According to sources familiar with FBI and private security efforts, Russian hackers are hard at work scouring the emails of liberal groups in a search for details embarrassing enough to pay hush money over.
Reports indicate that at least a dozen such groups have found themselves on the business end of blackmail since the presidential election. The accounts are at least somewhat credible — the ransom demands come with damning data attached as proof.
And it looks like at least some groups are paying up, despite the fact that shelling out $30,000 to $150,000 in bitcoin — the average price and payment method for this latest round of extortion — is not a promise of anything.
Who exactly is behind the hack is up in the air, though experts have noted a series of techniques that are considered to be the digital fingerprints of “Cozy Bear,” one of the Russian government groups identified as being behind last year’s attack on the Democratic National Committee.
Extortion is a new trick for Cozy Bear — though experts wonder whether these efforts are more likely to be the sideline pursuits of state-sponsored terrorists.
Among reportedly affected groups so far are the Center for American Progress and Arabella Advisors.
“CAP has no evidence we have been hacked, no knowledge of it and no reason to believe it to be true. CAP has never been subject to ransom,” Allison Preiss, a spokeswoman for the center, said in a statement Monday morning.
“Arabella Advisors was affected by cyber crime,” said Steve Sampson, a spokesman for the firm, which lists 150 employees operating in four offices. “All facts indicate this was financially motivated.”
The FBI has not yet commented on who is behind the attacks — Russian officials have denied any attempted break-ins.
“I would be cautious concluding that this has any sort of Russian government backing,” said John Hultquist, director of cyber espionage analysis at FireEye Inc., after the outline of the attacks was described to him. “Russian government hackers have aggressively targeted think tanks, and even masqueraded as ransomware operations, but it’s always possible it is just another shakedown.”