Russian hackers are targeting U.S. progressive groups in a new wave of attacks, scouring the organizations’ emails for embarrassing details and attempting to extract hush money, according to two people familiar with probes being conducted by the FBI and private security firms.
At least a dozen groups have faced extortion attempts since the U.S. presidential election, said the people, who provided broad outlines of the campaign. The ransom demands are accompanied by samples of sensitive data in the hackers’ possession.
In one case, a non-profit group and a prominent liberal donor discussed how to use grant money to cover some costs for anti-Trump protesters. The identities were not disclosed, and it’s unclear if the protesters were paid.
At least some groups have paid the ransoms even though there is little guarantee the documents won’t be made public anyway. Demands have ranged from about $30,000 to $150,000, payable in untraceable bitcoins, according to one of the people familiar with the probe.
Cozy Bear
Attribution is notoriously difficult in a computer attack. The hackers have used some of the techniques that security experts consider hallmarks of Cozy Bear, one of the Russian government groups identified as behind last year’s attack on the Democratic National Committee during the presidential election and which is under continuing investigation. Cozy Bear has not been accused of using extortion in the past, though separating government and criminal actors in Russia can be murky as security experts say some people have a foot in both worlds.
The Center for American Progress, a Washington think tank with strong links to both the Clinton and Obama administrations, and Arabella Advisors, which guides liberal donors who want to invest in progressive causes, have been asked to pay ransoms, according to people familiar with the probes.
The Center for American Progress declined a pre-publication request for comment. "CAP has no evidence we have been hacked, no knowledge of it and no reason to believe it to be true. CAP has never been subject to ransom,” Allison Preiss, a spokeswoman for the center, said in a statement Monday morning.
It’s unclear whether Arabella is part of the same campaign as the other dozen groups, according to one of the people familiar with the probes, but the tactics and approach are similar.
If the Arabella attack came from a different group, multiple criminals could be lifting a page from Russia’s hacking of the 2016 campaign, attempting to leverage the reputational damage that could be inflicted on political organizations by exposing their secrets.