Russian spy Maria Butina's cover story was her academic interest and expertise in cybersecurity. As cover stories go, this unfortunately wasn't a hard one to pull off.
Except anyone holding even the barest minimum of cybersecurity knowledge could've figured out in minutes that Butina's interest in cybersecurity was minimal.
If you're not caught up on the story, Maria Butina (aka Mariya Valeryevna Butina, Mariia Butina, Мари́я Валерьевна Бу́тина) is an alleged Russian spy who pleaded guilty to engaging in conspiracy against the US yesterday. She originally made headlines on July 15th this year, when the feds nabbed her. A founder of the Russian gun-rights organization Right to Bear Arms, she cultivated relationships with powerful conservatives in American politics (including Donald Trump Jr.), infiltrated the Republican Party and the NRA, then built connections between Russia and the NRA and even got money flowing between the two. She also worked at cultivating a relationship with the EFF and other civil rights groups.
"As part of her agreement," reviewed by The Daily Beast, "she has promised to cooperate with American law enforcement." So surely we'll learn more about those "further orders" in the near future. But while the indictment and press focus on the Russia-GOP-NRA connections, it's her work in the cybers and how it pertains to orgs like the EFF that some may find fascinating.
For this article, a cursory check showed that Butina had zero to no interest in hacking, security, the infosec profession or even cyber policy — her stated masters degree target. Butina's Facebook was all guns, NRA and wealthy old men. On her VK profile, the Russian version of Facebook, it's much of the same. Even more revealing is her old LiveJournal.ru account. This shows us the real Maria Butina: a young woman deeply devoted to Russia's "Motherland Party," also called Rodina, created by the Kremlin. In 2014 The Globe and Mail wrote that "the party proudly billed itself as Mr. Putin's political Spetznaz — 'special forces'." The party's hallmark is virulent xenophobia and "the need to protect ethnic Russians wherever they live." Nary a mention of cybersecurity to be found.
This certainly explains why it has been widely reported that her conservative activist American boyfriend Paul Erickson did her college cybersecurity homework for her. (Erickson, it should be noted, was found to have written a note to himself about deciding what to do with his job offer from the FSB.) However, it will pain cybersecurity professionals even more to know that despite having her infosec homework faked, it didn't stop Butina from authoring an academic paper on the subject.
While she spied on and infiltrated the Republican party, she also was a research assistant at American University and co-authored a paper titled "Cybersecurity Knowledge Networks." Read it if you want to see what achingly fake, buzzword bingo looks like.
Butina's paper on cyber advice focuses heavily on teamwork — something she knows, er, intimately. "In this article, we argue that effective cybersecurity practices require well-organized collaboration rooted in knowledge sharing and social interaction," it states. Evoking shades of Facebook and Cambridge Analytica, it explained: "We use social network analytics to capture team knowledge across multiple dimensions, persons, and teams."
Aside from her recently acquired major at American University, the paper is really Butina's only cybersecurity credential. Apparently, this combination was good enough to get her in the door of a few US civil rights organizations to talk to them about their cybersecurity and potential vulnerabilities. The Washington Post reported that in 2017 she "sparked alarm at one Washington-area civil rights group in June 2017, when she asked to interview the group's director about its vulnerability to cyberattacks for a school project."
"It was incredibly suspect activity," said Jon Steinman, co-founder of HillCyber, a cybersecurity firm that consulted with the group. Steinman said he immediately contacted the FBI and was interviewed about the episode at length in January.
It was with well-known digital rights organization Electronic Frontier Foundation that Butina found a little traction. In a June 2017 encrypted email reviewed by Associated Press, Butina reached out to EFF's director of cybersecurity (and perhaps coincidentally, American-born Russian and Russian speaker) Eva Galperin and requested Galperin's "expertise." That got Butina and others on her team a conference call with Galperin. AP reported that Galperin "did not make the connection with the arrested Russian until the AP contacted her. She said the students asked general questions about the threat landscape and that she passed along no sensitive information."
This is a good thing, but also an extremely worrisome thing, chiefly because Butina didn't have diplomatic cover. According to former FBI special agent Asha Rangappa, who spoke with CNN, "most spies are here under diplomatic cover precisely so if they get caught, they have diplomatic immunity."
"If the government has evidence that she was acting at the direction and control of Russia, that makes her an agent of a foreign power, which means she would have been a legitimate target for FISA surveillance," she said. "Anyone talking to her at that time would be captured on that as well. I agree with [CNN analyst Jack Quinn] that there could be many other people who should be concerned at this point."
Ms. Butina's story is only beginning to unfold. Let's just hope the collateral damage doesn't go any wider than it needs to.