FBI reportedly failed to warn US officials they were targets of Russian hackers

The FBI was aware that the Kremlin-linked hacking group Fancy Bear was trying to breach the email accounts of hundreds of U.S. officials and former military personnel, but it reportedly failed to notify them of the threat.

The Associated Press (AP) took a Secureworks list with 19,000 lines of targeting data and identified more than 500-U.S.-based people on that list. Then the AP contacted 190 of them and interviewed nearly 80. According to the AP’s investigation, the FBI notified only two of them that the Russians were trying to break into their email. In fact, in some cases, the first time the victims heard about being targets was when the AP told them.

AP reporter Raphael Satter told PBS that the news agency talked to “all kinds of people — former Navy SEALs, people who are in NATO, ex-generals, former ambassadors, former policymakers. It’s a lot of people who retired from the military or who retired from the State Department. But we’ve also spoken to some active duty soldiers and some of the people who haven’t spoken to us include people who are still active in government work to this day.”

After analyzing the data, the AP said “that out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them. That could mean that as many as 2 in 5 came perilously close to handing over their passwords.”

It’s not known how many accidentally handed their credentials to the Russian hackers, but the inboxes of some of the victims ended up being published by DCLeaks.

FBI going dark?

The FBI likes to say it is “going dark” — that the intelligence agency can’t do its job, can’t ascertain threats due to the use of encryption or other privacy-enhancing technologies. But in this case, the FBI knew these people had been targeted by the Russian Fancy Bear team; the bureau reportedly had evidence of the officials being targets for over a year.

The FBI didn’t want to talk with the AP about its own investigation into Fancy Bear’s spying campaign, but it did say that the bureau “routinely notifies individuals and organizations of potential threat information.”

The FBI declined to say how long it had the target list, but three current and former government sources told the AP that the FBI was aware that Russian hackers were trying to break into the targets’ Gmail accounts for more than a year.

An unnamed senior FBI official said the bureau was “overwhelmed” by the number of attempted hacks. He said, “It’s a matter of triaging to the best of our ability the volume of the targets who are out there.”

As for explaining why the bureau did not alert people targeted by the hackers, Satter told PBS: “We didn’t get very much on the record. The FBI gave us a statement which said that they make every effort to contact people who are affected. And that didn’t really match up with what we’ve seen on the ground where we saw that the overwhelming majority of the people just hadn’t heard from the FBI.”

FBI could have done more

Charles Sowell, a former senior administrator in the Office of the Director of National Intelligence, was previously targeted by Fancy Bear. He believes the FBI could have done at least as much work as the AP did.

“It’s absolutely not OK for them to use an excuse that there’s too much data,” Sowell said. “Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.”