US law enforcement is reportedly investigating a fresh wave of cyberattacks hitting progressive and liberal groups, with the hackers demanding tens of thousands of dollars in hush money after breaking into computer networks and pilfering sensitive data.
Named targets include a Washington DC think tank called the Center for American Progress and a liberal donation and investment firm known as Arabella Advisors, according to Bloomberg. The tactics used to hack into networks show signs of being linked to a known Russian hacking collective.
Branded Cosy Bear, or APT29, the collective was one of two cyber-espionage groups suspected of hacking the Democratic National Committee (DNC) in the lead-up to the US presidential election last November.
The US intelligence community (IC) believes "senior-most" officials in Russia sanctioned the hacking.
Citing two people familiar with the ongoing probe, Bloomberg said more than a dozen liberal groups have been targeted in the spree, with ransom demands reaching up to $150,000 (£122,460) worth of Bitcoin, an anonymous online currency.
To date, no technical evidence has been released to back up the claims.
The sources said ransoms are being accompanied by "samples of sensitive data" which largely include embarrassing email conversations. What's worse, Bloomberg reported some groups have already paid the ransom fee without any guarantee the data won't hit the web regardless.
Steve Sampson, a spokesman for Arabella Advisors, admitted his firm was "affected by cybercrime" and said it was a clear attempt at financial extortion. However, a spokesperson for the Center for American Progress denied the sources' claims, saying it had "never been subject to ransom". It remains unclear if these two incidents are indeed linked.
The hacking campaigns of Cosy Bear (and a second related group codenamed Fancy Bear) are well documented by security firms. They are known to target think tanks, universities, large businesses and government departments via email phishing.
According to a declassified US government report into the group, Cosy Bear uses web links that lead to a malicious piece of software known as a remote access tool (RAT). Once the tool is inside a network, it steals data, which is then analysed for intelligence value.
"These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organisations, establish command and control nodes, and harvest credentials and other valuable information from their targets," the report noted.
Yet in cases of cybercrime, attribution remains difficult at best.
As such, despite a wealth of evidence indicating Russia was closely linked to the DNC infiltration, no security firm can say so with complete certainty. The probe into this, and into alleged Russian links to US President Donald Trump, continues.
"I would be cautious concluding that this has any sort of Russian government backing," John Hultquist, director of cyber-espionage analysis at FireEye, told Bloomberg.
"It's always possible it is just another shakedown," he noted.
Officials in Russia, including President Vladimir Putin, have denied involvement in the cyberattacks. "The hysteria is simply to distract the American people from the contents of what the hackers have posted. There's nothing there benefiting Russia," he said last October.