Before most Americans woke up last Wednesday and learned Donald Trump had won the presidential election, hackers linked to Russian intelligence had already launched a sweeping cyberespionage campaign to find out what his victory meant for Vladimir Putin’s government.
Russia has always placed a top priority on vacuuming up whatever intelligence it can about a new American president and their top advisors and plans, to gain strategic advantage, Sean Kanuck, the nation’s first National Intelligence Officer for Cyber Issues from 2011 to 2016, told NBC News.
"And especially after the largest electoral upset in recent American history, it would be all the more important to collect as much information as possible on the new administration and its probable policies," said Kanuck, now an affiliate with the Center for International Security and Cooperation at Stanford University.
As Team Trump ramps up the transition and then takes over the levers of power, Kanuck said, "I would expect it will only increase against all of his close confidants and advisors."
The Nov. 9 attack especially targeted "people who are or will be associated with the incoming administration," according to Steven Adair, founder of Volexity, the cyber security firm that first disclosed the campaign.
"They want an early view of what happens before it becomes policy or law."
Cybersecurity experts and current and former U.S. officials said they would have been surprised only if they did not see an aggressive post-election intel-gathering campaign by Russia. "I assume the need for intelligence is greater than normal right now. Nobody knows what’s going to be, what’s going to happen," under Trump, said John Hultquist, director of cyberespionage analysis at the security firm iSIGHT Partners.
The attack came from the hacking crew known as Cozy Bear that U.S. officials have linked to earlier attacks on the Democratic National Committee, the White House, State Department and Joint Chiefs of Staff.
What’s noteworthy, some said, was how quickly and aggressively the Russian-linked group is moving, especially when the new president-elect is the candidate Putin favored during the campaign.
Even though Trump and Putin have expressed support for improved U.S.-Russia relations, with his win Trump has suddenly become an opponent for a Russian president who views the U.S. as not just a competitor but in many ways as an enemy, experts said. As such, aggressive collection of intelligence on the Trump transition effort would be part of Putin’s playbook, in terms of how the former KGB intelligence officer seeks to gain leverage over his opponents, said Shawn Henry, a former top FBI cybersecurity official who is now at the CrowdStrike security firm.
"They are interested in anything that is going to demonstrate and dictate the direction that the U.S. is going," including key players and policies, said Henry, whose security firm has tracked Cozy Bear for several years.
"It is a whole-cloth collection across the U.S. and how they can use that information in negotiations," Henry told NBC News. "If you know the answer before the test you are in a stronger position."
Two targets come forward
Cozy Bear’s flurry of activity on the morning of Nov. 9 targeted think tanks, non-governmental organizations and university researchers, said Adair. Most of those targeted had ties to the national security, defense, international affairs, public policy, and European and Asian studies realms, according to Adair and other experts at cybersecurity firms that track the Russian hackers.
"Before 9 a.m., we started seeing it," said Adair. "What are they after? We can’t say with certainty. But one of the goals is to gain early access to the people who will have influence over where things are going, and to increase their foothold in organizations that are already playing, or will continue to play, a role in what happens next."
Adair told NBC News that the campaign especially targeted "people who are or will be associated with the incoming administration" or with those in Congress and other places who will be working with them. Also targeted: those with subject matter expertise in public policy matters that have suddenly risen in importance now that a Republican administration is taking over, he said.
"They want an early view of what happens," Adair said, "before it becomes policy or law."
Adair said the hacking campaign used sophisticated spearphishing techniques to send emails to hundreds of people, emails that look so legitimate that recipients won’t hesitate to click on the links they contain or to download the attached files. Doing so installs malware on the recipient’s system, which lets the hackers read their emails and files and then move on to the people they communicate with.
Two of the five separate "attack waves" included purported messages forwarded on from the Clinton Foundation giving insight and postmortem election analysis, a Volexity web report said.
So far, at least two targets have come forward. Maeve Whelan-Wuest of the Brookings Institution and Adam Segal of the Council on Foreign Relations tweeted that they received suspect emails. Neither is a Russia expert, but Segal directs the council’s Digital and Cyberspace Policy Program. And since both think tanks are prominent and focus on U.S.-Russia relations, it’s likely the hackers targeted non-Russia experts, who might be less suspicious of such emails, as a way of gaining access to the entire roster of experts and their contacts, one former senior U.S. intelligence official told NBC News.
The former intelligence official said the spearphishing campaign was also timed to maximize its chances of success: "People were in such a frenzy about the coming political change that their hesitation in opening an email or attachment would probably be greatly reduced."
Adair said the speed and intensity of the campaign suggests the hackers were planning their cyberattack no matter which candidate had won, but that they appear to have tailored the specifics to focus on people who were suddenly more important in a future Trump administration.
The big question is whether Russia will continue to use information it steals through cyberespionage to meddle in U.S. political affairs.
Many experts bet yes, and say Putin often undermines foreign leaders by leaking enough true information to show that Russia has stolen their secrets, and then releasing manipulated or completely fabricated material that creates huge problems for them.
"They could quote Trump or his advisors saying things that they didn’t say, to create added instability and uncertainty," Kanuck said. "Countries like Russia have a long history of influence operations and information confrontation. We should expect that to continue in the digital media space."