WASHINGTON – Russian hackers are targeting U.S. progressive groups in a new wave of attacks, scouring the organizations’ emails for embarrassing details and attempting to extract hush money, according to two people familiar with probes being conducted by the FBI and private security firms.
At least a dozen groups have faced extortion attempts since last year’s U.S. presidential election, said the people, who provided broad outlines of the campaign. The ransom demands are accompanied by samples of sensitive data in the hackers’ possession.
In one case, a nonprofit group and a prominent liberal donor discussed how to use grant money to cover some costs for anti-Trump protesters. The identities were not disclosed, and it’s unclear if the protesters were paid.
At least some groups have paid the ransoms even though there is little guarantee the documents won’t be made public anyway. Demands have ranged from about $30,000 to $150,000, payable in untraceable bitcoins, according to one of the people familiar with the probe.
Attribution is notoriously difficult in a computer attack. The hackers have used some of the techniques that security experts consider hallmarks of Cozy Bear, one of the Russian government groups identified as behind last year’s attack on the Democratic National Committee during the presidential election and which is under continuing investigation. Cozy Bear has not been accused of using extortion in the past, though separating government and criminal actors in Russia can be murky as security experts say some people have a foot in both worlds.
The Center for American Progress, a Washington think tank with strong links to both the Clinton and Obama administrations, and Arabella Advisors, which guides liberal donors who want to invest in progressive causes, have been asked to pay ransoms, according to people familiar with the probes.
The Center for American Progress declined a pre-publication request for comment. “CAP has no evidence we have been hacked, no knowledge of it and no reason to believe it to be true. CAP has never been subject to ransom,” Allison Preiss, a spokeswoman for the center, said in a statement Monday morning.
It is unclear whether Arabella is part of the same campaign as the other dozen groups, according to one of the people familiar with the probes, but the tactics and approach are similar.
If the Arabella attack came from a different group, multiple criminals could be lifting a page from Russia’s hacking of the 2016 campaign, attempting to leverage the reputational damage that could be inflicted on political organizations by exposing their secrets.
“Arabella Advisors was affected by cybercrime,” said Steve Sampson, a spokesman for the firm, which lists 150 employees operating in four offices. “All facts indicate this was financially motivated.”
During the election Russian hackers heavily targeted the personal email accounts of staffers associated with the Clinton campaign. One of the people who described the current campaign said that in some cases, web-based email accounts are also being targeted because of their heavy use among nonprofits.
Along with emails, the hackers are stealing documents from popular web-based applications like SharePoint, which lets people in different locations work on Microsoft Office files, one of the people said.
The Federal Bureau of Investigation declined to comment when asked about the latest hacks. It is continuing to investigate Russia’s attempts to influence the election and any possible connections to Trump campaign aides. Russian officials have repeatedly denied any attempt to influence the election or any role in related computer break-ins.
“I would be cautious concluding that this has any sort of Russian government backing,” said John Hultquist, director of cyberespionage analysis at FireEye Inc., after the outline of the attacks was described to him. “Russian government hackers have aggressively targeted think tanks, and even masqueraded as ransomware operations, but it’s always possible it is just another shakedown.”
The hackers’ targeting of left-leaning groups — and the sifting of emails for sensitive or discrediting information — has set off alarms that the attacks could constitute a fresh wave of Russian government meddling in the U.S. political system. The attacks could be designed to look like a criminal caper or they could have the tacit support of Russian intelligence agencies, the people said.
Russia’s intelligence agencies maintain close relationships with criminal hackers in the country, according to several U.S. government investigations.
None of the possible explanations for the attacks are particularly comforting to the victimized groups, few of which are household names but are part of the foundation of liberal politics in the U.S.
Some of the groups are associated with causes now under attack by the Trump administration.
Arabella’s founder, Eric Kessler, and its senior managing director, Bruce Boyd, worked for national environmental groups early in their careers. Arabella declined to make Kessler or Boyd available for comment.
The Center for American Progress is a fierce critic of the Trump administration and its policies, and has called for a deeper investigation into contacts by Trump’s inner circle with Russian officials.
It’s unclear if Trump or his top aides have been briefed on the investigation.
The president has accused liberal groups of sending protesters to congressional town halls, mocking his opponents in a tweet on Feb. 21. “The so-called angry crowds in home districts of some Republicans are actually, in numerous cases, planned out by liberal activists. Sad!,” Trump tweeted from his personal account.
Regardless of who is behind the latest round of hacks and ransom requests, there is also an indication that state-sponsored hackers continue a broader targeting of liberal groups in the U.S.
The day after the election, the FSB, Russia’s main intelligence agency, targeted the personal emails of hundreds of people, including national security experts, military officers and former White House officials, according to data provided by cyber security researchers who are tracking the spying and who asked not to be identified because of the risks of retaliation. The list was weighted toward people who have worked in Democratic administrations or who are linked with liberal causes.
Among those targets was Kate Albright-Hanna. She worked for Barack Obama in his first presidential campaign in 2008 and then briefly in the White House Office of Health Care Reform.
That was eight years ago. Since then she has worked on a documentary about corruption in New York and developed a network of investigative journalists and activists, not the most obvious target for Russian espionage.
“I have no idea why I would be targeted,” said Albright-Hanna, who now lives in New York. “It’s super weird.”