Cozy Bear is thought to be affiliated with the Russian government

Russian hackers, possibly state associated, are reportedly going after left-wing groups in the US in a campaign of blackmail and extortion.

Bloomberg reported on 6 March that “at least a dozen” groups have been hit with blackmail threats since the US presidential elections, according to sources.

Some of the groups are known to have paid the ransoms, which ranged from £24,600 to £123,000. They were presented with sensitive information taken from inside the organisation and told to pay if they wanted to keep it private. The information itself was reportedly stolen from email accounts and from web-based collaboration apps that allow multiple people in different locations to work on the same document.

Whether these extortion campaigns have some kind of political intent matters less than that they're happening in the first place, Norman Shaw, CEO of ExactTrak, told SC: “Does it really matter who the hackers are, other than to help identify them for ongoing investigations? Clearly the purpose is political destabilisation with a cash bonus thrown in.”

A non-profit might not have the resources to get itself protected against a big threat, added Shaw, “but regardless of whether the targets are non-profits, healthcare or any other sector, these hackers are attacking known vulnerabilities that in most cases have a remedial solution”.

Bloomberg's source names two liberal groups – the Center for American Progress and Arabella Advisors – which were targeted. The Center for American Progress said it had no evidence of such activity, but Arabella acknowledged being affected by “financially motivated” cyber-crime.

While state-backed groups are not commonly financially motivated, some feel that these hacks bear a resemblance to operations carried out by Cozy Bear, a group well known for hacking a variety of US think tanks and political groups. Moreover, Cozy Bear and a separate group called Fancy Bear are believed to be the two main culprits in the ‘election hacking' of last year's presidential race.

Russian operations against the Democratic Party are widely suspected. During the 2016 election season, what are alleged to be Russian hacking groups breached the Democratic National Committee and the Hillary Clinton Presidential campaign.

After taking a bounty of information from both bodies, those groups then gave it to Wikileaks. The resulting publication of those documents embarrassed the Democratic party and its candidate for president, Hillary Clinton, who was then locked in an intense race with outsider Republican candidate Donald Trump. The operation was undertaken, according to some commentators, with the intention of moving Donald Trump into the White House.

While that version of the story has been the subject of intense contention, it is also the version of the story that the US intelligence community and many others have endorsed.

Ewan Lawson, senior fellow for military influence at the Royal United Services Institute, told SC that if one is inclined to believe that the Russian government uses non-state groups to carry out its offensive operations, this makes sense. If Cozy Bear is one such proxy, “it is likely that they will have come across material that the state did not wish to use but which provided an opportunity to make a little money. If those individuals/groups were previously cyber criminals then it is perhaps even less surprising.”

In the personal opinion of Morey J. Haber, vice president of technology, office of the CTO at BeyondTrust, this seems to fit. He told SC, “The attacks, ransomware, blackmail and extortion of liberal groups continues to discredit, defund and emphasise the demise of the Democratic Party.”

Targeting these groups, said Haber, “places a strain on their resources and not the groups that would be supportive to Russia and their agenda. It is unknown whether the contents of leaked documents would cause damage or not, but the sheer fact groups are willing to pay to halt their release indicates a fear of their contents.”