I Was Hacked Because I Work on Russia

I Was Hacked Because I Work on Russia

I was hacked because I work on Russia. That's not unusual for people in my line of work. What was slightly less common, however, was that "Claudie" didn't exist, and neither did any of her colleagues with State Department addresses. The approach was part of a careful plan to break into my Gmail account. And it seems to have succeeded.

For professional Russia watchers such as myself, being the subject of unwanted online attention comes with the job. Crude attempts at hacking and phishing are more or less constant, and every now and then we encounter something genuinely novel or clever. Back in 2019, I blew the whistle on an online deception campaign using LinkedIn that was the first documented instance of a deepfake-generated face being used as part of such an operation.

A couple of years later, a well-constructed phishing attempt had me half a second away from clicking on a deceptive link that appeared to be an appointment reminder from my actual, real, optician. But Claudie's efforts were different again. The operators behind the name carefully, painstakingly brought together a number of different pillars of plausibility, and unlike on previous occasions, they didn’t put a foot wrong.

For instance, they plainly knew that the first thing I would do was write back to her "colleagues" at their state.gov addresses to see if they existed—but they also knew, which I didn’t, that the U.S. State Department's email server accepts all incoming messages and won't show you an error if you write to nonexistent people.

What followed was a slow, patient, and ultimately successful process of coaching me into opening up a backdoor to all of my emails. The hacking of my email account has been described in detail by the University of Toronto's Citizen Lab, an organization dedicated to protecting civil society against state campaigns of this kind, and you can read some of the email traffic with "Claudie" in their report.

Google's Threat Intelligence Group has also reported on the operation and linked it to others that they tentatively associate with the Russian Foreign Intelligence Service. The attack used a feature in Gmail and other apps called an application-specific password, or ASP. That’s a means of creating a special password so that you can still use older or less secure apps that don’t support modern security protocols.

And that’s where the problem lies: ASPs are a widely available means of bypassing all of the security precautions that we are all told so insistently to make sure are in place, such as getting verification codes sent to our phones. The feature is supported by Microsoft, Apple, Google, and other platforms as a seemingly routine technical workaround when other security systems don’t work, with little to no user-friendly warnings about how dangerous a tool such as this can be.

Importantly, the hack didn’t exploit some technical vulnerability in the software. As Google has pointed out, there “wasn't a flaw in Gmail itself”; instead, “the attackers abused legitimate functionality.” That is correct: The ASP setup worked exactly as intended.

The attack worked by convincing me to set up a route into my account that is built in by design, rather than by outwitting the security and breaking in. In the most literal sense, this backdoor to our email accounts is not a bug but a feature. But there’s a problem with that.

The fact that there is a widely available option to bypass today’s security precautions and throw your account wide open was an unexpected discovery not just for me, but also for anybody I’ve spoken to who isn’t deep in the cybersecurity business. So for Google to say that “there is no vulnerability connected to Google's application-specific passwords” is, again, technically correct but potentially very misleading in terms of how easily ASPs can be exploited—as demonstrated by my case and by however many others there might be by now.

I seem to be the first person who has gone public about being targeted in this way, but I’m sure I won’t be the last. As Google has also pointed out, users get a notification email when they create one of these passwords. But that’s of limited use when you already know that you set one up, whether or not you were deceived into doing so.

Because everything worked as intended, there was no way that I could see that anything was wrong. To Google's credit, it was its security systems that eventually noted that something was amiss and caused my account to be frozen.

After recovering my account, I found a notification buried deep in the security settings about a login from a suspicious address—dated eight days before Google locked my account with no warning. The way that the platforms have tightened digital security while retaining the option of using ASPs to connect is like investing in heavy new locks for your front door but leaving the side door wide open for people who don’t have the keys.

Because it involved a clever new attack that could affect almost anyone, my case has created quite a bit of attention in media specializing in cybersecurity. Organizations other than Google have naturally been readier to recognize the security problem.

As Sophos, another cybersecurity company, politely noted in a warning to customers on June 18: "The potential impact of creating an app password and providing it to a third party is not made clear in the creation process." In other words, what would really have helped was a warning during the process of setting up ASPs of exactly what they are and what they do, which would have alerted me to what was going on.

Google has correctly pointed out that there is a warning along those lines in their help files. But that doesn’t help if you don’t go to those help files—because, as in my case, your attacker has kindly provided an authentic-looking manual of their own to walk you through the process.

The real heroes of this story are at the Citizen Lab—in particular, the privacy and security guru John Scott-Railton. It was John, together with Reuters journalists Raphael Satter and James Pearson, who helped me piece together what had happened when all I could see was that Google had frozen my accounts (and in one case, telling me that this was because of "policy violations").

And it was they who used their professional contacts at Google to try to help me regain control. The Citizen Lab calls itself an “interdisciplinary laboratory” focused on research in information technology and human rights.

But their investigations of digital espionage against civil society—and their efforts to protect citizens’ privacy and other rights against corporations and state agencies—are invaluable for people like me who point the finger at evildoers such as the Russian state but don’t have the support of powerful governments or institutions behind them.

The infiltration raises serious national security concerns in Washington. Several people have asked me if I’m concerned about what the attackers will do next. The hackers carefully crafted a plausible story.

In my case, the attackers put an extraordinary amount of time, effort, and patience into building the con. For whatever reason, they decided I was worth it—or maybe they were just frustrated after so many previous failed efforts over so many years.

But anyone who is not as automatically cautious as me—perhaps because they’re not in a line of work that sees them routinely targeted—could be taken in by a far less sophisticated deception campaign. We probably all have friends and relatives, especially older ones, who have been taken in by scams that, in hindsight, seemed blatantly obvious.

If they know how, then readers should check whether this kind of password has been set up on their accounts. If they are concerned, there are options such as Google’s Advanced Protection Program, which blocks this method of attack and some others.

But in any case, Google and other companies should make sure that the risk of this account feature is more widely understood by ordinary users. When attacks do succeed, it’s also important that more people speak up about them.

It’s understandable that individuals who are duped in this way are sometimes reluctant to come forward and share the details. Anybody less thick-skinned than me might be embarrassed—and feel a little foolish at having been outwitted.

But it’s essential to share as much as possible. Our collective security is worth so much more than one person’s individual embarrassment.