Home / Technology / Hackers Trawl User Data in Hopes a Small Target Will Lead to a Big One

Hackers Trawl User Data in Hopes a Small Target Will Lead to a Big One

At this point, they’d have a lot to work with. In the two years since Yahoo believes the hackers first penetrated its network, state-sponsored hackers have stolen tens of millions of records from the insurance companies Anthem and Premera Blue Cross, including Social Security numbers, health records, birth dates, addresses, emails, passwords and employment information — basically, everything you’d need to know about a person.

Simple tips to follow if you think your personal information online has been exposed to hackers.

Hackers amassed a vast collection of security clearance records, even fingerprints, in a yearlong hacking of the United States Office of Personnel Management. They have breached law firms and accounting firms, and last year they even made off with flight records for millions of United Airlines passengers.

It may sound like a crazy collection of unrelated information. But it is not that difficult to make connections among seemingly random bits of information using data-sifting technology.

Just as a corporation may use big data to figure out what a consumer might buy based on their past purchases, a spy agency can use big data to make connections to useful intelligence. A Palo Alto, Calif., company named Palantir sells this technology to American intelligence agencies, allowing them, for example, to match travel records and personal data to identify possible terrorists.

So while Yahoo’s announcement on Thursday that state-sponsored hackers — the company did not say what country it believes they are working for — had made off with more than 500 million customers’ personal records was stunning to many, intelligence officials say it can be seen as just the latest step in an escalating nation-state digital warfare campaign.

“A lot of people overlook why some of these seemingly purposeless breaches matter,” said Mr. Kanuck.

Intelligence services could use this information for a range of things — some trivial and some intrusive. They could match international flights taken by their own officials with those taken by American personnel to the same cities at the same time. They could comb the user names and emails released in a hacking of Ashley Madison, the online affairs site that was breached last year, with the personal Yahoo accounts of government officials and contractors or their spouses, and leak that information online or use it for blackmail.

And they can use the most intimate details of people’s lives — their medical records — to undercut the reputations of prominent American athletes, as Russian hackers did in a release of medical records stolen from the World Anti-Doping Agency that belonged to the gymnast Simone Biles, the tennis stars Venus and Serena Williams and other Olympic athletes.

The biggest worry, Mr. Kanuck and other American intelligence officials say, is the impact these data thefts can have on global politics. James. R. Clapper, the director of National Intelligence, warned Senate officials earlier this year that Russia was escalating its espionage campaigns against United States targets.

Interactive Graphic

Find out which parts of your identity may have been stolen in major hacking attacks over the last three years.

OPEN Interactive Graphic

“Russia continues to take information warfare to a new level, working to fan anti-U.S. and anti-Western sentiment both within Russia and globally,” Mr. Clapper said in his annual worldwide threat briefing in February.

Intelligence officials and private security researchers say it’s not just prominent United States government officials that Russian hackers are after. It’s their spouses, staff members, lawyers, accountants and business partners, who may not have the same level of security on their data and communications.

“In the past year, we’ve seen personal webmail accounts and social network accounts specifically being targeted by Russian, Chinese and Iranian espionage operators, on several occasions,” said John Hultquist, an espionage analysis manager at FireEye, the security software company. “That’s where some of the most sensitive conversations take place, and hacking private accounts leaves a much lighter footprint.”

One of the most adept at this approach, Mr. Hultquist and other security researchers say, has been a Russian intelligence hacking group alternately known in the security and intelligence community as APT28, Fancy Bear or Pawn Storm. The group regularly uses the compromised personal webmail accounts of staff members, spouses and their colleagues as tools to glean more information on high-level government targets.

In just the last few months, the group has been blamed for attacks on the Democratic National Committee, the White House and the World Anti-Doping Agency.

Going back to last year, the Russian group also has been trying to break into the online accounts of 2,600 members of the Washington elite — lobbyists, journalists, officials, contractors and even their spouses, according to private security researchers at Trend Micro, the global security company, who briefed intelligence agencies on the hacking.

Among the Russians’ targets were Colin L. Powell, the former secretary of state, whose personal emails caused a sensation when they were leaked online last week, according to people with knowledge of the briefing who spoke on the condition of anonymity.

“This is the new normal,” said Tom Kellermann, one of the security experts who briefed intelligence officials last year in his former role as chief security officer at Trend Micro. “It’s not just the usual targets who are being hunted. It’s their spouses.”

Mr. Kanuck said no one should be shocked that this is going on. “Every prominent person in Washington, every publicly known intelligence official, congressman and significant staffer should presume they have been targeted,” Mr. Kanuck said. “You’d be a fool not to think that’s the case.”

Continue reading the main story


NYT > Technology

Leave a Reply

Your email address will not be published. Required fields are marked *

*