The FBI failed to notify hundreds of Americans, including “scores” of U.S. officials, that Russian hackers were trying to break into their personal Gmail accounts despite knowing for more than a year that they were targets, according to a new report.
The Associated Press identified more than 500 individuals and groups in the U.S. targeted by “Fancy Bear,” an espionage group aligned with Russian government interests. The group first gained notoriety in the United States after cybersecurity firm CrowdStrike said in June 2016 that the group had hacked the Democratic National Committee.
The FBI told the AP in a statement: “The FBI routinely notifies individuals and organizations of potential threat information.”
However, the AP reached out to more than 190 of the 500 who were targeted, and interviewed nearly 80 of them. Only two of them said they had been notified by the FBI that they were targets.
An AP analysis suggests that out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them.
It’s not clear how many of the attempts were successful. Some of the accounts hold emails that go back years, when many of the retired officials still occupied sensitive posts, the report said.
A senior FBI official said the bureau was “overwhelmed” by the sheer number of attempted hacks. “It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.
The FBI had reportedly tried to let the DNC know its server had been hacked as far back as 2015, but was ignored and rebuffed by an IT contractor until April 2016.
The FBI did arrive unannounced at Hillary Clinton’s headquarters in Brooklyn in March 2016 to warn her campaign about “a surge of rogue, password-stealing emails.” But they “offered little more than generic security tips the campaign had already put into practice and refused to say who they thought was behind the attempted intrusions,” according to the AP.
In late July 2016, the FBI began investigating Russian meddling in the 2016 elections and potential collusion with the Trump campaign, an investigation that was later turned over to Special Counsel Robert Mueller.
Meanwhile, hundreds of other attempted hacks were ignored, according to the AP.
Of the more than 500 people or groups targeted, about one-quarter were still in government or held security clearances at the time they were targeted.
Of those 80 contacted by the AP, besides the two who were told they were targets, the FBI contacted “a few more” after their emails were already published last year.
The targets included officials from the National Defense University, North American Aerospace Defense Command, former Air Force Chief of Staff Retired Gen. Norton Schwartz, former head of the Defense Intelligence Agency Retired Lt. Gen. Patrick Hughes, former head of Air Force Intelligence Retired Lt. Gen. David Deptula, former defense undersecretary Eric Edelman, and former director of cybersecurity for the Air Force Retired Lt. Gen. Mark Schissler.
Hughes had his hard drive replaced by the “Geek Squad” at a Best Buy in Florida after his machine began behaving strangely, he told the AP.
Keller, the former senior spy satellite official, said his son told him his emails had been posted to the web, after getting a Google alert in June 2016.
Retired Air Force Gen. Roger A. Brady, who was responsible for American nuclear weapons in Europe, turned to Apple support this year when he noticed something suspicious on his computer.
The AP also conducted its own investigation and did not find much in the way of FBI tracks. In October, two AP journalists visited Internet company THCServers.com in the Romanian city of Craiova, where someone registered DCLeaks.com, the first of three websites that published emails belonging to the DNC and other officials in mid-2016.
The company’s founder, Catalin Florica, said he was never approached by law enforcement. “You are the first ones that contact us,” he said.
The AP also contacted another web company, Shinjiru Technology, in Kuala Lumpur in Malaysia, which hosted DCLeaks’ stolen files during the rest of the election. The company’s chief executive said he had never heard of DCLeaks until the AP contacted him. “What is the issue with it?” he asked.
“It’s utterly confounding,” Philip Reiner, a former senior director at the National Security Council who was notified by the AP that he was targeted in 2015, said. “You’ve got to tell your people. You’ve got to protect your people.”
“It’s absolutely not OK for them to use an excuse that there’s too much data,” said former senior administrator in the Office of the Director of National Intelligence Charles Sowell, who was targeted by Fancy Bear two years ago.
“Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous,” he added.
Retired Army Maj. James Phillips did not know his personal emails were published on DCLeaks in June 2016, until a journalist phoned him two months later. “The fact that a reporter told me about DCLeaks kind of makes me sad,” he said. “I wish it had been a government source.”
Retired Maj. Gen. Brian Keller, former director of military support at the Geospatial Intelligence Agency, said he was not informed either, even after DCLeaks posted his emails to the internet. “Should I be worried or alarmed or anything?” he asked.
Some argued to the AP that the FBI may have wanted to avoid tipping off the hackers, or that there were just too many people to notify. However, former White House cybersecurity coordinator Michael Daniel said the FBI is supposed to try.
The issue of how and when to notify people “frankly still needs more work,” he said.