Written by Ryan Duffy

Maria Butina, the Russian national accused of spying on the U.S., took a keen interest in a D.C.-based organization’s cybersecurity vulnerabilities soon after the group was hit by phishing attempts and its website was defaced with fake Islamic State messaging, according to a consultant who helped the group recover from the incident.

The organization, which works on civil rights issues, was targeted through a “social engineering campaign,” said Jon Steinman, the co-founder of HillCyber, a cybersecurity consultancy. Soon afterward, Butina sent an email to the organization “asking to come meet with folks and interview them about their vulnerabilities,” said Steinman, who declined to name the group.

Although the indictment against Butina centers on how she ingratiated herself with U.S. conservatives, her interest in left-leaning organizations also has been documented — the Washington Post reported that in the summer of 2017, “Butina began probing groups on the left … trying unsuccessfully to interview a D.C.-based civil rights group about its cyber-vulnerabilities.”

The group cited by the Post is indeed the HillCyber client, Steinman said. “She literally said, ‘I want to talk to you about your cyber vulnerabilities,'” he said.

The timing of that outreach is suspicious, Steinman said, given the accusations against Butina by federal prosecutors and the U.S. intelligence community’s extensive reports about Russian hacking campaigns against U.S. institutions. The criminal complaint against Butina said she conspired to act as an agent of the Russian government without registering with U.S. authorities, as required under U.S. law.

“My gut feeling is that this was all [related], she wasn’t by herself,” Steinman said, but rather “was only one facet of the Russian campaign against our country.”

HillCyber helped to fix the hacked website but did not do extensive work on trying to attribute the attack to any specific perpetrator, Steinman said. The website defacement “wasn’t real ISIS,” Steinman said. He suspects it to be a false-flag operation — a step attackers take to obscure their identity.

The organization was also hit by phishing attacks, Steinman said.

“There was curious communications traffic that didn’t make sense to them or us. Emails that appeared to be coming from a senior director or big donor, asking somebody to do something or click a link. It was clear these emails weren’t genuine,” Steinman told CyberScoop. “They were faked.”

HillCyber reported the incident to the FBI, DOD officials, American University — where Butina was a student at the time — and other groups in the private sector, Steinman said. Afterward, the client did not hear again from Butina or get any further malicious emails, he said.

Butina’s lawyer said last Wednesday that FBI agents had actively surveilled her since June 2017, the same month HillCyber went to authorities. He did not respond to CyberScoop’s request for comment.

A deep interest in cybersecurity

CyberScoop reached out to a number of think tanks, nonprofits, and civil rights groups based in D.C. regarding Butina’s cybersecurity interests. Most did not respond to a request for comment.

However, a spokesperson from the Atlantic Council did confirm that according to the center’s records, Maria Butina attended the group’s events on cybersecurity and Russia.

This included the Cyber 9/12 Student Challenge, a simulation in which teams of students respond to a “fictional cyber catastrophe.”

As a graduate student, Butina published articles or papers dedicated to cybersecurity and foreign policy. In “Cybersecurity Knowledge Networks,” Butina and two American University co-authors characterized cybersecurity as a “critical issue for organizations seeking to protect vulnerable data … we argue that effective cybersecurity practices require well organized collaboration rooted in knowledge sharing and social interaction.”

In June 2015, Butina also wrote an article in the National Interest, a bimonthly international affairs magazine, that called for a Republican to win the 2016 if relations between Russia and the U.S. were to improve.

According to her LinkedIn profile, Butina earned a master’s degree in international service with a concentration in cyber policy, the Internet of Things, cryptocurrencies and blockchain technology. She also wrote on her profile that she had “lectured in a dozen countries around the world and been in and out of active conflict regions.”

American University confirmed to CyberScoop that Butina was enrolled from the summer of 2016 to the spring of 2018, graduating with a master’s degree.

An AU spokesman declined to answer further questions about Butina, citing federal government privacy laws.

According to the indictment, Butina developed relationships with high-powered conservative operatives in the U.S. She openly cultivated ties to the National Rifle Association as well as GOP strategists.

Reuters recently reported that Butina “had wider high-level contacts in Washington than previously known, taking part in 2015 meetings between a visiting Russian official and two senior officials at the U.S. Federal Reserve and Treasury Department.”

Butina reported back to her Russian handler via Twitter, email, and other means. The handler remains unnamed in court filings but is thought to be Alexander Torshin, a former KGB operative and banker with ties to the Kremlin. Butina’s LinkedIn profile explicitly lists a prior job as an unpaid special assistant to Torshin.

Chris Bing contributed to this report.