Ukraine.
On Tuesday, CNN reported that according to U.S. officials, Russian hackers had penetrated portions of the White House computer network by gaining access from another “perch,” at the State Department, where intruders had gotten inside the unclassified email system.
The intrusion reported by CNN is not “a new incident,” a spokesman for the National Security Council said. Rather, it was acknowledged by the White House last year after intruders accessed an unclassified network used by the Executive Office of the President.
Disclosing the new details posed little risk to ongoing operations, the former officials said, because the hack had already been disclosed and it concerned sensitive materials—such as President Obama’s travel schedule—but not any classified information.
One former intelligence official read the information in the new report as “a veiled threat” to Russia that there could be further consequences for malicious hacking. Last week, Obama signed an executive order that allows the U.S. to impose sanctions on individuals and entities for hacking that poses a “significant” threat to U.S. national security, including economic and financial stability.
A former senior U.S. intelligence official told The Daily Beast that Russian hackers are among the best at posing as U.S. government employees or other trusted parties and then tricking others into disclosing login credentials that allow the hackers to get access to more computer networks.
In recent months, U.S. intelligence officials have been sounding the alarm about Russian hackers, who they see as more sophisticated and harder to track than their cohort in China, the other major source of cyberspying on the U.S. government and companies.
Director of National Intelligence James Clapper told a Senate committee in February that “the Russian cyberthreat is more severe than we have previously assessed.” And last year, he twice singled out Russian hackers as among the most significant cyberthreats to the United States.
Russia is “going to town on us and exploiting our information, our intellectual property,” Clapper said after a speech at the University of Texas in Austin last October. “We know a lot about the Chinese only because they’re a lot noisier about it,” Clapper said, echoing remarks by other U.S. officials and experts who say that Chinese hackers seem not to care if they’re detected.
“I worry, frankly, more about the Russians, who are a lot more subtle and a lot more sophisticated about purloining our information,” Clapper said. The spy chief had previously identified the Russian government as a source of cyberspying, telling the House Intelligence Committee, “Russian intelligence services continue to target U.S. and allied personnel with access to sensitive computer network information.”
A spokesperson for Clapper’s office told The Daily Beast that the director’s warnings about Russia were “deliberate” and intended to ensure that a “broader audience of Americans,” and not just cybersecurity experts, know that China wasn’t the only significant threat. Chinese cyberspying has tended to grab headlines, particularly after the Justice Department last year indicted five Chinese military officers for an espionage campaign targeting U.S. industries, including aluminum processors and solar-panel manufacturers.
CrowdStrike’s Alperovitch said Russian hacking over the past year has targeted a broad range of industries, all of them important to Russia’s economy. “We are literally tracking hundreds of breaches that they’ve been initiating against both government and commercial targets and have been battling and stopping their intrusion attempts at a number of our customers,” Alperovitch said. “We are seeing them across energy, finance and defense sectors, as well as government agencies and national-security nonprofits.”
Clapper has spoken approvingly of the current sanctions regime and credits it with helping to depress the Russian economy and inflate the value of the ruble. But, Clapper told the Senate Armed Services Committee in February, those measures still haven’t changed President Vladimir Putin’s strategy in Ukraine. Russian military forces continue to back separatist rebels who have threatened to take more territory in the eastern portion of the country.
Clapper also said the bigger threat to Russia’s financial stability was the low price of oil on the global market. “The greater impact frankly on the economy has been the drop in oil prices,” Clapper said.
That could be another motivator for Russia to ramp up spying on U.S. energy companies. In that respect, they may be borrowing a page from the Chinese playbook. A report in 2013 by the security research firm Critical Intelligence concluded that “Chinese adversaries” have infiltrated the networks of U.S. energy companies to steal information about fracking and gas extraction. The report said Chinese hackers had also targeted companies that make petrochemicals, such as plastics, for which natural gas is a precursor ingredient.
Alperovitch said it wasn’t clear whether the Russian hackers are working directly for the government or are contractors. (U.S. intelligence officials have noted that Moscow both uses its own hacking teams and outsources some work.)
“We are confident they are working on behalf of the Russian intelligence agencies,” he said.
Alperovitch didn’t provide any technical details about the case. Nor have current U.S. officials offered any technical evidence that could support their claims of Russian hacking and be independently examined.
And not everyone agrees that Moscow is behind the recent assaults. In an interview with the Russian state-owned RIA Novosti, Aleksandr Gostev of the Russian security company Kaspersky Lab said it would be “extremely difficult” to pin the activity on Russia, and noted that circumstantial evidence could be used to fabricate a case.
Similar doubts about attributing hacks to foreign governments emerged when U.S. officials blamed North Korea for an attack on Sony last year. Ultimately, President Obama and FBI Director James Comey publicly asserted that they were confident that North Korea was to blame. At the time, current and former officials told The Daily Beast that their confidence was based in large part on intelligence operations against North Korea that showed hackers in the Hermit Kingdom were hitting U.S. targets.
With regard to attributing hacks to Russia, one of the former U.S. intelligence officials said that analysts have catalogued the specific tools Russian hackers use and have developed signatures that, he said, give analysts across the intelligence community confidence that Russia is a major source of cyber espionage.
Certainly Clapper shares that view. “It is a serious, serious problem,” he said during his remarks in Austin. “We are not configured collectively as a government and as a nation to defend against this as we should.”