Russian cyber spies have stolen secret US military drones, defence data

WASHINGTON — Russian cyberspies pursuing the secrets of military drones and other sensitive U.S. defense technology tricked key contract workers into exposing their email to theft, an Associated Press investigation has found.

What ultimately may have been stolen is uncertain, but the hackers clearly exploited a national vulnerability in cybersecurity: poorly protected email and barely any direct notification to victims.

The hackers known as Fancy Bear, who also intruded in the U.S. election, went after at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms or other sensitive activities, the AP found.

Employees at both small companies and defense giants like Lockheed Martin Corp., Raytheon Co., Boeing Co., Airbus Group and General Atomics were targeted by the hackers. A handful of people in Fancy Bear’s sights also worked for trade groups, contractors in U.S.-allied countries or on corporate boards.

“The programs that they appear to target and the people who work on those programs are some of the most forward-leaning, advanced technologies,” said Charles Sowell, a former senior adviser to the U.S. Office of the Director of National Intelligence, who reviewed the list of names for the AP. “And if those programs are compromised in any way, then our competitive advantage and our defense is compromised.”

An Associated Press investigation finds that Russian cyber spies exploiting a national vulnerability in cybersecurity are trying to break into the emails of scores of people working on military drone technology. (Feb. 7)

“That’s what’s really scary,” added Sowell, who was one of the hacking targets.

The AP identified the defense and security targets from about 19,000 lines of email phishing data created by hackers and collected by the U.S.-based cybersecurity company Secureworks, which calls the hackers Iron Twilight. The data is partial and extends only from March 2015 to May 2016. Of 87 scientists, engineers, managers and others, 31 agreed to be interviewed by the AP.

Most of the targets’ work was classified. Yet as many as 40 percent of them clicked on the hackers’ phishing links, the AP analysis indicates. That was the first step in potentially opening their personal email accounts or computer files to data theft by the digital spies.

James Poss, who ran a partnership doing drone research for the Federal Aviation Administration, was about to catch a taxi to the 2015 Paris Air Show when what appeared to be a Google security alert materialized in his inbox. Distracted, he moved his cursor to the blue prompt on his laptop.

“I clicked on it and instantly knew that I had been had,” the retired Air Force major general said. Poss says he realized his mistake before entering his credentials, which would have exposed his email to the hackers.

Hackers predominantly targeted personal Gmail, with a few corporate accounts mixed in.

Personal accounts can convey snippets of classified information, whether through carelessness or expediency. They also can lead to other more valuable targets or carry embarrassing personal details that can be used for blackmail or to recruit spies.

Drone consultant Keven Gambold, a hacking target himself, said the espionage could help Russia catch up with the Americans. “This would allow them to leapfrog years of hard-won experience,” he said.

He said his own company is so worried about hacking that “we’ve almost gone back in time to use stand-alone systems if we’re processing client proprietary data — we’re FedEx’ing hard drives around.”

The AP has previously reported on Fancy Bear’s attempts to break into the Gmail accounts of Hillary Clinton’s presidential campaign, American national security officials, journalists, and Kremlin critics and adversaries around the world. U.S. intelligence agencies have concluded the hackers worked for the Kremlin and stole U.S. campaign email to tilt the 2016 election toward Donald Trump.

But the hackers clearly had broader aims. Fifteen of the targets identified by the AP worked on drones — the single largest group of weapons specialists.

Countries like Russia are racing to make better drones as the remote-control aircraft have moved to the forefront of modern warfare. They can fire missiles, hunt down adversaries, or secretly monitor targets for days — all while keeping human pilots safely behind computer controls.

The U.S. Air Force now needs more pilots for drones than for any other single type of aircraft, a training official said last year. Drones will lead growth in the aerospace industry over the next decade, with military uses driving the boom, the Teal Group predicted in November. Production was expected to balloon from $4.2 billion to $10.3 billion.

So far, though, Russia has nothing that compares with the new-generation U.S. Reaper, which has been called “the most feared” U.S. drone. General Atomics’ 5,000-pound mega-drone can fly more than 1,000 miles (1,600 kilometers) to deliver Hellfire missiles and smart bombs. It has seen action in Afghanistan, Iraq and Syria.

The hackers went after General Atomics, targeting a drone sensor specialist. He did not respond to requests for comment.

They also made a run at the Gmail account of Michael Buet, an electronics engineer who has worked on ultra-durable batteries and high-altitude drones for SunCondor, a small South Carolina company owned by Star Technology and Research. Such machines could be a useful surveillance tool for a country like Russia, with its global military engagements and vast domestic border frontier.

“This bird is quite unique,” said Buet. “It can fly at 62,000 feet (18,600 meters) and doesn’t land for five years.”

The Russians also appeared eager to catch up in space, once an arena for Cold War competition in the race for the moon. They seemed to be carefully eyeing the X-37B, an American unmanned space plane that looks like a miniature shuttle but is shrouded in secrecy.

In a reference to an X-37B flight in May 2015, Russian Deputy Prime Minister Dmitry Rogozin invoked the vehicle as evidence that his country’s space program was faltering. “The United States is pushing ahead,” he warned Russian lawmakers.

Less than two weeks later, Fancy Bear tried to penetrate the Gmail account of a senior engineer on the X-37B project at Boeing.

Fancy Bear has also tried to hack into the emails of several members of the Arlington, Virginia-based Aerospace Industries Association, including its president, former Army Secretary Eric Fanning. It went after Lt. Gen. Mark Shackelford, who has served in the military and aerospace industry as a corporate board member. He has been involved with major weapons and space programs like SpaceX, the reusable orbital rocket company founded by billionaire tech entrepreneur Elon Musk.

Along another path, the hackers chased people who work on cloud-based services, the off-site computer networks that enable collaborators to easily access and juggle data.

In 2013, the CIA signed a $600 million deal with web giant Amazon to build a system to share secure data across the U.S. intelligence community. Other spy services followed, and the government cleared them last year to move classified data to the cloud at the “secret” level — a step below the nation’s most sensitive information.

Fancy Bear’s target list suggests the Russians have noticed these developments.

The hackers tried to get into the Gmail accounts of a cloud compliance officer at Palantir and a manager of cloud platform operations at SAP National Security Services, two companies that do extensive government work. Another target was at Mellanox Federal Systems, which helps the government with high-speed storage networks, data analysis and cloud computing. Its clients include the FBI and other intelligence agencies.

Yet of the 31 targets reached by the AP, just one got any warning from U.S. officials.

“They said we have a Fancy Bear issue we need to talk about,” said security consultant Bill Davidson. He said an Air Force cybersecurity investigator inspected his computer shortly after the 2015 phishing attempt but found no sign that it succeeded. He believes he was contacted because his name was recognized at the Air Force Office of Special Investigations, where he used to work.

The FBI declined to give on-the-record details of its response to this Russian operation. Agency spokeswoman Jillian Stickels said the FBI does sometimes notify individual targets. “The FBI takes … all potential threats to public and private sector systems very seriously,” she said in an email.

However, three people familiar with the matter — including a current and a former government official — previously told the AP that the FBI knew the details of Fancy Bear’s phishing campaign for more than a year.

Pressed about notification in that case, a senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, said the bureau was overwhelmed by the sheer number of attempted hacks. “It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.

A Pentagon spokeswoman, Heather Babb, said she could release no details about any Defense Department response, citing “operational security reasons.” But she said the department recognizes the evolving cyber threat and continues to update training and technology. “This extends to all of our workforce — military, civilian and contractor,” she added.

The Defense Security Service, which protects classified U.S. technology and trains industry in computer security, focuses on safeguarding corporate computer networks. “We simply have no insight into or oversight of anyone’s personal email accounts or how they are protected or notified when something is amiss,” spokeswoman Cynthia McGovern said in an email.

Contacted by the AP, Lockheed Martin, Raytheon, Boeing, Airbus and General Atomics did not respond to requests for comment.

Jerome Pearson, a space system and drone developer, acknowledged that he has not focused on security training at his company, Star Technology, where Buet has consulted. “No, we really haven’t done that,” he said with a nervous laugh. “We may be a little bit remiss in that area.” He said they may do training for future contracts.

Cybersecurity experts say it’s no surprise that spies go after less secure personal email as an opening to more protected systems. “For a good operator, it’s like hammering a wedge,” said Richard Ford, chief scientist at the Forcepoint cybersecurity company. “Private email is the soft target.”

Some officials were particularly upset by the failure to notify employees of cloud computing companies that handle data for intelligence agencies. The cloud is a “huge target for foreign intelligence services in general — they love to get into that shared environment,” said Sowell, the former adviser to the Office of the Director of National Intelligence.

“At some point, wouldn’t someone who’s responsible for the defense contractor base be aware of this and try to reach out?” he asked.

Even successful hacks might not translate into new weapons for Russia, where the economy is weighed down by corruption and international sanctions.

However, experts say Russia, while still behind the U.S., has been making more advanced drones in recent years. Russian officials have recently been bragging as their increasingly sophisticated drones are spotted over war zones in Ukraine and Syria.

At a 2017 air show outside Moscow, plans were announced for a new generation of Russian combat drones.

Rogozin, the deputy prime minister, boasted that the technological gap between Russia and the United States “has been sharply reduced and will be completely eliminated in the near future.” – Agencies