Russian spies masqueraded as Islamic State supporters to threaten vocal spouses of U.S. military personnel.
Army wife Angela Ricketts was soaking in a bubble bath in her Colorado home, leafing through a memoir, when a message appeared on her iPhone from hackers threatening to slaughter her family.
"Dear Angela!" the Facebook message read, according to Military.com. "Bloody Valentine's Day!"
"We know everything about you, your husband and your children," the message continued, claiming that the hackers operating under the flag of Islamic State militants had penetrated her computer and her phone. "We're much closer than you can even imagine."
Ricketts was one of five military wives who received death threats from the self-styled CyberCaliphate on the morning of Feb 10, 2015. The warnings led to days of anguished media coverage of Islamic State militants' online reach.
Except it wasn't ISIS.
Read alsoWashington accusing Russia of new, ongoing operation to penetrate U.S. energy gridThe Associated Press has found evidence that the women were targeted not by jihadists but by the same Russian hacking group that intervened in the American election and exposed the emails of Hillary Clinton's presidential campaign chairman, John Podesta.
The brazen false flag is a case study in the difficulty of assigning blame in a world where hackers routinely borrow one another's identities to throw investigators off track. The operation's attempt to hype the threat of radical Islam also presaged the inflammatory messages pushed by internet trolls during the U.S. presidential race.
Links between CyberCaliphate and the Russian hackers — typically nicknamed Fancy Bear or APT28 — have been documented previously. On both sides of the Atlantic, the consensus is that the two groups are closely related.
"Never in a million years did I think that it was the Russians," said Ricketts, an author and advocate for veterans and military families. She called the revelation "mind blowing."
"Fear is exactly what — at the time — we perceived ISIS wanted from military families," said Lori Volkman, a deputy prosecutor based in Oregon who had won fame as a blogger after her husband deployed to the Middle East.
Russian officials in Washington and in Moscow did not respond to questions seeking comment. The Kremlin has repeatedly denied masterminding hacks against Western targets.
Read alsoReuters: U.S., UK accuse Russian government-backed hackers in global cyber campaignProof that the military wives were targeted by Russian hackers is laid out in a digital hit list provided to the AP by the cybersecurity company Secureworks last year. The AP has previously used the list of 4,700 Gmail addresses to outline the group's espionage campaign against journalists, defense contractors and U.S. officials. More recent AP research has found that Fancy Bear, which Secureworks dubs "Iron Twilight," was actively trying to break into the military wives' mailboxes around the time that CyberCaliphate struck.
Lee Foster, a manager with cybersecurity company FireEye, said the repeated overlap between Russian hackers and CyberCaliphate made it all but certain that the groups were linked.
The trolls — Russian employees paid to seed American social media with disinformation — often hyped the threat of Islamic State militants to the United States. A few months before CyberCaliphate first won attention by hijacking various media organizations' Twitter accounts, for example, the trolls were spreading false rumors about an Islamic State attack in Louisiana and a counterfeit video appearing to show an American soldier firing into a Quran.
Read alsoU.S. accuses Russia of orchestrating NotPetya cyber-attack on Ukraine, warns of consequencesRicketts said that by planting threats with some of the most vocal members of the military community, CyberCaliphate guaranteed maximum press coverage.
"Not only did we play right into their hands by freaking out, but the media played right into it," she said. "We reacted in a way that was probably exactly what they were hoping for."
