The threat over her phone to Army wife Angela Ricketts was terrifying. “Dear Angela!” it said. “Bloody Valentine’s Day!”
“We know everything about you, your husband and your children,” it continued, claiming that Islamic State militants had penetrated her computer. “We’re much closer than you can even imagine.”
More than three years after Ricketts and four other military wives received this and other alarming messages, AP London-based cybersecurity reporter Raphael Satter has unraveled the secret behind it all. The threats were not from Middle Eastern terrorists at all, but hackers from the Russian group widely dubbed Fancy Bear – the same gang who later broke into the Democratic Party’s emails and interfered in the 2016 U.S. presidential election.
For revealing the latest wrinkle in the Russian hacking story, Satter earns the Beat of the Week
His story, accompanied by photos and video shot by Indianapolis-based AP photographer Michael Conroy, found its genesis in a massive hit list of Fancy Bear targets handed to Satter by cybersecurity company Secureworks last year. Satter and his colleague Jeff Donn have been mining the list for months, drawing out stories about how the Russian hacking group spent years targeting politicians, intelligence figures and journalists. This time, Satter focused on a group of five women whose names were clustered together on the list. None of the five knew much about Fancy Bear, but all reported having received death threats from another mysterious group calling itself CyberCaliphate back in 2015.
Ties between CyberCaliphate and Fancy Bear had already been documented publicly, but the women didn’t know that and their story put a human face on what had up until then had largely been confined to dry industry reports. The AP’s story – based on independently validated evidence – showed how one set of hackers had masqueraded as another in an apparent bid to hype up the threat of radical Islam to the U.S. homeland.
Specialty publication Cyberscoop said the AP’s story “brings to life established links between the CyberCaliphate and APT28 (another name for Fancy Bear) in a way that no cybersecurity research did,” adding that the story offered “a fresh reminder ... of the difficulties associated with assigning blame for hacking – and of the consequences when a case of mistaken identity takes hold.”
Samantha Power, former U.S. national security adviser and U.N. ambassador, said the news was disgraceful. Left-wing campaign group VoteVets called it “disgusting, horrifying, and infuriating.” Israeli newspaper Haaretz described it as a “horrifying effort from Russia to spread fear and hate of Muslims in the U.S.”
The AP’s reporting drew attention in Washington, where Rhode Island congressman and Congressional Cybersecurity Caucus co-founder Jim Langevin was quoted as saying that “we need to continue to do more until [the Russian government feels] the pain.”
"Stunning reporting on a stunning operation."
– Professor Thomas Rid, cybersecurity authority, Johns Hopkins University
Even academics in cybersecurity were impressed.
“This blows my mind,” said Jacquelyn Schneider, who teaches at the U.S. Naval War College. Johns Hopkins researcher Thomas Rid called the AP piece “stunning reporting on a stunning operation.”
The story appeared on thousands of news websites and was widely retweeted. According to Teletrax, which monitors broadcasters, Voice of America used 2 minutes 35 second of the report. WCBS and TV3 Latvia also picked it up, and on AP News, the story was AP’s No. 2 most popular story for the day on mobile with 16,232 clicks and No. 6 on the website with 3,119 clicks.
For unmasking and showing the maliciousness of Russian hackers apparently out to widen fears in the U.S. of Middle East extremism, Satter wins this week’s $500 prize.