Posted in Behind the News

Reporters reveal anatomy of Russian hack

By Lauren Easton

After hackers exposed 50,000 emails belonging to Clinton campaign chairman John Podesta in 2016, a team of AP journalists traced the digital footprints that led from his account and others back to Moscow.

In a memo to staff, Vice President for Standards John Daniszewski recounted how they did it:

“Hi,” the email from Google began, before turning more ominous. “Someone just used your password to try to sign in to your Google Account.” Change your password immediately, it urged, by clicking here.

But the email wasn’t actually from Google, and it wasn’t sent randomly. It was from hackers connected to Russia who were targeting Hillary Clinton’s presidential campaign.

The AP determined that the phishing attempts began on March 10, 2016 and were initially aimed at former Clinton staffers whose old addresses were still kicking around the web. All but one hit a defunct email address and bounced back to the senders. But the one that made it through got a click, and that was enough to open the door just enough for the digital thieves to get to work. They eventually found the email address of Podesta. And when an authentic-looking phishing email came his way, he clicked – and exposed a gold mine of 50,000 emails to the Russians.

A two-month investigation by a team of AP reporters across the globe, led by International Investigations Editor Trish Wilson, reconstructed how and when the digital break-ins occurred.

The reporting began with basic source work by Paris-based investigative reporter Raphael Satter. A source on his cybersecurity beat pointed him to a firm called Secureworks, which was holding a list of some 19,000 malicious links created by a group called Fancy Bear that U.S. intelligence says has ties to the Russian government. Among the revelations: Almost without exception, the phishing emails were sent during the work day – Moscow time.

Seen through an interior window, employees work in the offices of Secureworks in Atlanta, Oct. 4, 2017. (AP Photo/Marina Hutchinson)

Satter reached out and asked if the company would share the list, invoking the AP’s reputation for fairness and sensitivity. He forwarded the company a story he and another reporter had written previously to show Secureworks how responsible the AP is about protecting personal data. The company was persuaded, and soon after, Satter had the list.

But then what? What Satter showed Wilson, his editor, was a mess of thousands of unknown email addresses. Wilson recruited other reporters to harness the full reach of the AP’s investigative resources. The reporters and data journalists mapped out a strategy for organizing and verifying the email addresses, eventually identifying roughly 2,300 people. They then spent weeks trying to verify the emails and contacting their owners.

What emerged were two distinctive stories: one about the forensics of the attack on Clinton’s inner circle, and one about the broader attack on opponents of the Russian government. Targets included opposition leaders, top U.S. diplomats and military leaders, even members of the Moscow-based punk band Pussy Riot.

U.S.-based investigative reporters Jeff Donn and Chad Day conducted interviews with Democrats while data journalist Justin Myers in Chicago crunched the numbers to show who was targeted where and when. The final package included an animation that laid out how Podesta had been hacked and a video that took viewers to an obscure Romanian hosting company where one of the hackers’ leak sites was based.

All major media outlets have been reporting on Russia’s attempt to sway voters via social media and the investigation into whether the country colluded with the Trump campaign. But only the AP traced the digital footprints that led from the Clinton campaign email accounts back to Moscow. For their work, Satter, Myers, Donn and Day share this week’s Beat of the Week.