In the wee hours of June 14, the Washington Post revealed that "Russian government hackers" had penetrated the computer network of the Democratic National Committee. Foreign spies, the Post claimed, had gained access to the DNC's entire database of opposition research on the presumptive Republican nominee, Donald Trump, just weeks before the Republican Convention. Hillary Clinton said the attack was "troubling."
It began ominously. Nearly two months earlier, in April, the Democrats had noticed that something was wrong in their networks. Then, in early May, the DNC called in CrowdStrike, a security firm that specializes in countering advanced network threats. After deploying their tools on the DNC's machines, and after about two hours of work, CrowdStrike found "two sophisticated adversaries" on the Committee's network. The two groups were well-known in the security industry as "APT 28" and "APT 29." APT stands for Advanced Persistent Threat—usually jargon for spies.
CrowdStrike linked both groups to "the Russian government's powerful and highly capable intelligence services." APT 29, suspected to be the FSB, had been on the DNC's network since at least summer 2015. APT 28, identified as Russia's military intelligence agency GRU, had breached the Democrats only in April 2016, and probably tipped off the investigation. CrowdStrike found no evidence of collaboration between the two intelligence agencies inside the DNC's networks, "or even an awareness of one by the other," the firm wrote.
This was big. Democratic political operatives suspected that not one but two teams of Putin's spies were trying to help Trump and harm Clinton. The Trump campaign, after all, was getting friendly with Russia. The Democrats decided to go public.
The DNC knew that this wild claim would have to be backed up by solid evidence. A Post story wouldn't provide enough detail, so CrowdStrike had prepared a technical report to go online later that morning. The security firm carefully outlined some of the allegedly "superb" tradecraft of both intrusions: the Russian software implants were stealthy, they could sense locally-installed virus scanners and other defenses, the tools were customizable through encrypted configuration files, they were persistent, and the intruders used an elaborate command-and-control infrastructure. So the security firm claimed to have outed two intelligence operations.
Then, the next day, the story exploded.
On June 15 a WordPress blog popped up out of nowhere. And, soon, a Twitter account, @GUCCIFER_2. The first post and tweet were clumsily titled: "DNC's servers hacked by a lone hacker." The message: that it was not hacked by Russian intelligence. The mysterious online persona claimed to have given "thousands of files and mails" to Wikileaks, while mocking the firm investigating the case: "I guess CrowdStrike customers should think twice about company's competence," the post said, adding "Fuck CrowdStrike!!!!!!!!!"
Along with the abuse, the Guccifer 2.0 account started publishing stolen DNC documents on the WordPress blog, on file sharing sites, and by giving "a few docs from many thousands" to at least two US publications, The Smoking Gun and Gawker. Mainstream media outlets quickly picked up the story and covered the Clinton campaign's opposition research on Trump in hundreds of news items that revealed pre-rehearsed arguments against the presumptive Republican nominee: that "Trump has no core"; that he is a "bad businessman"; and that he should be branded "misogynist in chief." Donor lists were leaked along with personal contact details and juicy dollar amounts.
The Guccifer 2.0 account also claimed that it had given an unknown number of documents containing "election programs, strategies, plans against Reps, financial reports, etc" to Wikileaks. Two days later, Wikileaks published a massive 88 gigabyte encrypted file as "insurance." This file, which Julian Assange could unlock by simply tweeting a key, is widely suspected to contain the DNC cache. On July 13, almost a month after the hack became public, the intruders leaked selected files exclusively to The Hill, a Washington outlet for Congressional and political news, and then made the original files available later.
Nine days later, on July 22, just after Trump was officially nominated and before the Democratic National Convention got under way, Wikileaks published more than 19,000 DNC emails with more than 8,000 attachments—"i sent them emails, i posted some files in my blog," Guccifer confirmed by DM, when asked if he shared all files with Julian Assange. Two days later, on July 24, Debbie Wasserman Schultz, chair of the Democratic National Committee, announced her resignation—the extraordinary hack and leak had helped force out the head of one of America's political parties and threatened to disrupt Hillary Clinton's nominating convention.
This tactic and its remarkable success are a game-changer: exfiltrating documents from political organisations is a legitimate form of intelligence work. The US and European countries do it as well. But digitally exfiltrating and then publishing possibly manipulated documents disguised as freewheeling hacktivism is crossing a big red line and setting a dangerous precedent: an authoritarian country directly yet covertly trying to sabotage an American election.
So how good is the evidence? And what does all this mean?
The forensic evidence linking the DNC breach to known Russian operations is very strong. On June 20, two competing cybersecurity companies, Mandiant (part of FireEye) and Fidelis, confirmed CrowdStrike's initial findings that Russian intelligence indeed hacked the DNC. The forensic evidence that links network breaches to known groups is solid: used and reused tools, methods, infrastructure, even unique encryption keys. For example: in late March the attackers registered a domain with a typo—misdepatrment[.]com—to look suspiciously like the company hired by the DNC to manage its network, MIS Department. They then linked this deceptive domain to a long-known APT 28 so-called X-Tunnel command-and-control IP address, 45.32.129[.]185.
One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address—176.31.112[.]10—that was hard coded in a piece of malware found both in the German parliament as well as on the DNC's servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.
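The two infrastructure traces described above, a lookalike domain and reused command-and-control addresses, are exactly what a defender can hunt for in DNS and connection logs. The following is an added example, not code from the article or from any of the firms it names: the contractor's legitimate domain misdepartment.com, the log format and the log lines are assumptions constructed for the demonstration, while the two IP addresses are the ones quoted in the text.

```python
import re

# The two command-and-control addresses quoted in the article, refanged for matching.
KNOWN_C2 = {
    "45.32.129[.]185".replace("[.]", "."): "APT 28 X-Tunnel C2",
    "176.31.112[.]10".replace("[.]", "."): "C2 also hard-coded in the Bundestag malware",
}
# Assumed legitimate domain of the DNC's IT contractor (not stated in the article).
TRUSTED_DOMAINS = ["misdepartment.com"]

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'depatrment' is one step away from 'department'."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(domain: str, max_dist: int = 2):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and osa_distance(domain, trusted) <= max_dist:
            return trusted
    return None

# Constructed log format: "<timestamp> <source host> dns|conn <domain or IP>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|conn) (?P<target>\S+)$")

def scan_log(lines):
    """Alert on connections to known C2 and on lookups of lookalike domains."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        target = m["target"].lower()
        if m["kind"] == "conn" and target in KNOWN_C2:
            alerts.append((m["ts"], m["src"], "known C2 %s: %s" % (target, KNOWN_C2[target])))
        elif m["kind"] == "dns" and lookalike_of(target):
            alerts.append((m["ts"], m["src"], "lookalike of %s: %s" % (lookalike_of(target), target)))
    return alerts

# Constructed sample log lines; timestamps and internal hosts are invented.
SAMPLE_LOG = """\
2016-04-19T10:02:11Z 10.0.0.21 dns misdepartment.com
2016-04-19T10:02:12Z 10.0.0.21 dns misdepatrment.com
2016-04-19T10:05:40Z 10.0.0.21 conn 45.32.129.185
2016-04-20T08:00:00Z 10.0.0.33 conn 176.31.112.10
2016-04-20T08:00:01Z 10.0.0.33 dns example.org
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` yields three alerts: the transposed-letter lookup and the two connections to the quoted addresses, while the exact contractor domain and example.org pass silently.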
The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation—a GRU false flag, in technical jargon—is still highly likely. Intelligence operatives and cybersecurity professionals have long known that such false flags were becoming more common. One noteworthy example was the sabotage of France's TV5 Monde station on 9/10 April 2015, initially claimed by the mysterious "CyberCaliphate," a group allegedly linked to ISIS. Then, in June, the French authorities suspected the same infamous APT 28 group behind the TV5 Monde breach, in preparation since January of that year. But the DNC deception is the most detailed and most significant case study so far. The technical details are as remarkable as its strategic context.
The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named "Феликс Эдмундович," a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.
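A forensic check of the kind described above, written as an added example (not the article's own analysis or any firm's code): it builds a small .docx in memory and pulls out the editor name, the run-language tags and any Cyrillic strings, which is how the traces in the first dump surface. The sample document, its author names and the error string inside it are constructed for the demonstration, not taken from the leaked files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")

# Constructed sample, not one of the leaked files: a Cyrillic editor name in the core
# properties, a ru-RU run language, and a Cyrillic error string in the body.
CORE_XML = (
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s">'
    "<dc:creator>sample author</dc:creator>"
    "<cp:lastModifiedBy>Феликс Эдмундович</cp:lastModifiedBy></cp:coreProperties>"
) % NS
DOCUMENT_XML = (
    '<w:document xmlns:w="%(w)s"><w:body>'
    '<w:p><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>Opposition research</w:t></w:r></w:p>'
    '<w:p><w:r><w:rPr><w:lang w:val="ru-RU"/></w:rPr>'
    "<w:t>Ошибка! Недопустимый объект гиперссылки.</w:t></w:r></w:p></w:body></w:document>"
) % NS

def build_sample_docx() -> bytes:
    """Zip the two XML parts the way a .docx package stores them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()

def inspect_docx(data: bytes) -> dict:
    """Extract authorship, run languages and Cyrillic strings, then flag what stands out."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        body = ET.fromstring(z.read("word/document.xml"))
    r = {"flags": [], "languages": set(), "cyrillic_text": []}
    for key, path in (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy")):
        el = core.find(path, NS)
        r[key] = el.text if el is not None else None
        if r[key] and CYRILLIC.search(r[key]):
            r["flags"].append("Cyrillic " + key)
    for el in body.iterfind(".//w:lang", NS):
        r["languages"].update(el.attrib.values())  # w:val, w:eastAsia, w:bidi
    if any(lang.lower().startswith("ru") for lang in r["languages"]):
        r["flags"].append("Russian language tag in document body")
    r["cyrillic_text"] = [t.text for t in body.iterfind(".//w:t", NS)
                          if t.text and CYRILLIC.search(t.text)]
    if r["cyrillic_text"]:
        r["flags"].append("Cyrillic body text, e.g. a localised Word error string")
    return r
```

On a real file, replace `build_sample_docx()` with the bytes of the document under review; an empty `flags` list on a document that claims a non-Russian origin is what you would expect, and each populated flag is a lead to examine, not proof on its own.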
Then there is the language issue. "I hate being attributed to Russia," the Guccifer 2.0 account told Motherboard, probably accurately. The person at the keyboard then claimed in a chat with Motherboard's Lorenzo Franceschi-Bicchierai that Guccifer 2.0 was from Romania, like the original Guccifer, a well-known hacker. But when asked to explain his hack in Romanian, he was unable to respond colloquially and without errors. Guccifer 2.0's English initially was also weak, but in subsequent posts the quality improved sharply, albeit only on political subjects, not in technical matters—an indication of a team of operators at work behind the scenes.
Other features are also suspicious. One is timing, as ThreatConnect, another security company, has pointed out in a useful analysis: various timestamps indicate that the Guccifer-branded leaking operation was prompted by the DNC's initial publicity, with preparation starting around 24 hours after CrowdStrike's report came out. Both APT 28 and Guccifer were using French infrastructure for communications. ThreatConnect then pointed out that both the self-proclaimed hacker's technical statements on the use of 0-day exploits as well as the alleged timeline of the DNC breach are most likely false. Another odd circumstantial finding: sock-puppet social media accounts may have been created specifically to amplify and extend Guccifer's reach, as UK intelligence startup Ripjar told me.
Perhaps most curiously, the Guccifer 2.0 account, from the beginning, was not simply claiming to have breached the DNC network; it was also claiming that the two Russian actors were not on the DNC network at the same time. It is common to find multiple intruders in tempting yet badly defended networks. Nevertheless, the Guccifer 2.0 account claimed confidently, and with no supporting evidence, that the breach was the work of a "lone hacker"—a phrasing that seems designed to deflect blame from Russia. Guccifer 2.0's availability to journalists was also surprising, and something new altogether.
The combative yet error-prone handling of the Guccifer account is in line with the GRU's aggressive and risk-taking organizational culture and a wartime mindset prevalent in the Russian intelligence community. Russia's agencies see themselves as instruments of direct action, working in support of a fragile Russia under siege by the West, especially the United States.
The larger operation, with its manipulative traits, fits well into the wider framework of Russia's evolving military doctrine, known as New Generation Warfare or the "Gerasimov Doctrine," named after Valery Gerasimov, the current Chief of the General Staff of the Armed Forces. This new mindset drastically expands what qualifies as a military target, and it expands what qualifies as military tactic. Deception and disinformation are part and parcel of this new approach, as are "camouflage and concealment," as the Israeli analyst Dima Adamsky pointed out in an important study of Russia's evolving strategic art published in November last year.
"Informational struggle," Adamsky observes, is at the center of New Generation Warfare. Informational struggle means "technological and psychological components designed to manipulate the adversary's picture of reality, misinform it, and eventually interfere with the decision-making process of individuals, organizations, governments, and societies."
The Guccifer 2 operation appears to be designed and executed as part of a wider "informational struggle." The implications are highly significant.
First, the operation is not over. The Russian spies got their hands on a large number of files from inside and beyond the Democratic National Committee. APT 29—the suspected FSB-controlled group—had protracted access to the DNC's email messages, chats, attachments, and more. Russian groups have also targeted Clinton's wider campaign organisation at least since October 2015. Guccifer 2.0, in an email to The Smoking Gun, even claimed to have "some secret documents from Hillary's PC she worked with as the Secretary of State." It is unclear if this assertion is accurate, and indeed it is unclear if all leaked documents are actually sourced from the DNC breach. About three weeks later, on July 5, the FBI's James Comey assessed that it was "possible that hostile actors gained access to Secretary Clinton's personal email account." The DNC intruders are likely to retain or regain some of this access. Moreover, the Guccifer 2.0 account has now been established as a venue to distribute leaked documents. More activity, if not escalation, is to be expected.
Second, stolen documents leaked in an influence operation are not fully trustworthy. Deception operations are designed to deceive. The metadata show that the Russian operators apparently edited some documents, and in some cases created new documents after the intruders were already expunged from the DNC network on June 11. A file called donors.xls, for instance, was created more than a day after the story came out, on June 15, most likely by copy-pasting an existing list into a clean document.
Although so far the actual content of the leaked documents appears not to have been tampered with, manipulation would fit an established pattern of operational behaviour in other contexts, such as troll farms or planting fake media stories. Subtle (or not so subtle) manipulation of content may be in the interest of the adversary in the future. Documents that were leaked by or through an intelligence operation should be handled with great care, and journalists should not simply treat them as reliable sources.
Third, the DNC operation is unlikely to remain an exception. The political influencing as well as the deception worked, at least partly. The DNC's ability to use its opposition research in surprise against Trump has been blunted, and some media outlets lampooned Clinton—not a bad outcome for an operation with little risk or cost for the perpetrators.
Another takeaway: the deception does not have to be executed with perfection; it is sufficient simply to spread doubt. High journalistic standards, paradoxically, work in GRU's favour, as stories come with the Kremlin's official denials casting doubt as well as pundits second-guessing even solid forensic evidence. If other intelligence agencies also assess that this operation was a success, even if only a moderate one, then more such false flag influence operations are likely in future elections, especially in Europe.
Democracies, finally, have a double disadvantage. General election campaigns and their ad-hoc organisations offer a soft, juicy target: improvised and badly secured networks, highly combustible content, all combined with a reluctance on the part of law enforcement agencies and private sector companies to wade into what could easily become a high-stakes political mess.
Offenders, however, will also find such online operations newly risky. Operational security was rather different in traditional spying and offline sabotage ops. The Guccifer 2 team probably underestimated the remarkable crowdsourced forensic scrutiny that their advanced political trolling would trigger—with a good deal of that analysis playing out on Twitter, nearly in real-time, for example by one experienced analyst posting as Pwn All The Things.
Not reacting politically to the DNC hack is setting a dangerous precedent. A foreign agency, exploiting Wikileaks and a cutthroat media marketplace, appears to be carefully planning and timing a high-stakes political campaign in the United States that could escalate next week, next fall, or next time. Trump, ironically, is right: the system is actually rigged.
American inaction now risks establishing a de facto norm that all election campaigns in the future, everywhere, are fair game for sabotage—sabotage that could potentially affect the outcome and tarnish the winner's legitimacy. Inaction also risks squandering the deterrent effects created by the White House's reaction to North Korea's role in the infamous Sony Hack, as well as the US Department of Justice indictments of Chinese and Iranian operatives. Remarkably, so far the only countries that have had the confidence to call out aggressive Russian operations are Germany along with Switzerland and France in a more limited way.
It is time for the United States (and the United Kingdom) to pull their weight: by publishing more evidence, by signalling political consequences for the perpetrators, by treating Wikileaks as a legitimate counter-intelligence target, and by providing not only physical but also improved digital security to candidates and campaigns in the future.
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about.