The Russian hackers indicted by the U.S. special prosecutor last month have spent years trying to steal the private correspondence of some of the world's most senior Orthodox Christian figures, The Associated Press has found, illustrating the high stakes as Kiev and Moscow wrestle over the religious future of Ukraine.
The targets included top aides to Ecumenical Patriarch Bartholomew I, who often is described as the first among equals of the world's Eastern Orthodox Christian leaders.
The Istanbul-based patriarch is currently mulling whether to accept a Ukrainian bid to tear that country's church from its association with Russia, a potential split fueled by the armed conflict between Ukrainian military forces and Russia-backed separatists in eastern Ukraine.
The AP's evidence comes from a hit list of 4,700 email addresses supplied last year by Secureworks, a subsidiary of Dell Technologies.
The AP has been mining the data for months, uncovering how a group of Russian hackers widely known as Fancy Bear tried to break into the emails of U.S. Democrats , defense contractors , intelligence workers , international journalists and even American military wives . In July, as part of special counsel Robert Mueller's ongoing investigation into Russian interference in the 2016 U.S. election, a U.S. grand jury identified 12 Russian intelligence agents as being behind the group's hack-and-leak assault against Hillary Clinton's presidential campaign.
The targeting of high-profile religious figures demonstrates the wide net cast by the cyberspies.
Patriarch Bartholomew claims the exclusive right to grant a "Tomos of Autocephaly," or full ecclesiastic independence, sought by the Ukrainians. It would be a momentous step, splitting the world's largest Eastern Orthodox denomination and severely eroding the power and prestige of the Moscow Patriarchate, which has positioned itself as a leading player within the global Orthodox community.
Ukraine is lobbying hard for a religious divorce from Russia and some observers say the issue could be decided as soon as next month.
"If something like this will take place on their doorstep, it would be a huge blow to the claims of Moscow's transnational role," said Vasilios Makrides, a specialist in Orthodox Christianity at the University of Erfurt in Germany. "It's something I don't think they will accept."
The Kremlin is scrambling to help Moscow's Patriarch Kirill retain his traditional role as the head of the Ukrainian Orthodox Church and "the more they know, the better it is for them," Makrides said.
The Russian Orthodox Church said it had no information about the hacking and declined comment. Russian officials referred the AP to previous denials by the Kremlin that it has anything to do with Fancy Bear, despite a growing body of evidence to the contrary.
Ukrainian President Petro Poroshenko flew to Istanbul in April in an effort to convince the patriarch to agree to a split, which he has described as "a matter of our independence and our national security." Moscow's Patriarch Kirill is flying to Turkey later this week in a last-ditch bid to prevent it.
Hilarion Alfeyev, Kirill's representative abroad, has warned that granting the Tomos could lead to the biggest Christian schism since 1054, when Catholic and Orthodox believers parted ways.
"If such a thing happens, Orthodox unity will be buried," Alfeyev said.
The issue is an extraordinarily sensitive one for the Ecumenical Patriarchate. Reached by phone, spokesman Nikos-Giorgos Papachristou said: "I don't want to be a part of this story."
Other church officials spoke to the AP about the hacking on condition of anonymity, saying they did not have authorization to speak to the media.
Bartholomew, who is 78, does not use email, those church officials told AP. But his aides do, and the Secureworks list spells out several attempts to crack their Gmail accounts.
Among them were several senior church officials called metropolitans, who are roughly equivalent to archbishops in the Catholic tradition. Those include Bartholomew Samaras, a key confidante of the patriarch; Emmanuel Adamakis, an influential hierarch in the church; and Elpidophoros Lambriniadis, who heads a prestigious seminary on the Turkish island of Halki. All are involved in the Tomos issue; none returned recent AP messages seeking comment.
Spy games have long been a part of the Russian Orthodox world.
The Soviet Union slaughtered tens of thousands of priests in the 1930s, but the Communists later took what survived of the church and brought it under the sway of Russia's secret police, the KGB, with clerics conscripted to spy on congregants and emigres.
The nexus between Russia's intelligence and religious establishments survived the 1991 fall of the Soviet Union and the KGB's reorganization into the FSB, according to Moscow-based political analyst Dmitry Oreshkin.
"Our church leaders are connected to the FSB and their epaulettes stick out from under their habits," Oreshkin said. "They provide Vladimir Putin's policy with an ideological foundation."
That might make one target found by the AP seem curious: The Moscow Patriarch's press secretary, Alexander Volkov.
But Orthodox theologian Cyril Hovorun said he wouldn't be surprised to see a Russian group spying on targets close to home, saying, "they're probably checking him out just in case."
Volkov did not return AP emails seeking comment.
Hovorun is unusually qualified to speak on the issue. In 2012 he — like Volkov — was an official within the Moscow Patriarchate. But he resigned after someone leaked emails showing that he secretly supported independence-leaning Ukrainian clergy.
Hovorun has since been targeted by the Russian hackers, according to the data from Secureworks, which uses the name Iron Twilight to refer to the group.
Hovorun said he believes that those who published his emails six years ago weren't related to Fancy Bear, but he noted that their modus operandi — stealing messages and then publishing them selectively — was the same.
"We've known about this tactic before the hacking of the Democrats," Hovorun said, referring to the email disclosures that rocked America's 2016 presidential campaign. "This is a familiar story for us."
The Russian hackers' religious dragnet also extended to the United States and went beyond Orthodox Christians, taking in Muslims, Jews and Catholics whose activities might conceivably be of interest to the Russian government.
John Jillions, the chancellor of the Orthodox Church in America, provided the AP with a June 19, 2015, phishing email that Secureworks later confirmed was sent to him by Fancy Bear.
Fancy Bear also went after Ummah, an umbrella group for Ukrainian Muslims; the papal nuncio in Kiev; and an account associated with the Ukrainian Greek-Catholic Church, a Byzantine rite church that accepts the authority of the Vatican, the Secureworks data shows.
Also on the hit list: Yosyp Zisels, who directs Ukraine's Association of Jewish Organizations and Communities and has frequently been quoted defending his country from charges of anti-Semitism. Zisels said he had no knowledge of the attempted hacking. Vatican officials did not return messages.
Protestants were targeted too, including three prominent Quakers operating in the Moscow area.
Hovorun said Protestants were viewed with particularly intense suspicion by the Kremlin.
"There is an opinion shared by many in the Russian establishment that all those religious groups — like Quakers, evangelicals — they are connected to the American establishment," he said.
Secureworks' data shows hacking attempts on religious targets that took place in 2015 and 2016, but other material obtained by the AP suggests attempts to compromise the Ecumenical Patriarchate are ongoing.
On Oct. 16, 2017, an email purporting to come from Papachristou, who was just being appointed as spokesman, arrived in the inboxes of about a dozen Orthodox figures.
"Dear Hierarchs, Fathers, Brothers and Sisters in Christ!" it began, explaining that Papachristou was stepping into his new role as director of communications. "It's a very big joy for me to serve the Church on this position. Some suggestions on how to build up relations with the public and the press are provided in the file attached."
The file was rigged to install surveillance software on the recipients' computers.
The email's actual sender remains a mystery — independent analyses of the malicious message by Secureworks and its competitor CrowdStrike yielded nothing definitive.
Church officials told the AP they were disturbed by the hacker's command of church jargon and their inside knowledge of Papachristou's appointment.
"The one who made this is someone who knows us," one official said.
Priests and prelates don't make obvious targets for cyberespionage, but the stakes for the Kremlin are high as the decision on Tomos looms.
Granting the Ukrainian church full independence "would be that devastating to Russia," said Daniel Payne, a researcher on the board of the J.M. Dawson Institute of Church-State Studies at Baylor University in Texas.
"Kiev is Jerusalem for the Russian Orthodox people," Payne said. "That's where the sacred relics, monasteries, churches are ... it's sacred to the people, and to Russian identity."
Francesca Ebel and Nataliya Vasilyeva in Moscow contributed to this report.
The October, 2017 malicious email:
Raphael Satter can be reached at: http://raphaelsatter.com