In this Jan. 3 photo, the Capitol is seen in Washington. (AP Photo/J. Scott Applewhite)

In this Jan. 3 photo, the Capitol is seen in Washington. (AP Photo/J. Scott Applewhite)

Report: Fancy Bear is coming for the U.S. Senate

The Russian-aligned hackers have spent the past few months preparing an espionage campaign.

  • By RAPHAEL SATTER Cybersecurity Writer
  • Friday, January 12, 2018 9:06am
  • Nation-World

By Raphael Satter / Associated Press

PARIS — The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday.

The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America’s political elite.

“They’re still very active — in making preparations at least — to influence public opinion again,” said Feike Hacquebord, a security researcher at Trend Micro Inc., which published the report. “They are looking for information they might leak later.”

The Senate Sergeant at Arms office, which is responsible for the upper house’s security, declined to comment.

Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.”

Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.

Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.

“That is exactly the way they attacked the Macron campaign in France,” he said.

Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Tend Micro, which has followed Fancy Bear for years, said there could be no doubt.

“We are 100 percent sure that it can attributed to the Pawn Storm group,” said Rik Ferguson, one of the Hacquebord’s colleagues.

Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having “Russia-related interests.” But the U.S. intelligence community alleges that Russia’s military intelligence service pulls the hackers’ strings and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin’s objectives.

If Fancy Bear has targeted the Senate over the past few months, it wouldn’t be the first time. An AP analysis of Secureworks’ list shows that several staffers there were targeted between 2015 and 2016.

Among them: Robert Zarate, now the foreign policy adviser to Florida Senator Marco Rubio; Josh Holmes, a former chief of staff to Senate Majority Leader Mitch McConnell who now runs a Washington consultancy; and Jason Thielman, the chief of staff to Montana Senator Steve Daines. A Congressional researcher specializing in national security issues was also targeted.

Fancy Bear’s interests aren’t limited to U.S. politics; the group also appears to have the Olympics in mind.

Trend Micro’s report said the group had set up infrastructure aimed at collecting emails from a series of Olympic winter sports federations, including the International Ski Federation, the International Ice Hockey Federation, the International Bobsleigh & Skeleton Federation, the International Luge Federation and the International Biathlon Union.

The targeting of Olympic groups comes as relations between Russia and the International Olympic Committee are particularly fraught. Russian athletes are being forced to compete under a neutral flag in the upcoming Pyeongchang Olympics following an extraordinary doping scandal that has seen 43 athletes and several Russian officials banned for life. Amid speculation that Russia could retaliate by orchestrating the leak of prominent Olympic officials’ emails, cybersecurity firms including McAfee and ThreatConnect have picked up on signs that state-backed hackers are making moves against winter sports staff and anti-doping officials.

On Wednesday, a group that has brazenly adopted the Fancy Bear nickname began publishing what appeared to be Olympics and doping-related emails from between September 2016 and March 2017. The contents were largely unremarkable but their publication was covered extensively by Russian state media and some read the leak as a warning to Olympic officials not to press Moscow too hard over the doping scandal.

Whether any Senate emails could be published in such a way isn’t clear. Previous warnings that German lawmakers’ correspondence might be leaked by Fancy Bear ahead of last year’s election there appear to have come to nothing.

On the other hand, the group has previously dumped at least one U.S. legislator’s correspondence onto the web.

One of the targets on Secureworks’ list was Colorado State Senator Andy Kerr, who said thousands of his emails were posted to an obscure section of the website DCLeaks — a web portal better known for publishing emails belonging to retired Gen. Colin Powell and various members of Hillary Clinton’s campaign — in late 2016.

Kerr said he was still bewildered as to why he was targeted. He said that while he supported transparency, “there should be some process and some system to it.

“It shouldn’t be up to a foreign government or some hacker to say what gets released and what shouldn’t.”

James Ellingworth in Moscow contributed to this report.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Nation-World

FILE - Britain's Queen Elizabeth II looks on during a visit to officially open the new building at Thames Hospice, Maidenhead, England July 15, 2022. Buckingham Palace says Queen Elizabeth II is under medical supervision as doctors are “concerned for Her Majesty’s health.” The announcement comes a day after the 96-year-old monarch canceled a meeting of her Privy Council and was told to rest. (Kirsty O'Connor/Pool Photo via AP, File)
Queen Elizabeth II dead at 96 after 70 years on the throne

Britain’s longest-reigning monarch and a rock of stability across much of a turbulent century died Thursday.

A woman reacts as she prepares to leave an area for relatives of the passengers aboard China Eastern's flight MU5735 at the Guangzhou Baiyun International Airport, Tuesday, March 22, 2022, in Guangzhou. No survivors have been found as rescuers on Tuesday searched the scattered wreckage of a China Eastern plane carrying 132 people that crashed a day earlier on a wooded mountainside in China's worst air disaster in more than a decade. (AP Photo/Ng Han Guan)
No survivors found in crash of Boeing 737 in China

What caused the plane to drop out of the sky shortly before it was to being its descent remained a mystery.

In this photo taken by mobile phone released by Xinhua News Agency, a piece of wreckage of the China Eastern's flight MU5735 are seen after it crashed on the mountain in Tengxian County, south China's Guangxi Zhuang Autonomous Region on Monday, March 21, 2022. A China Eastern Boeing 737-800 with 132 people on board crashed in a remote mountainous area of southern China on Monday, officials said, setting off a forest fire visible from space in the country's worst air disaster in nearly a decade. (Xinhua via AP)
Boeing 737 crashes in southern China with 132 aboard

More than 15 hours after communication was lost with the plane, there was still no word of survivors.

Former Rep. Matt Gaetz, R-Fla., center, arrives at the U.S. Capitol in Washington D.C. with Sen. JD Vance, R-Ohio, right, the vice president-elect, on Wednesday morning. Gaetz withdrew from consideration Thursday, saying he was an unfair distraction to the transition. (Haiyun Jiang / The New York Times)
Matt Gaetz withdraws from consideration as attorney general

“It is clear that my confirmation was unfairly becoming a distraction,” Gaetz wrote Thursday on X.

Attendees react after Fox News called the presidential race for Former President Donald Trump, during an election night event at the Palm Beach County Convention Center in West Palm Beach, Fla., on Wednesday. Trump made gains in every corner of the country and with nearly every demographic group. (Haiyun Jiang / The New York Times)
Donald Trump returns to power, ushering in new era of uncertainty

Despite criminal convictions and fears of authoritarianism, Trump rode frustrations over the economy and immigration.

Voters cast their ballots at a polling place inside the Weisman Art Museum at the University of Minnesota in Minneapolis on Election Day, Tuesday, Nov. 5 2024. Voters headed into polling stations on Tuesday in the closing hours of a presidential contest that both major parties said would take the country in dramatically different directions, capping a contentious and exhausting 107-day sprint that began when President Joe Biden abandoned his bid for a second term. (Caroline Yang/The New York Times)
Live updates: Georgia called for Trump

The Daily Herald will be providing live updates on national election developments throughout Tuesday.

Liam Payne performs during the Jingle Ball at Madison Square Garden in New York in 2017. Payne, who rose to fame as a singer and songwriter for the British group One Direction, one of the best-selling boy bands of all time, died after falling from the third floor of a hotel in Buenos Aires on Wednesday. He was 31. (Chad Batka / The New York Times)
Liam Payne, 31, former One Direction singer, dies in fall in Argentina

Payne rose to fame as a member of one of the bestselling boy bands of all time before embarking upon a solo career.

In this photo taken from video provided by the Ukrainian Presidential Press Office, Ukrainian President Volodymyr Zelenskyy speaks to the nation in Kyiv, Ukraine, Sunday, Feb. 27, 2022. Street fighting broke out in Ukraine's second-largest city Sunday and Russian troops put increasing pressure on strategic ports in the country's south following a wave of attacks on airfields and fuel facilities elsewhere that appeared to mark a new phase of Russia's invasion. (Ukrainian Presidential Press Office via AP)
Ukraine wants EU membership, but accession often takes years

President Volodymyr Zelenskyy’s request has enthusiastic support from several member states.

FILE - Ukrainian servicemen walk by fragments of a downed aircraft, in in Kyiv, Ukraine, Friday, Feb. 25, 2022. The International Criminal Court's prosecutor has put combatants and their commanders on notice that he is monitoring Russia's invasion of Ukraine and has jurisdiction to prosecute war crimes and crimes against humanity. But, at the same time, Prosecutor Karim Khan acknowledges that he cannot investigate the crime of aggression. (AP Photo/Oleksandr Ratushniak, File)
ICC prosecutor to open probe into war crimes in Ukraine

U.N. human rights chief Michelle Bachelet confirmed that 102 civilians have been killed.

FILE - Refugees fleeing conflict from neighboring Ukraine arrive to Zahony, Hungary, Sunday, Feb. 27, 2022. As hundreds of thousands of Ukrainians seek refuge in neighboring countries, cradling children in one arm and clutching belongings in the other, leaders in Poland, Hungary, Bulgaria, Moldova and Romania are offering a hearty welcome. (AP Photo/Anna Szilagyi, File)
Europe welcomes Ukrainian refugees — others, less so

It is a stark difference from treatment given to migrants and refugees from the Middle East and Africa.

Afghan evacuees disembark the plane and board a bus after landing at Skopje International Airport, North Macedonia, on Wednesday, Sept. 15, 2021. North Macedonia has hosted another group of 44 Afghan evacuees on Wednesday where they will be sheltered temporarily till their transfer to final destinations. (AP Photo/Boris Grdanoski)
‘They are safe here.’ Snohomish County welcomes hundreds of Afghans

The county’s welcoming center has been a hub of services and assistance for migrants fleeing Afghanistan since October.

FILE - In this April 15, 2019, file photo, a vendor makes change for a marijuana customer at a cannabis marketplace in Los Angeles. An unwelcome trend is emerging in California, as the nation's most populous state enters its fifth year of broad legal marijuana sales. Industry experts say a growing number of license holders are secretly operating in the illegal market — working both sides of the economy to make ends meet. (AP Photo/Richard Vogel, File)
In California pot market, a hazy line between legal and not

Industry insiders say the practice of working simultaneously in the legal and illicit markets is a financial reality.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.