Days before the 2016 presidential election, Dmitri Alperovitch stood on a stage in Washington, D.C. and delivered a speech he called “how to win elections.”
Several months earlier, the Soviet-born Alperovitch had shot to fame as the first person to accuse Russia of being behind the cyber hack of the Democratic National Committee (DNC) that uncovered emails that proved embarrassing to the Hillary Clinton campaign.
His speech went well beyond just hacking, arguing that Russia had sowed the seeds of distrust in the election ahead of President Donald Trump’s victory.
“This is not a cyber problem, this is an attempt by Russia to influence our election,” he said.
While showing a picture of a grinning Russian President Vladimir Putin, he added, “You can tell that he’s particularly proud of this operation, I’m sure medals have already been given out to various operatives involved.”
Alperovitch was speaking at CyCon, a cybersecurity conference put together by research groups connected to the U.S. Army and NATO. He has become one of the most vocal proponents of a more agressive stance against hackers, and is often hired to help through the company he founded, CrowdStrike. Alperovitch and CrowdStrike had direct experience with the DNC attack, having been called in to clean up the mess the hack created in the DNC’s systems.
The conference draws military officials from several NATO countries, in addition to diplomatic staffers in Washington, academics and industry cyber experts, making it an enticing target for Russian intelligence.
It seems the Russian hackers named by Alperovitch didn’t take kindly to his talk: Almost exactly a year later, one of the groups that was behind the DNC breach has taken aim at those interested in the 2017 CyCon conference that starts Monday.
Labeled Fancy Bear by Alperovitch’s firm CrowdStrike, the group has been creating fake invitations to the conference that are loaded with dangerous computer code, according to researchers. The types of people interested in the conference frequently have access to sensitive and even highly classified material, often working on cybersecurity issues for NATO governments. A hack of their systems could expose important secrets.
“It is an interesting development that Dmitri would call them out at the very last session of our CyCon conference last year, and then this year they appear to be inviting people to come to our conference,” said Colonel Andrew Hall, director of the Army Cyber Institute at West Point, which co-sponsors the conference.
Just as Fancy Bear made it into the DNC system using fake emails—a process cybersecurity experts call spear phishing—they’ve been at it again with CyCon.
In October, researchers tracked a string of emails being sent to cybersecurity experts that were designed to look like they were from conference organizers. The emails included an attached Microsoft Word document containing content copied and pasted from CyCon’s website that was injected with code to give the attackers access to their victims’ computers.
“With this piece of malware an attacker is capable of spying on the user by stealing information such as screenshots,” Warren Mercer, a security researcher with Cisco Talos who traced the infected emails, told Newsweek via email.
“It’s certainly a different methodology for this attacker,” he added. “They reverted to something a little more rudimentary, scripting languages within Office documents. We do not know the specific reasoning for this but this could be that they did not want to risk losing any of their currently owned exploits should this attack be detected.”
That Fancy Bear would target a conference where it was so publicly identified shows that very little has changed for Russia’s hacking efforts.
“You mean they’re still doing operations? Absolutely. Why shouldn’t they?” said Peter Singer, a senior fellow at the New America think tank and a speaker at this year’s CyCon. “What did they learn from the U.S. election? It’s that it’s low cost and high yield.”
CyCon organizers believe that their systems have not been breached. They see the conference as an important effort to gather cyber experts to figure out what cyber conflict might look like and to try to help prevent cyber war.
“Cyber conflict is obviously taking place, but [the fake emails are] a great example of the very nature and challenges of cyber conflict, and I think one of the goals of the conference is not just exploring the nature of cyber conflict but establishing stability,” said Edward Sobiesk, a professor at West Point who is helping to run the conference.
Copying the documents from CyCon, with its draw in the cybersecurity community, would be a good technique to gain access to some interesting computer systems, Hall said: “I completely understand why they did it.”
Singer said that until some kind of strong message is sent, Russia and other countries are likely to keep up the hacking.
“We have not changed their cost calculation—that’s the lesson that every other actor out there is taking from this,” he said.
Alperovitch’s assessment of the Russian intent and effort to tilt the election would be backed several months after his speech, in December, by a report the CIA sent to Congress, as well as a month later in a broader report made public by U.S. intelligence agencies.
At the end of his speech, he had a warning regarding the breadth of Russian hacking efforts.
“I can tell you the Democrats are not the only ones getting hacked in this election,” he said.