Thomas Rid, one of the world’s leading analysts of cyber-warfare, writes for Esquire:


…This sort of [electronic] espionage was business as usual, a continuation of long-standing practice. And during the Cold War, both the USSR and the United States subtly, and sometimes covertly, interfered with foreign elections. What changed over the past year, however — what made the DNC [Democratic National Committee] hack feel new and terrifying — was Russia’s seeming determination to combine the two. For the first time, Russia used a hacking operation, one that collected and released massive quantities of stolen information, to meddle in an American presidential election. The inspiration and template for this new attack was a poisonous cocktail of fact and fabrication that the Russians call kompromat, for “compromising material”.

Kompromat had been deployed by the Soviet Union since at least the 1950s, but in 1999 the Kremlin gave the tactic a high-tech update. With parliamentary elections fast approaching, and with post-USSR corruption at a peak, the government of president Boris Yeltsin used anonymous websites to sling mud at opposition candidates. One notorious kompromat repository was run specifically to slander the mayor of Moscow, a rising star in the opposition with his eyes on the presidency. In 2009, a senior British diplomat working in Russia was forced to resign after the appearance online of a four-minute video that showed him having sex with two blond women in a brothel.

One of the first American targets of kompromat was Victoria Nuland, who served as the top U. S. diplomat for Europe during Obama’s second term. In February 2014, at the peak of the crisis in Ukraine, Nuland was surreptitiously recorded while speaking on the phone with the U. S. ambassador to Kiev. Frustrated with Europe’s lackluster response to the Ukrainian crisis, Nuland said, “Fuck the EU”. Shortly after, an aide to the Russian Deputy Prime Minister tweeted a link to a recording of the intercepted phone call. The State Department called the leak “a new low in Russian tradecraft”.

Hacking the Democratic National Committee

The Nuland leak prompted a minor diplomatic hiccup between the European Union and the United States. But the kompromat campaign of the past year appears to be aimed at much bigger game: the American electoral system. According to Reuters, the FBI first contacted the DNC in the fall of 2015, obliquely warning the Democrats to examine their network. It wasn’t until May, however, that the DNC asked for help from a cybersecurity company called CrowdStrike, which had experience identifying digital espionage operations by nation-states. CrowdStrike immediately discovered two sophisticated groups of spies that were stealing documents from the Democrats by the thousands.

CrowdStrike was soon able to reconstruct the hacks and identify the hackers. One of the groups, known to the firm as Cozy Bear, had been rummaging around the DNC since the previous summer. The other, known as Fancy Bear, had broken in not long before Putin’s appearance at the St. Petersburg forum. Surprisingly, given that security researchers had long suspected that both groups were directed by the Russian government, each of the attackers seemed unaware of what the other was doing.

Meanwhile a mysterious website named DC Leaks was registered on April 19. In early June, a Twitter account associated with the site started linking to the private conversations of Philip Breedlove, who had been, until a few weeks earlier, NATO’s Supreme Allied Commander in Europe. DC Leaks was well designed, but nobody seems to have noticed it until early July.

On June 14, less than an hour after The Washington Post reported the breach at the DNC, CrowdStrike posted a report that detailed the methods used by the intruders. The firm also did something unusual: It named the Russian spy agencies it believed responsible for the hack. Fancy Bear, the firm said, worked in a way that suggested affiliation with the GRU. Cozy Bear was linked to the FSB.

The Russian Mistakes

The day after the Post story broke, a website appeared that claimed to belong to a hacker who identified himself as Guccifer 2.0. (Guccifer was the nickname of a Romanian hacker who, among other things, broke into the email account of George W. Bush’s sister.) The operators, posing as Guccifer 2.0, dismissed CrowdStrike’s attribution, insisting instead that the DNC had been “hacked by a lone hacker.” As proof, Guccifer published eleven documents from the DNC, including an opposition-research file on Donald Trump and a list of major Democratic donors. In the weeks that followed, Guccifer offered interviews and batches of documents to several journalists, but he wrote that “the main part of the papers, thousands of files and mails, I gave to WikiLeaks”.

Ultimately, more than two thousand confidential files from the DNC found their way to the public. Throughout the campaign, Guccifer maintained that he was the only person behind the hacking and leaking. “This is my personal project and I’m proud of it,” he—or they—wrote in late June. But several sloppy mistakes soon revealed who was really behind the operation. The unraveling happened more quickly than anybody could have anticipated.

As soon as Guccifer’s files hit the open Internet, an army of investigators—including old-school hackers, former spooks, security consultants, and journalists—descended on the hastily leaked data. Informal, self-organized groups of sleuths discussed their discoveries over encrypted messaging apps such as Signal. Many of the self-appointed analysts had never met in person, and sometimes they didn’t know one another’s real names, but they were united in their curiosity and outrage. The result was an unprecedented open-source counterintelligence operation: Never in history was intelligence analysis done so fast, so publicly, and by so many.

Matt Tait, a former GCHQ operator who tweets from the handle @pwnallthethings, was particularly prolific. Hours after the first Guccifer 2.0 dump, on the evening of June 15, Tait found something curious. One of the first leaked files had been modified on a computer using Russian-language settings by a user named “Feliks Dzerzhinsky.” Dzerzhinsky was the founder of the Cheka, the Soviet secret police—a figure whose mythic renown was signaled by a fifteen-ton bronze statue that once stood in front of KGB headquarters. Tait tweeted an image of the document’s metadata settings, which, he suggested, revealed a failure of operational security.
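The metadata check described above, as an added illustration rather than the article's or the analysts' own tooling: it constructs a minimal DOCX whose core properties and run language mimic the clue (the sample author, editor name and language tag are constructed values), then pulls out the creator, last editor and language tags a defender would extract from any leaked or suspicious Office file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the OOXML (DOCX) package parts we inspect.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX (not a real leaked file) with a last-editor name and ru-RU run language."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>constructed-author</dc:creator>"
        "<cp:lastModifiedBy>Feliks Dzerzhinsky</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:r>'
        '<w:rPr><w:lang w:val="ru-RU"/></w:rPr><w:t>sample</w:t>'
        "</w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def extract_docx_metadata(data: bytes) -> dict:
    """Return creator, last editor and every language tag found in run/paragraph/style properties."""
    result = {"creator": None, "last_modified_by": None, "languages": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            result["creator"] = root.findtext("dc:creator", namespaces=NS)
            result["last_modified_by"] = root.findtext("cp:lastModifiedBy", namespaces=NS)
        # w:lang carries val/eastAsia/bidi attributes; styles.xml holds the document defaults.
        for part in ("word/document.xml", "word/styles.xml"):
            if part in names:
                for lang in ET.fromstring(z.read(part)).iter(f"{{{NS['w']}}}lang"):
                    result["languages"].update(lang.attrib.values())
    return result
```

Real files carry the same fields in docProps/app.xml and in revision tracking (w:ins/w:del author attributes), which the same approach covers by adding those parts to the loop.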

A second mistake had to do with the computer that had been used to control the hacking operation. Researchers found that the malicious software, or malware, used to break into the DNC was controlled by a machine that had been involved in a 2015 hack of the German parliament. German intelligence later traced the Bundestag breach to the Russian GRU, aka Fancy Bear.

There were other errors, too, including a Russian smile emoji—“)))”—and emails to journalists that explicitly associated Guccifer 2.0 with DC Leaks, as the cybersecurity firm ThreatConnect pointed out. But the hackers’ gravest mistake involved the emails they’d used to initiate their attack. As part of a so-called spear-phishing campaign, Fancy Bear had emailed thousands of targets around the world. The emails were designed to trick their victims into clicking a link that would install malware or send them to a fake but familiar-looking login site to harvest their passwords. The malicious links were hidden behind short URLs of the sort often used on Twitter.

To manage so many short URLs, Fancy Bear had created an automated system that used a popular link-shortening service called Bitly. The spear-phishing emails worked well—one in seven victims revealed their passwords—but the hackers forgot to set two of their Bitly accounts to “private.” As a result, a cybersecurity company called SecureWorks was able to glean information about Fancy Bear’s targets. Between October 2015 and May 2016, the hacking group used nine thousand links to attack about four thousand Gmail accounts, including targets in Ukraine, the Baltics, the United States, China, and Iran. Fancy Bear tried to gain access to defense ministries, embassies, and military attachés. The largest group of targets, some 40 percent, were current and former military personnel. Among the group’s recent breaches were the German Parliament, the Italian military, the Saudi Foreign Ministry, the email accounts of Philip Breedlove, Colin Powell, and John Podesta — Hillary Clinton’s campaign chairman — and, of course, the DNC.

Moscow’s Media Victory

The rapid public reconstruction of the DNC break-in appears to have caught the hackers off guard. Researchers surmised that the Russian spies had not expected to be identified so quickly, a theory that would explain, among other things, the peculiar animus Guccifer seemed to have for CrowdStrike. According to this hypothesis, the tradecraft blunders that Tait and others had identified were the result of a hasty effort by the GRU to cover its tracks.

As if to regroup after the initial rush of activity, Guccifer and DC Leaks went quiet at the end of June. But the 2016 presidential campaign, already the most bizarre in living memory, had a further surprise in store, one that worked in favor of the Russians. At a time when only 32 percent of Americans say that they trust the media to report the news fairly and accurately, the hackers were about to learn that getting called out publicly didn’t really matter: Their kompromat operations would still work just fine.

On July 22, three days before the Democratic National Convention in Philadelphia, WikiLeaks published the largest trove of files to date, which included nearly twenty thousand hacked emails. Press coverage of the release quickly centered on emails that suggested a bias among some DNC staffers in favor of Hillary Clinton. The leaked emails lent credence to a suspicion held by some Democrats that the party establishment had never intended to give Bernie Sanders, Clinton’s opponent in the primaries, a fair shake. Protesters in Philadelphia held up signs that read “election fraud” and “dnc leaks shame”. One day before the convention, the Russian kompromat campaign took its first trophy: Debbie Wasserman Schultz, the DNC chair, resigned from the organization.

The episode shocked the Democratic establishment, not least because of what it augured for the future. As Clinton’s lead in the polls widened after the convention, commentators began to speculate that a damaging leak late in the campaign might be the only chance for Donald Trump to win the election. Fears of a Russia-sponsored October surprise grew as it became clearer that the subversion effort was improving. When files appeared, they were now scrubbed of the sort of distinguishing metadata that had allowed analysts to trace the leak back to Russian intelligence.

The operators behind Guccifer and DC Leaks also appear to have recognized that American journalists were desperate for scoops, no matter their source. The Russians began to act like a PR agency, providing access to reporters at Politico, The Intercept, and BuzzFeed. Journalists were eager to help. On August 27, when part of the DC Leaks website was down for some reason, Twitter suspended the @DCLeaks account. The Daily Caller, a conservative news website, posted a story about the events, drawing an outcry from Trump supporters. Lou Dobbs, the Fox Business anchor, sneered that “leftist fascism” was throttling the last best hope for a Trump victory. Twitter soon reinstated @DCLeaks.

The most effective outlet by far, however, was WikiLeaks. Russian intelligence likely began feeding hacked documents to Julian Assange’s “whistleblower” site in June 2015, after breaching Saudi Arabia’s foreign ministry. A group called WikiSaudiLeaks, probably a Guccifer-like front for Fancy Bear, claimed that “WikiLeaks have been given access to some part of these documents”. The so-called Saudi Cables showed princes buying influence and monitoring dissidents. They became a major news story, proving that the old methods worked even better in the twenty-first century.

A leak released at the end of this past summer showed how frictionlessly the kompromat campaign was able to operate in the fact-free atmosphere of the 2016 American presidential campaign. In late September, DC Leaks published hundreds of emails from the account of a twenty-two-year-old freelancer for the Clinton campaign. Lachlan Markay, a reporter for The Washington Free Beacon, found an audio clip buried deep in the cache. In the recording, which was made at a fundraiser in Virginia, Hillary Clinton could be heard describing Sanders supporters as “children of the Great Recession” who “are living in their parents’ basement.” The comments were clumsy but, in context, hardly damning; Clinton was describing the appeal of Sanders’s “political revolution” for young voters. (“We want people to be idealistic,” she said.) Nevertheless, within a few days, Donald Trump was telling a roaring crowd in Pennsylvania, “Clinton thinks Bernie supporters are hopeless and ignorant basement dwellers.”

Read full article….