“CLASSIC KGB TACTIC”
New Yorker writer Masha Gessen said it was also in 2015 — when Secureworks first detected attempts to break into her Gmail — that she began noticing people who seemed to materialize next to her in public places in New York and speak loudly in Russian into their phones, as if trying to be overheard. She said this only happened when she put appointments into the online calendar linked to her Google account.
Gessen, the author of a book about Russian President Vladimir Putin’s rise to power, said she saw the incidents as threats.
“It was really obvious,” she said. “It was a classic KGB intimidation tactic.”
Other US-based journalists targeted include Josh Rogin, a Washington Post columnist, and Shane Harris, who was covering the intelligence community for The Daily Beast in 2015. Harris said he dodged the phishing attempt, forwarding the email to a source in the security industry who told him almost immediately that Fancy Bear was involved.
In Russia, the majority of journalists targeted by the hackers worked for independent news outlets like Novaya Gazeta or Vedomosti, though a few — such as Tina Kandelaki and Ksenia Sobchak — are more mainstream. Sobchak has even launched an improbable bid for the Russian presidency.
Investigative reporter Roman Shleynov noted that the Gmail hackers targeted was the one he used while working on the Panama Papers, the expose of international tax avoidance that implicated members of Putin’s inner circle.
Fancy Bear also pursued more than 30 media targets in Ukraine, including many journalists at the Kyiv Post and others who have reported from the front lines of the Russia-backed war in the country’s east.
Nataliya Gumenyuk, co-founder of Ukrainian internet news site Hromadske, said the hackers were hunting for compromising information.
“The idea was to discredit the independent Ukrainian voices,” she said.
The hackers also tried to break into the personal Gmail account of Ellen Barry, The New York Times’ former Moscow bureau chief.
Her newspaper appears to have been a favorite target. Fancy Bear sent phishing emails to roughly 50 of Barry’s colleagues at The Times in late 2014, according to two people familiar with the matter. They spoke on condition of anonymity to discuss confidential data.
The Times confirmed in a brief statement that its employees received the malicious messages, but the newspaper declined to comment further.
Some journalists saw their presence on the hackers’ hit list as vindication. Among them were CNN security analyst Michael Weiss and Brookings Institution visiting fellow Jamie Kirchick, who took the news as a badge of honor.
“I’m very proud to hear that,” Kirchick said.
The Committee to Protect Journalists said the wide net cast by Fancy Bear underscores efforts by governments worldwide to use hacking against journalists.
“It’s about gaining access to sources and intimidating those journalists,” said Courtney C. Radsch, the group’s advocacy director.
In Russia, the stakes are particularly high. The committee has counted 38 murders of journalists there since 1992.
Many journalists told the AP they knew they were under threat, explaining that they had added a second layer of password protection to their emails and only chatted over encrypted messaging apps like Telegram, WhatsApp or Signal.
Fancy Bear target Ekaterina Vinokurova, who works for regional media outlet Znak, said she routinely deletes her emails.
“I understand that my accounts may be hacked at any time,” she said in a telephone interview. “I’m ready for them.”
“I’VE SEEN WHAT THEY COULD DO”
It’s not just whom the hackers tried to spy on that points to the Russian government.
Maria Titizian, an Armenian journalist, immediately found significance in the date she was targeted: June 26, 2015.
“It was Electric Yerevan,” she said, referring to protests over rising energy bills that she reported on. The protests that rocked Armenia’s capital that summer were initially seen by some in Moscow as a threat to Russian influence.
Titizian said her outspoken criticism of the Kremlin’s “colonial attitude” toward Armenia could have made her a target.
Eliot Higgins, whose open source journalism site Bellingcat repeatedly crops up on the target list, said the phishing attempts seemed to begin “once we started really making strong statements about MH17,” the Malaysian airliner shot out of the sky over eastern Ukraine in 2014, killing 298 people. Bellingcat played a key role in marshaling the evidence that the plane was destroyed by a Russian missile — Moscow’s denials notwithstanding.
The clearest timing for a hacking attempt may have been that of Adrian Chen.
On June 2, 2015, Chen published a prescient expose of the Internet Research Agency, the Russian “troll factory” that won fresh infamy in October over revelations that it had manufactured make-believe Americans to pollute social media with toxic rhetoric.
Eight days after Chen published his big story, Fancy Bear tried to break into his account.
Chen, who has regularly written about the darker recesses of the internet, said having a lifetime of private messages exposed to the internet could be devastating.
“I’ve covered a lot of these leaks,” he said. “I’ve seen what they could do.”
Donn reported from Plymouth, Massachusetts. Vasilyeva reported from Moscow. Kate de Pury in Moscow contributed.