Russian Held as Agent Studied US Groups' Cyberdefenses
30.10.2019 securityweek
BigBrothers

A year before federal prosecutors accused Maria Butina of operating as a secret agent for the Russian government, she was a graduate student at American University working on a sensitive project involving cybersecurity.

Butina's college assignment called for her to gather information on the cyberdefenses of U.S. nonprofit organizations that champion media freedom and human rights, The Associated Press has learned. It was information that could help the groups plug important vulnerabilities, but also would be of interest to the Russian government.

In fact, the Russians previously had in their sights at least two of the groups that she and other students interacted with.

Butina participated in the project under the tutelage of a respected professor who advised the State Department on cybersecurity matters. It was carried out for the nonprofit group Internews, which works extensively with the U.S. government to bolster the free flow of information in dangerous parts of the world and has drawn Russian ire with some of its programs in Russia and neighboring countries. The group also advises other nonprofits on cybersecurity.

Internews confirmed Butina's involvement and a broad description of what the project involved. A lawyer for Butina did not respond to a request for comment.

Butina's project raised few eyebrows before her July arrest, despite the fact that news reports already had posed questions about her rapid rise from selling furniture in Siberia and her ties with Kremlin officials.

As part of the project, a small group of students led by Butina was given a list of Internews partners working on human rights and press freedom issues for research purposes only, with the understanding that they not be contacted without consultation. But the students contacted some of the groups anyway, according to people involved in the project who spoke on condition of anonymity because they were not authorized to describe the work.

An individual who has worked on U.S. programs in Ukraine told the AP that after Butina's arrest he was briefed by U.S. officials who expressed concern that two Internews programs in Ukraine — dealing with media freedom and cybersecurity, and funded by the State Department — may have been exposed to Russian intelligence and may be at risk due to Butina's student work.

State Department spokesman Robert Palladino said the department was not involved with the Internews project Butina worked on.

"We have verified that all documents Internews provided to its students were publicly available, and we remain confident in the integrity of the State Department's programs with Internews," he said.

Kostiantyn Kvurt, who heads a local nonprofit that Internews helped establish, Internews Ukraine, said he was unaware of Butina's project before being informed of it by the AP, but already was wary of potential Russian intelligence interference.

"If they understand how to break our firewalls, they could find our partners," Kvurt said. "People could get detained, tortured, killed."

Internews said the students were never given access to the group's work or systems.

"The selection of the students and their roles and activities in the research was solely determined by AU faculty," spokeswoman Laura Stein Lindamood said. "Internews is currently reviewing our relationship with university-led student projects."

The access that Butina won through her coursework illustrates how academia and the extensive network of entities that often carry out sensitive, but not classified, work for the U.S. government remain national security vulnerabilities.

In this case, all the institutions expected someone else to vet Butina. Internews thought American University stood behind her; the university said it doesn't do background checks and expects the State Department to vet foreign applicants fully before issuing visas.

Prosecutors allege in court documents that attending the university was Butina's "cover" as she cultivated political contacts and ties with the National Rifle Association. They contend she was part of a clandestine political influence campaign directed by a former Russian lawmaker who has been sanctioned by the U.S. Treasury Department for his alleged ties to Russian President Vladimir Putin.

John Sipher, who once ran the CIA's Russian operations, said Butina fits the profile of the kind of lightly trained asset frequently used to help identify espionage targets without attracting attention from counterintelligence, which is often focused on high-level contacts with government officials.

"The project is perfect, because a student can do that research legitimately," Sipher said. "You can just imagine why that would be of interest. It's a sort of gold mine."

Butina's student project was led by Eric Novotny, a cybersecurity expert who has a high security clearance as an adviser to the State Department. One of Novotny's AU courses was called "Cyber Warfare, Terrorism, Espionage, and Crime." The project was aimed at helping Internews identify ways that it could help U.S.-based nonprofits improve their cybersecurity.

Novotny told the AP that even after press reports about Butina raised questions about her connections to the Russian government, he was obligated to treat her like any other student.

"I have always observed university policies and rules during my entire academic career," he said.

The university declined comment, citing federal privacy rules.

After the spring semester, Butina and three other students signed on to the work-study project, according to people familiar with the work, who spoke on condition of anonymity because they were not authorized to discuss it publicly.

One of the organizations that Butina contacted, the prominent digital rights organization Electronic Frontier Foundation, had frequent contact with Internews on cybersecurity issues before and had previously been a Russian target. But Butina did not mention Internews in a June 14, 2017, encrypted email reviewed by the AP.

In the email, addressed to cybersecurity director Eva Galperin, she wrote: "My name is Maria Butina and I'm the captain of an American University student group doing research on U.S (civil society organizations) and their cyber security challenges. We have several questions about cyber security concerns facing human rights organizations and your expertise would be very beneficial."

Novotny, who was later interviewed by the FBI about Butina, learned his instructions about not reaching out to partners had been ignored when the cybersecurity adviser of one nonprofit called him after becoming suspicious that a Russian student was asking about cyber vulnerabilities. He sternly warned the students not to ignore the protocol.

Research published by Toronto University-based The Citizen Lab analyzing Russian hacking attempts has found that civil society groups ranked behind only governments as the most frequent targets. Most often, it appeared Russian spies were trying to determine who the organizations were working with in places of strategic interest, the research found.

"Russian security services view civil society groups as a threat and treat their local partners with great suspicion." said John Scott-Railton, a cybersecurity researcher at Citizen Lab.

AP found no evidence that Butina passed any information from the university project to Moscow, but the work allowed her to contact likely Russian targets.

It's not clear why Butina's work raised concerns for the two Internews programs in Ukraine, which has not been a focus of prosecutors' case against her. But Ukraine has been a hotspot of U.S.-Russian tensions, where the two countries vie for influence.

The U.S. runs multiple programs aimed at strengthening democracy and boosting pro-Western sentiment in Russia's backyard and in parts of the world where America and Russia are vying for influence. Often they are run by contractors or nonprofit groups. By penetrating the programs, the Russians could determine who the organizations are working with and learn details about their security measures.

The Electronic Frontier Foundation often helps train at-risk civil society groups both in the U.S. and abroad. In recent years, it also has turned its attention to the scourge of state-sponsored malicious software, publishing reports on suspected government-backed hacking campaigns in Kazakhstan, Syria and Lebanon.

In 2015, the organization said Google had alerted it to a knockoff EFF site "almost certainly" operated by the infamous Russian cyberespionage ring now widely known as Fancy Bear. U.S. authorities say the hackers — who rattled the 2016 U.S. presidential campaign by releasing tens of thousands of Democrats' emails — are members of Russia's military intelligence agency.

Galperin said she had a conference call with Butina and the other students, but did not make the connection with the arrested Russian until the AP contacted her. She said the students asked general questions about the threat landscape, and that she passed along no sensitive information.

Butina later widened her search for contacts, posting a solicitation for the project on Facebook that began: "S.O.S. Poor Students Need Help from Civil Society Organizations!"

"My dear American FB friends and followers, I am looking for volunteers for a brief interview of the U.S. civil society organizations for a student research project," she wrote in July. "If you a leader of an organization registered in the United States dealing with human rights (domestically or abroad) and willing to talk online (via Skype or conference call) ... please send me a private message."

Novotny was not informed about the post.

After the student group prepared a report for Internews, Butina continued her cyberpolicy studies. Soon after she finished her spring semester this year, U.S. authorities charged her with trying to influence senior U.S. politicians and infiltrate political organizations on behalf of the Russian government.