8 WHEN CYBER BEARS ATTACK

Once is happenstance. Twice is coincidence. Three times is enemy action.

—Ian Fleming

Cyber Bears! Attack!

At some point early in the fall of 2015 the National Security Agency and the FBI cyber division had indications of unusual activity related to Democratic National Committee servers. The signature of the attempts was familiar, since this was not the first time that foreign entities had attempted to penetrate the networks of U.S. political parties, high-profile persons, or U.S. government agencies. Individual hackers once attempted these penetrations for personal notoriety and bragging rights within the tight and secretive hacking community, but the practice had long since grown into a global business worth billions in stolen data. Some thieves stole Social Security numbers, credit card numbers, and other identity data belonging to ordinary people, in sophisticated exploits that skimmed cash in the blink of an eye. Other groups specialized in stealing large volumes of banking data or attempting large-scale fraud.

It has long been a dictum of warfare that forewarned is forearmed. In business and politics as well, an opponent’s strengths can be blunted and their weaknesses exploited and manipulated. To this end a small, elite network of individual hackers and hacker gangs specializes in stealing corporate secrets to sell or to use for blackmail. A hacker of this ilk will sell the stolen data to business rivals. Whether it is the size of a bid on a contract or nude photos of an opposing CEO’s mistress, data that could previously only have been obtained by physically breaking into a file cabinet or safe can now be extracted safely by a third party, often for a reasonable fee. Throughout the 1990s hacking groups performing these services formed in Eastern Europe, then in West Africa, China, and South Asia. Foreign intelligence agencies often subcontracted their services to see what they could find on targets in America as well.

It was always advisable for the FBI and cyber security companies to warn the political parties before the run-up to an election season. There was a clear history of such hacks, and the FBI told the DNC to be on the lookout for “unusual activity.”1 Director of National Intelligence James Clapper said that the Department of Homeland Security and the FBI had been working “to educate campaigns against potential cyber threats.” Clapper added, “I anticipate as the campaigns intensify, we’ll probably have more of those [attempts].”2

Given the size and scope of their systems, IT divisions have to deal with many different routine hacks and exploits on a regular basis, including nuisance messages, offensive and malicious emails carrying links to archaic viruses, and offers from Nigerian princes. A more critical method of attacking the servers is to flood them with far more traffic than they can handle, whether a tsunami of spam email or a torrent of bogus connection requests, all at once and, in the distributed variant, from many sources simultaneously. This is called a Denial-of-Service (DoS) attack, or a Distributed Denial-of-Service (DDoS) attack when the flood comes from many machines at once. The vast amount of junk data filling the entryways to the server slows down or blocks authorized traffic from entering the system, akin to an internet brown-out. As each bit of valid data competes with the massive quantity of attacker-fed data, the entire system grinds to a halt in a cyber traffic jam. Hence, service is denied. Because each participating machine in a distributed flood may send only a trickle, the attack is hard to stop by simply cutting off any single noisy source.
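The following is an added example, not from the book, illustrating the difference the passage draws between a flood from one source and a flood from many. It runs a sliding-window request counter over constructed web-server log lines (the addresses, timestamps and thresholds are invented for illustration) and shows that a per-source limit catches a single flooding host, while only an aggregate-rate check catches a distributed flood whose bots each stay under the per-source limit.

```python
"""Flood detection over constructed access-log lines (added example, not book code).

Two checks run side by side over a sliding time window:
  * per-source rate: catches one host hammering the server (classic DoS);
  * aggregate rate: catches many hosts each sending a little (DDoS), which
    the per-source check alone misses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "common log" style: IP ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return (source_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = m.group("ts").split()[0]          # drop the "+0000" zone suffix
    return m.group("ip"), datetime.strptime(stamp, TS_FMT)


def detect_floods(lines, window=timedelta(seconds=10),
                  per_source_limit=50, aggregate_limit=150):
    """Sliding-window flood detector.

    Returns {"per_source": set of IPs that exceeded per_source_limit requests
    in any window, "aggregate_breaches": timestamps at which total traffic
    across all sources exceeded aggregate_limit in a window}.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])           # log lines may arrive out of order
    per_source = defaultdict(deque)
    everything = deque()
    flagged = set()
    breaches = []
    for ip, t in events:
        cutoff = t - window
        dq = per_source[ip]
        dq.append(t)
        while dq[0] <= cutoff:                # expire requests older than the window
            dq.popleft()
        if len(dq) > per_source_limit:
            flagged.add(ip)
        everything.append(t)
        while everything[0] <= cutoff:
            everything.popleft()
        if len(everything) > aggregate_limit:
            breaches.append(t)
    return {"per_source": flagged, "aggregate_breaches": breaches}


def build_sample_log():
    """Constructed traffic (RFC 5737 documentation addresses), not a real capture."""
    base = datetime(2016, 7, 27, 9, 0, 0)
    lines = []

    def add(ip, when):
        lines.append('%s - - [%s +0000] "GET /donate HTTP/1.1" 200 512'
                     % (ip, when.strftime(TS_FMT)))

    # Legitimate visitors: 5 hosts, one request every 2 s for 20 s.
    for host in range(1, 6):
        for k in range(10):
            add("192.0.2.%d" % host, base + timedelta(seconds=2 * k))
    # Single-source flood: 80 requests in 4 s from one host.
    for k in range(80):
        add("203.0.113.9", base + timedelta(milliseconds=50 * k))
    # Distributed flood: 40 bots, 6 requests each over 10 s. Every bot stays
    # far below per_source_limit, but together they exceed aggregate_limit.
    for bot in range(1, 41):
        for k in range(6):
            add("198.51.100.%d" % bot, base + timedelta(seconds=10 + 2 * k))
    return lines


if __name__ == "__main__":
    result = detect_floods(build_sample_log())
    print("per-source offenders:", sorted(result["per_source"]))
    print("first aggregate breach:", min(result["aggregate_breaches"]))
```

Run as a script, it names 203.0.113.9 as the only per-source offender and reports the first aggregate breach at 09:00:16, six seconds into the bot traffic, even though no single bot ever exceeds six requests.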

Though the DNC IT security staff did not receive warnings about specific activity, they should have been well aware of previous political exploits. At a minimum, all of the security personnel and their subcontractors should have received briefings about the previous hacks and the signatures that could indicate a real threat coming down the pike. In the end, they were left to fend for themselves. The hackers most likely knew that, since the DNC is a private political organization, its defenses would only be as good as its local IT security, a human-factor weakness to be exploited. The National Security Agency and Cyber Command were not responsible for security outside of government agencies. For all of their vast protective power, the federal agencies gave what was minimally required… a bit of advice.3

The DNC took what precautions it thought were appropriate for the level of risk. Yet others were watching with greater interest. In October 2015, InfoSec Institute, an information security training center, carried out a protective hack known as penetration testing. White-hat hackers at IT security companies perform these defensive hacks to probe the perimeter of a network’s defenses and reveal the holes in the security system. Such tests sometimes reveal only minor vulnerabilities, but more often they expose holes so extensive that a cyber tractor-trailer could pass through without any chance of detection.

It is important to identify and share information on threats: how they have developed and how they currently operate. There are also ways to locate adversaries by examining the metadata in captured files, by analyzing the C2 (command-and-control) servers they use and where stolen data is routed or retrieved, by examining timestamps in that metadata to determine when the malware was built, and by studying how files are deployed and the routine check-ins the attackers conduct. IP addresses found in C2 servers, the locations from which files are retrieved for operations, and IP information in emails can all help determine the source of an attack.

InfoSec Institute’s tests revealed that the DNC servers had massive security flaws, leaving them open to a hack in exactly the same way the Chinese exploited the Obama and McCain campaigns in 2008. The best defense against these threats is regular security updates on the client side, so that defenders stay on top of the latest exploits and zero-day vulnerabilities. Sometimes all of these efforts are overlooked, not shared, or simply fall by the wayside. That is how the DNC got hacked: the sum of its efforts at sharing, comparing, and preparing was like a small rainstorm, and the CYBER BEARS managed to dance between the raindrops.

The Bears Arrive

In April 2016 DNC chief executive officer Amy Dacey contacted DNC lawyer Michael Sussman to let him know that the DNC’s IT department had noticed strange behavior on its system. Sussman was a partner at Perkins Coie who specialized in cybercrime. Sussman contacted Shawn Henry, president of the cybersecurity firm CrowdStrike, to conduct an assessment and determine whether there had been a breach and how deep it went.4 CrowdStrike found that the DNC computers had been breached and that data on contributors, opposition research on candidates, and even the day-to-day inter-office chats and email had been stolen. The whole system had been professionally compromised.

CrowdStrike assessed that COZY BEAR had breached the system in 2015 and had been gathering data for a year. It then found that a second group, FANCY BEAR, had breached the server in April 2016. The intruders gained entry through spear-phishing, the technique of sending a targeted, fraudulent email that entices the victim to click on a link, which connects the victim to a server the hacker controls. In this case, one of the spear-phishing attacks used a fraudulent site with the deliberately misspelled domain “misdepatrment.com.” The link was supposed to connect the target to the MIS Department; instead it sent the user to an identical-looking fake site, a so-called watering hole, that downloaded a malware kit onto the victim’s computer. The malware contained additional modules to spread the infection widely throughout the DNC’s servers.

CrowdStrike discovered that COZY BEAR used a malware kit identified as “SeaDuke” (also called “SeaDaddy”), a backdoor module that was installed as the file “pagemgr.exe.”5 F-Secure noted that SeaDuke was written in the Python programming language, a cross-platform choice that lets the same backdoor run on Linux hosts as well as Windows, an indication that COZY BEAR anticipated targets whose systems might be Linux-based.

To evade security systems, the attackers periodically updated their modules or moved the location of their C2 servers. The report identified the second attack group as APT28, FANCY BEAR. It used a module named “X-Agent” that let it execute remote commands, watch every keystroke through keylogging, and transfer files via the C2 server. The group also used the “X-Tunnel” malware, which opened an encrypted private network channel back to the attackers so that they could operate covertly and issue still more remote commands to the servers. This X-Tunnel sample was hard-coded to connect to the IP address 45.32.129.185, revealing that it had been built specifically for this hack, and it also gave the attackers the ability to extract passwords.

Several cyber security firms have examined the metadata related to the APT28 FANCY BEAR infections. They have nearly unanimously found that several combinations of factors tie this group to a long series of similar infections going back to 2007. In particular, the Internet Protocol (IP) address 176.31.112.10, used for its command-and-control (C2) server, shows up repeatedly in other cyber warfare campaigns.6 This IP was linked to the breaches at the German Bundestag, the DNC, and the DCCC. These same IPs are associated with both the watering-hole attacks and the C2 servers in the DNC and DCCC hacks, revealing their past associations. Another key indicator is the time zone in which the malware was compiled. Russian threat actors like APT28 work most commonly in the UTC+4 time zone. While compiling the data about the hack, several firms noted that the operating system used to develop the malware was set to Russian (Cyrillic) language settings during some of the development, but not all.

The firms also noted Russia’s association with the APT29 COZY BEAR malware, also called “SeaDaddy” or “SeaDuke,” because it had already been extensively tracked by several cyber security firms and tied to Russian intelligence. As with APT28, indicators embedded in the metadata pointed to Russia as the source of this malware. These included C2 server IPs reused from past operations known to be Russian. The operational timing of module compilation and the targets struck were beneficial only to Russian interests.
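As an added example, not from the book or from any of the firms named above, the following Python shows three of the attribution checks the preceding paragraphs describe: pulling IPv4 literals out of a binary blob the way an analyst runs strings over a sample to find a hard-coded C2 address, checking whether a set of compile timestamps clusters into a working day under a given UTC offset, and finding infrastructure shared between campaigns. The blob, the timestamps and the campaign indicator sets are constructed for illustration; the two IP addresses quoted in the text are used only as sample values, and the indicator sets are not a vetted threat-intelligence feed.

```python
"""Malware attribution helpers (added example, not code from the book or the
firms it cites). Everything below is illustrative: the "sample" blob, the
compile timestamps and the campaign indicator sets are constructed.
"""
import re
from datetime import datetime, timedelta
from itertools import combinations

# Dotted-quad candidates not glued to other digits; octet range checked below.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_ipv4(blob):
    """Return IPv4 literals embedded as ASCII in a binary, strings-style.

    A hard-coded C2 address (the X-Tunnel case above) is exactly the kind of
    artifact this surfaces. Version strings like 10.0.14393.0 fail the regex
    shape; out-of-range octets fail the check below.
    """
    found = set()
    for m in IPV4_RE.finditer(blob):
        if all(int(o) <= 255 for o in m.group().split(b".")):
            found.add(m.group().decode("ascii"))
    return found


def working_hours_fraction(times_utc, offset_hours, start=9, end=18):
    """Fraction of compile timestamps that fall on a weekday between
    start:00 and end:00 local time if the author's clock is UTC+offset."""
    hits = 0
    for t in times_utc:
        local = t + timedelta(hours=offset_hours)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(times_utc)


def best_utc_offset(times_utc, offsets=range(-12, 15)):
    """UTC offset under which the build times look most like a 9-to-6 job.

    One weak indicator among several: PE timestamps are trivially forged,
    so this only carries weight alongside infrastructure and language clues.
    """
    return max(offsets, key=lambda o: (working_hours_fraction(times_utc, o), -abs(o)))


def ioc_overlap(campaigns):
    """campaigns: {name: set of indicators}. Returns (a, b, shared) for
    every pair of campaigns sharing at least one indicator."""
    hits = []
    for a, b in combinations(sorted(campaigns), 2):
        shared = campaigns[a] & campaigns[b]
        if shared:
            hits.append((a, b, sorted(shared)))
    return hits


# --- constructed sample data -------------------------------------------------

# Fake binary fragment: a config blob with one hard-coded C2 address, a
# version string that must NOT be mistaken for an IP, and a bogus octet.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
               + b"tunnel_cfg=45.32.129.185:443\x00"
               + b"os=10.0.14393.0\x00" + b"decoy=999.1.1.1\x00"
               + b"fallback=176.31.112.10\x00")


def sample_compile_times():
    """Constructed PE compile timestamps in UTC, generated from a
    hypothetical author working 9-to-6 on a clock set to UTC+4."""
    monday = datetime(2016, 4, 18)
    local = [(0, 9, 5), (0, 11, 30), (1, 14, 10), (1, 17, 50),
             (2, 10, 0), (3, 13, 45), (3, 9, 5), (4, 16, 20)]
    return [monday + timedelta(days=d, hours=h - 4, minutes=m) for d, h, m in local]


def sample_campaigns():
    """Illustrative indicator sets built around the addresses quoted in the
    text; not a vetted threat-intelligence feed."""
    return {
        "bundestag_2015": {"176.31.112.10", "c2-a.invalid"},
        "dnc_2016": extract_ipv4(SAMPLE_BLOB) | {"misdepatrment.com"},
        "dccc_2016": {"176.31.112.10", "actblues.com"},
        "unrelated": {"203.0.113.77"},
    }


if __name__ == "__main__":
    print("embedded IPs:", sorted(extract_ipv4(SAMPLE_BLOB)))
    print("best-fitting UTC offset:", best_utc_offset(sample_compile_times()))
    for a, b, shared in ioc_overlap(sample_campaigns()):
        print("%s <-> %s share %s" % (a, b, shared))
```

The offset check deliberately prefers the smallest absolute offset on a tie, and the comment in best_utc_offset is the practical caveat: a compile timestamp is a field in the file header that the builder can set to anything, so it corroborates but never establishes attribution on its own.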

Another indicator of professional intelligence agency involvement was the way the intruders practiced OpSec, or operational security, the methodology operators use to evade detection and cover their tracks. CrowdStrike was impressed and called it “superb.” The firm noted that the intruders took a “live off the land” approach to evading security, relying on legitimate system tools and stolen credentials rather than noisy custom tooling wherever possible. In fact, just one year before the DNC hack was revealed, the firm had found COZY BEAR responsible for hacks of the White House, the State Department, and the U.S. Joint Chiefs of Staff.

“We have identified no collaboration between the two actors, or even an awareness of one by the other,” Dmitri Alperovitch wrote in a blog post. “Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials.”7 Alperovitch wrote that this is “not an uncommon scenario” in Russia, where the primary domestic and foreign intelligence agencies—the FSB and SVR, respectively—have a competitive and even adversarial relationship.

The hackers frequently cleared the logs that would reveal their activities or reset the timestamps on files so that it appeared they had never been opened or tampered with.8 However, additional breadcrumb trails led many cyber security firms and intelligence agencies to conclude that this was the work of the CYBER BEARS or one of their hired hacker hit squads.
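The anti-forensics described here leaves traces of its own. As an added example, not from the book, the following Python applies two standard checks to constructed records: comparing the user-modifiable $STANDARD_INFORMATION timestamps on an NTFS file with the kernel-maintained $FILE_NAME timestamps (a file “created” before the filesystem recorded its name is suspect, as is a timestamp with an exactly zero sub-second part, the signature of tools that set whole-second times), and scanning Windows event records for the “log cleared” events and record-number resets that a wiped log leaves behind. The records, paths and times are invented; the event IDs 1102 (Security log cleared) and 104 (System log cleared) are real Windows event IDs.

```python
"""Anti-forensics detection helpers (added example, not from the book).

Input records are constructed dictionaries standing in for parsed NTFS MFT
entries and Windows event-log records; no disk or EVTX parsing is done here.
"""
from datetime import datetime, timedelta

# Windows event IDs written when a log is cleared (Security: 1102, System: 104).
LOG_CLEARED_EVENT_IDS = {1102, 104}


def timestomp_indicators(entry):
    """Return the list of reasons an MFT-style entry looks timestomped.

    entry keys: path, si_created, si_modified ($STANDARD_INFORMATION, settable
    from user mode), fn_created ($FILE_NAME, written by the kernel on create).
    Heuristics, not proof: copies and FAT-sourced files can trip the
    sub-second check legitimately.
    """
    reasons = []
    if entry["si_created"] < entry["fn_created"]:
        reasons.append("si_created precedes fn_created")
    if entry["si_modified"] < entry["fn_created"]:
        reasons.append("si_modified precedes fn_created")
    if entry["si_created"].microsecond == 0 and entry["si_modified"].microsecond == 0:
        reasons.append("whole-second SI timestamps")
    return reasons


def find_timestomping(entries):
    """Map path -> reasons for every entry with at least one indicator."""
    hits = {}
    for e in entries:
        reasons = timestomp_indicators(e)
        if reasons:
            hits[e["path"]] = reasons
    return hits


def find_log_clearing(events):
    """Scan event records (dicts: record, event_id, time) in file order.

    Flags explicit 'log cleared' events and record-number resets, which is
    what a cleared-and-restarted log looks like even if the clear event
    itself was removed.
    """
    findings = []
    last_record = None
    for ev in events:
        if ev["event_id"] in LOG_CLEARED_EVENT_IDS:
            findings.append(("log_cleared_event", ev["record"], ev["time"]))
        if last_record is not None and ev["record"] <= last_record:
            findings.append(("record_number_reset", ev["record"], ev["time"]))
        last_record = ev["record"]
    return findings


# --- constructed sample data -------------------------------------------------

def sample_mft_entries():
    """Two invented MFT entries; the implant filename echoes the text only."""
    t0 = datetime(2016, 4, 18, 10, 15, 23, 412000)
    return [
        # Ordinary file: SI set after FN, natural sub-second noise.
        {"path": r"C:\Users\staff\notes.docx",
         "fn_created": t0, "si_created": t0,
         "si_modified": t0 + timedelta(days=2, microseconds=91000)},
        # Backdated implant: SI claims a 2014 creation, but the kernel
        # recorded the name in 2016, and both SI times are exactly on the second.
        {"path": r"C:\Windows\Temp\pagemgr.exe",
         "fn_created": t0 + timedelta(hours=3),
         "si_created": datetime(2014, 7, 1, 8, 0, 0),
         "si_modified": datetime(2014, 7, 1, 8, 0, 0)},
    ]


def sample_security_log():
    """Invented Security-log records: logons (4624), a clear (1102), a restart."""
    t = datetime(2016, 4, 20, 2, 0, 0)
    evts = [{"record": 5000 + i, "event_id": 4624, "time": t + timedelta(minutes=i)}
            for i in range(5)]
    # Log cleared at 02:05 ...
    evts.append({"record": 5005, "event_id": 1102, "time": t + timedelta(minutes=5)})
    # ... and the record counter starts over afterwards.
    evts.append({"record": 1, "event_id": 4624, "time": t + timedelta(minutes=6)})
    evts.append({"record": 2, "event_id": 4672, "time": t + timedelta(minutes=7)})
    return evts


if __name__ == "__main__":
    for path, why in find_timestomping(sample_mft_entries()).items():
        print(path, "->", "; ".join(why))
    for kind, rec, when in find_log_clearing(sample_security_log()):
        print(kind, rec, when)
```

The record-number check matters because an intruder who clears a log and then deletes the 1102 entry still cannot make the restarted counter continue from where it left off.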

Another critical piece of evidence was the use of a specific command-and-control server in the attack. It was traced back to the IP address 176.31.112.10, and that address had been seen before. The same IP came up during the investigation of the German Bundestag spear-phishing. That attack was believed to have been carried out by Russian intelligence.9

On May 18, 2016, Director of National Intelligence James R. Clapper Jr. spoke at the Bipartisan Policy Center in Washington and said there were “indications” of attempted cyberattacks on the 2016 presidential campaigns, without specifying the attempted intrusions or whether foreign or domestic hackers were suspected.10 Brian P. Hale, director of public affairs for the Office of the Director of National Intelligence, backed Clapper up, stating, “we’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations, from philosophical differences to espionage, and capabilities, from defacements to intrusions,” and, “we defer to FBI for specific incidents.”11

On June 15, 2016, a WordPress page appeared with links to the stolen DNC documents. It was posted by Guccifer 2.0 and came with a list of frequently asked questions.

“Hello! I received lots of questions from journalists and other people who are interested in my doings. Many thanks to all of you, it’s a pleasure for me!

Unfortunately, I couldn’t reply to each of you personally, especially given that you often asked the same questions. That’s why I decided to answer the most frequently asked questions here.

I divided them into three groups:

1. About me

2. About my activities and publications

3. About my political views

As you can guess, all special services are doing their best trying to locate and catch me. And I have absolutely no desire to help them. So, if your curiosity isn’t satisfied after reading this post, you may have my apologies. It’s a matter of life and death. But I can assure you that everything I do corresponds to my beliefs.

Let’s get it started!

1. A glimpse of me

Many people ask me where I’m from, where I live and other personal information.

You see, I can’t show you my IDs, it would be stupid of me.

I can only tell you that I was born in Eastern Europe. I won’t answer where I am now. In fact, it’s better for me to change my location as often as possible. I have to hide.

But generally, it’s not that important for where I live. I can work wherever there’s an Internet connection. So I feel free in any free country.

A lot of people are concerned if I have any links to special services and Russia?

I’ll tell you that everything I do I do at my own risk. This is my personal project and I’m proud of it. Yes, I risk my life. But I know it’s worth it. No one knew about me several weeks ago. Nowadays the whole world’s talking about me. It’s really cool!

How can I prove this is true? I really don’t know. It seems the guys from CrowdStrike and the DNC would say I’m a Russian bear even if I were a catholic nun in fact. At first I was annoyed and disappointed. But now I realize they have nothing else to say. There’s no other way to justify their incompetence and failure. It’s much easier for them to accuse powerful foreign special services.

They just fucked up! They can prove nothing! All I hear is blah-blah-blah, unfounded theories and somebody’s estimates.

Specialists from Eastern Europe, Russia, China, India work for the leading IT-companies such as Google, IBM, Microsoft, Apple. There’s no surprise that many hackers are descendants from these regions.”

Guccifer 2.0, who claimed to be a Romanian lone wolf, was clearly a cover identity for the CYBER BEARS. Lorenzo Franceschi-Bicchierai, a staff writer at VICE Motherboard who covers hacking and information security, writes, “[C]onsidering a long trail of breadcrumbs pointing back to Russia left by the hacker, as well as other circumstantial evidence, it appears more likely that Guccifer 2.0 is nothing but a disinformation or deception campaign by Russian state-sponsored hackers to cover up their own hack—and a hasty and sloppy one at that.”12

Franceschi-Bicchierai, who actually chatted with Guccifer 2.0, points to the blogger’s use of certain characters that are popular in Russia and to metadata indicating that the blogger might actually be Russian. He also points to other linguistic evidence, such as Guccifer 2.0’s seemingly poor Romanian and a broken English that was not consistent with a Romanian speaking English as a second language but did bear some resemblance to Russian-English syntax, as indicators that Guccifer 2.0 might not be who he claimed to be.13

Regardless of whether Guccifer 2.0 really did infiltrate the DNC systems or release the documents to WikiLeaks, CrowdStrike issued an update to its original post in response, reiterating its findings about the presence of the two Russian groups in DNC networks. “Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents’ authenticity and origin,” Alperovitch wrote. “Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.”14

Fomenting Civil War among Democrats

On July 22, 2016, a few days before the opening of the Democratic National Convention, WikiLeaks published 19,252 emails alleged to be from the DNC hack.15 Operation LUCKY-7 was now fully underway. The emails were not spectacular, mostly mundane discussions of the kind that happen between staff, including talk of their preferred candidate. However, as released by WikiLeaks they fueled the suspicions of the most hardcore Bernie Sanders supporters that the Democratic presidential nomination had been engineered and stolen.

Team Trump saw the opportunity and piled on with a series of tweets that tried to drive a wedge between the Clinton and Sanders camps. On July 23, Trump tweeted, “The WikiLeaks e-mail release today was so bad to Sanders that it will make it impossible for him to support her, unless he is a fraud!”16 Assange immediately replied to the Trump tweet and linked to the DNC cache so his followers could find it, with a cheery “everyone can see for themselves.”

The emails revealed that DNC chairperson Debbie Wasserman Schultz, whose role required her to remain neutral until the nomination process was complete, had strongly favored Hillary Clinton throughout the primary process. The DNC did not dispute the content of the emails themselves.

There was an email thread started on May 5, 2016, titled “No shit,” in which Brad Marshall, the CFO of the DNC, allegedly suggested having someone ask Sanders about his religious beliefs in order to portray him as an atheist. It read, “My Southern Baptist peeps would draw a big difference between a Jew and an atheist.”17 Follow-up emails suggest that Amy Dacey responded with “Amen.”

In other emails, senders made recommendations to diminish the Sanders campaign. An email from May 21, 2016, allegedly from committee communications official Mark Paustenbach, suggested criticizing the Sanders campaign as a “mess” that did not have its “act together” after it was discovered that the campaign had accessed voter data belonging to the Clinton campaign.18 He also stated, “It’s not a DNC conspiracy, it’s because they never had their act together,” in one email.19

In a particularly pointed email dated May 17, 2016, soon-to-be-former DNC Chairwoman Debbie Wasserman Schultz called Jeff Weaver, the Sanders campaign manager, “particularly scummy” and a “damn liar.”20 The Sanders campaign had spent many months calling for the resignation of the DNC chairwoman, and the emails gave it the chance.

The Response to the Hacks

The storm of outrage among Sanders’s supporters exploded on the opening day of the Democratic Convention. The revelation of the damaging emails had arrived just in time for the first news of the morning. It appeared that their release would cause a massive split and tear Sanders’s passionate voters away not only from Clinton but from the Democratic Party. To quell the danger, Chairwoman Debbie Wasserman Schultz announced her resignation. Senator Sanders had been preparing to endorse Clinton, and his supporters were begging him to walk out of the convention and run as a third-party candidate. Such an event would split the ticket and catapult a flailing Trump directly into the White House. In the end, common sense prevailed and Clinton did receive Sanders’s endorsement, but he seemed very cold during the convention. Pro-Bernie delegates often interrupted the speeches of prominent Democratic speakers by chanting his name, including House Democratic Whip Steny Hoyer, former Secretary of Defense and CIA Director Leon Panetta, Representative Elijah Cummings, Senator Al Franken, comedian Sarah Silverman, and even their own economic heroine, Senator Elizabeth Warren.

The outrage in the convention hall was so hot that committee CEO Amy Dacey, Communications Director Luis Miranda, CFO Brad Marshall, and other supporting staffers also left their posts at the DNC in an effort to stem the split.21 Some Sanders delegates staged a walk-out and went directly to the press tent to complain about how the system was rigged, exactly as Donald Trump kept saying. Outside the venue, in nearby Roosevelt Park, more than a thousand Sanders supporters took to the scalding streets of Philadelphia to vent their frustration. Many Sanders supporters shouted against Mrs. Clinton with the same taunting chant heard at the previous week’s Republican convention: “Lock her up!” Other protesters gathered outside the downtown Ritz-Carlton, where many major donors to Mrs. Clinton’s campaign were staying, and attacked her use of a “super PAC” and her reliance on big fundraising events.22 Some claimed that they were actually planning to vote for Trump. Initial reactions were much less focused on the hack itself than on reiterating the Republican nominee’s claim that the Democratic primaries and the resulting nomination process were illegitimate.

Julian Assange said that WikiLeaks had deliberately timed the release to coincide with the start of the convention. “That’s when we knew there would be maximum interest by readers, but also, we have a responsibility to,” Assange told CNN’s Anderson Cooper. “If we published after, you can just imagine how outraged the Democratic voting population would have been. It had to have been before.”23 Assange-friendly media joined the disinformation campaign against Clinton too. News articles abounded, such as the Guardian’s headline “WikiLeaks Proves Primary Was Rigged: DNC Undermined Democracy.”24

Around the same time, Assange, with the help of Russia Today, also brought another conspiracy theory to prominence when he suggested that a DNC staffer murdered in July might have been an informant killed for leaking information to WikiLeaks. “Whistleblowers often take very significant efforts to bring us material and often at very significant risks,” Assange said in an interview on a Dutch television program, discovered by BuzzFeed’s Andrew Kaczynski. “There’s a 27-year-old who works for the DNC and who was shot in the back, murdered, just a few weeks ago, for unknown reasons as he was walking down the streets in Washington.”25 When asked if he was suggesting that the staffer, Seth Rich, might be a WikiLeaks source, Assange replied that WikiLeaks does not comment on its sources. WikiLeaks then announced on Twitter that it was offering a $20,000 reward “for information leading to conviction for the murder of DNC staffer Seth Rich.” Jeremy Stahl, a senior editor at Slate, wrote, “Julian Assange and his WikiLeaks organization appear to be actively encouraging a conspiracy theory that a Democratic National Committee staffer was murdered for nefarious political purposes, perhaps by Hillary Clinton.”26 He noted, however, that there was “zero evidence” to support these conspiracy theories, and that the fact-checking website Snopes had debunked many of them.27

Despite Assange straying off the deep end of conspiracy theory, the most significant aspect of the WikiLeaks dump was a surprise that the CYBER BEARS had given the stir-crazy Assange and his gullible supporters: the Russians had infected the downloadable package of DNC emails with a wide variety of malware. Tens of thousands of people who downloaded the emails from WikiLeaks’ Global Intelligence Files would find their computers filled with malware, opening their lives to exploitation by the CYBER BEARS. It was quickly noticed, and warnings went out across the cyber security community to beware of malware embedded in emails from WikiLeaks.28

Fomenting a crisis between the two competing candidates of the Democratic Party was the objective, and it looked like it could succeed, if not for Donald Trump himself. During the convention the family of U.S. Army Captain Humayun Khan, a soldier killed in Iraq by a suicide bomber, came to the stage to give a speech. The Khans were Gold Star parents, parents who have lost a child in war. His father, Khizr Khan, gave a stirring patriotic speech challenging Trump’s understanding of sacrifice and of the U.S. Constitution. Captain Khan’s mother, Ghazala, stood next to her husband, devastated in grief beneath a 20-foot-high photo of her son. She was struck speechless. Trump could not resist the opportunity to insult the family, and in an instant the fury over the DNC leaks essentially ended in a plume of Trump-initiated radioactivity.29

Though the protests slowly calmed down or were suppressed and the persistent interruption of speakers ceased, tensions remained throughout the entire week of the convention. While the Republican Party spent the election season plagued by internal factions, the hacked emails were enough to make internal disputes within the Democratic Party the focus of the political media. During President Obama’s address to the convention, a shout-out to Senator Sanders was met with the televised image of a prickly-looking Sanders.

Ignoring the implication that Russia might be trying to influence the outcome of the election by taking attention off Trump and discrediting Clinton, Sanders supporters expressed outrage that Democratic Party bigwigs had picked a candidate before primary voters had. The doubts about Clinton, amplified by the release of the stolen emails, raised questions about her own campaign’s conduct during the primaries. Though the tensions waned and the Democratic Party did not suffer a split, a secondary desired effect was achieved: many Sanders supporters now had a hard time supporting Clinton.

For the CYBER BEAR hackers this effect was well on track with what the operation had been intended to produce, though a Democratic Party split would have been optimal.

To paraphrase J.K. Rowling’s Harry Potter, the mischief had been managed, but the attack was not yet finished. The CYBER BEARS were going to waltz systematically through the remaining arms of the Democratic Party’s machine and steal, reveal, discredit, and attack anyone who stood against Donald Trump and, by extension, Russia.

Team Trump Tips its Hand?

The first two days of the Democratic National Convention in Philadelphia had been chaotic. The Clinton and Sanders forces were engaged in tit-for-tat taunts and accusations of divisiveness. If the hacks were designed to damage the convention, they were performing as designed. The entire Kompromat pipeline, from surveillance, planning, and hacking to establishing a legend in Guccifer 2.0 and gaining international credibility by channeling the release through WikiLeaks, was proceeding within planning parameters and with only minor hitches. Even the international media was buying into the belief that how the information had been acquired was unimportant and only its content mattered. So long as the CYBER BEARS could sow doubt about their participation, there was little chance of repercussions. Julian Assange hinted at future releases through the Guccifer 2.0 legend and the ever-compliant WikiLeaks. There also remained perfect opportunities to prepare and introduce black propaganda: false documents taken from a clean source and modified ever so slightly to make them malicious. The science and technology specialists of Russia’s foreign intelligence service, the SVR, could easily fabricate such documents if the mission required letters, money, deeds, titles, or any other falsely incriminating evidence. Working with the SVR’s political warfare specialists, the cyber warriors of the FSB could also seamlessly change a word or two in an email without a trace and reintroduce it into a flood of legitimate documents. But then that plan was suddenly spoiled.

At a press conference, when asked about the subject of hacking, Trump brought up the private Hillary Clinton emails deleted from her server. Trump blurted out, “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing… I think you will probably be rewarded mightily by our press.”30 Almost immediately a media storm shook the campaign, and people wondered aloud whether Trump was actually in league with the Kremlin. It made some wonder whether the comments made by Fox News’s Andrew Napolitano in May, stating that the Kremlin was engaged in an internal argument about whether to release Clinton’s hacked emails, were tied to Trump’s call to release them. Did Team Trump have advance knowledge of what the Kremlin was doing?

In another strange twist, Trump ally Roger Stone would later claim to be in direct communication with WikiLeaks founder Julian Assange. “I actually have communicated with Assange,” Stone said. “I believe the next tranche of his documents pertain to the Clinton Foundation but there’s no telling what the October surprise may be.”31 While Stone had no official role in the Trump campaign, Roll Call wrote that he “might have inadvertently linked the Donald Trump campaign with the WikiLeaks founder Julian Assange.”32

The Kremlin certainly could no longer express shock and surprise now that it had been publicly asked to do what it had been doing since 2015. All that could be done for LUCKY-7 was to keep up the flow of email releases in the hope that Trump did not damage or discredit the hacks any further.

American presidential elections are high-stakes events. Russia would not be the first foreign power, friendly or hostile, to pursue its preferred outcome. Nor would Mr. Trump be the first politician to leverage foreign actors for electoral benefit. But this was the first time that a presidential candidate had openly asked a foreign power to meddle in the democratic process to his benefit. More than that, Mr. Trump seemed to be suggesting that Russia should violate United States espionage laws on his behalf.33 To members of the U.S. intelligence community, the indications that nefarious practitioners were playing the most dangerous of games were now confirmed. The first question that popped into the minds of many practitioners was, “What does Trump know that we do not?” The implication would naturally lead counterintelligence and cyber warfare operatives to ask themselves whether there was a link between Trump or his supporters and the Russians behind the DNC hacks.

The DCCC and ActBlue Hacks

The day after Trump begged Russia to hack America, the CYBER BEARS obliged. On July 28, the Democratic Congressional Campaign Committee announced that it had been attacked by the CYBER BEARS. The DCCC is focused on raising funds for Democratic congressional campaigns and managing the finances of campaign donations. This hack used typosquatting, building a fake website identical to the DCCC’s donation page, at which staff and donor sign-in information was stolen. It used spear-phishing techniques to gain entry and was focused on an effort to gain general information from the DCCC. The CYBER BEARS managed to steal far more personal data about the donors and supporters of the party from the DCCC than from the DNC, including credit card numbers, personal information, and addresses.34 Since the effort placed so much emphasis on donors, the mission was most likely intended to create doubts about the security of the Democratic Party’s handling of financial information and to reduce donations.

Reuters announced the attack just before the DNC’s grand evening, the Hillary Clinton Acceptance speech in Philadelphia. On the eve of Clinton’s speech, the DCCC’s spokeswoman said in a statement, “The DCCC takes this matter very seriously. With the assistance of leading experts, we have taken and are continuing to take steps to enhance the security of our network in the face of these recent events. We are cooperating with the federal law enforcement with respect to their ongoing investigation.”35

ActBlue.com is the official fundraising site that donors thought they were going to when they instead wound up at ActBlues.com, a fake watering hole site complete with a malware package ready to steal data.36 ActBlues.com was being hosted on a machine with a Netherlands IP address. The site had been registered to a Gmail account, fisterboks@gmail.com, which had registered three other sites used as German cover for Russian spear-phishing campaigns. Cyber security companies ThreatConnect and Fidelis concluded that the Gmail account was tied to domains associated with the DNC hack, in particular “misdepatrment.com.” That domain was registered to frank_merdeux@europe.com and was used as the C2 server in the DNC attack.37 The CYBER BEARS had struck again.
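A defender's counterpart to the ActBlues.com trick: the check below, added here as an illustrative example (not code from the book, ActBlue, or the DCCC), generates the single-edit lookalikes of a legitimate domain and flags any observed hostnames that fall into that set. The hostnames in SAMPLE_HOSTS are constructed, apart from ActBlues.com, which the text names.

```python
"""Lookalike-domain check (added example; not from the book or any party named in it).
Generates typosquat variants of a legitimate domain (extra, dropped, swapped or replaced
character) and reports which observed hostnames match one of them."""
import string


def typosquat_variants(domain: str) -> set[str]:
    """Return every single-edit variant of the registrable label of `domain`."""
    label, _, tld = domain.lower().rpartition(".")
    alphabet = string.ascii_lowercase + string.digits + "-"
    variants: set[str] = set()
    for i in range(len(label) + 1):
        for ch in alphabet:                      # insertion: actblue -> actblues
            variants.add(label[:i] + ch + label[i:])
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])  # omission: actblue -> actlue
        for ch in alphabet:                      # substitution: actblue -> actb1ue
            variants.add(label[:i] + ch + label[i + 1:])
        if i + 1 < len(label):                   # transposition: actblue -> atcblue
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)                      # the real name is not a lookalike
    return {v + "." + tld for v in variants if v and not v.startswith("-")}


def find_lookalikes(legit_domain: str, observed: list[str]) -> list[str]:
    """Return observed hostnames whose registrable domain is a typosquat of legit_domain."""
    variants = typosquat_variants(legit_domain)
    hits = []
    for host in observed:
        host = host.lower().rstrip(".")
        parts = host.split(".")
        registrable = ".".join(parts[-2:]) if len(parts) >= 2 else host
        if registrable in variants:
            hits.append(host)
    return hits


# Constructed sample of hostnames as they might appear in proxy or DNS logs.
SAMPLE_HOSTS = ["secure.actblue.com", "ActBlues.com", "actb1ue.com", "dnc.org", "example.net"]

if __name__ == "__main__":
    print(find_lookalikes("actblue.com", SAMPLE_HOSTS))  # ['actblues.com', 'actb1ue.com']
```

The same generator shows how the DNC-hack domain misdepatrment.com relates to the name it imitates: it is one adjacent-character transposition away.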

The administrators of the official ActBlue.com site stated they were never hacked and that no information on donors in their systems was compromised.38

The DCCC did not officially disclose what data had been stolen. However, shortly after the leak was announced the account associated with “Guccifer 2.0” claimed responsibility. On August 12, 2016 they published a trove of internal emails, memos and other data. In particular, there was a memo from Troy Perry, a DCCC employee who advised others on how to handle activists in the Black Lives Matters campaign. He suggested to “listen to their concern but do not offer support for concrete policy decisions.”

As a result of publishing the DCCC information, Twitter suspended the Guccifer 2.0 account.39 WordPress too took action… in a way. They stepped in and scrubbed the website of posts related to the DCCC hack and sent a reminder to Guccifer 2.0 of its Terms of Service related to publishing private information. The laughter in the LUCKY-7 Information Warfare Management Cell (IWMC) must have been raucous when the sternly-worded letter about monkey-wrenching an entire American election was read aloud.

Clinton Campaign Hack

Trump’s wish for Russia to get more data continued apace. On July 29, 2016, Clinton campaign spokesman Nick Merrill said, “Our campaign computer system has been under review by outside cyber security experts. To date, they have found no evidence that our internal systems have been compromised.”40 This was political lingo to say the campaign had been visited by the CYBER BEARS but they hadn’t found the actual hack yet.

In fact the CYBER BEARS did attack the Clinton servers, but their access was limited. The attackers managed to access a server used for the campaign’s analytics program that stores voter analysis. There is no other sensitive data on those machines and the campaign said the internal computer systems had not been compromised. Still, the Russians now knew more about how the Clinton campaign analyzed voter data. Nothing is ever too obscure for cyber theft.

The techniques the CYBER BEARS used to attack were the same as in the other hacks. An email was sent to 108 Hillary for America email addresses, containing a short link pointing to a fake Google sign-in page. The target enters their Gmail address and password and then—poof!—it belongs to Mother Russia.

SecureWorks determined 213 links were sent. Because SecureWorks could only find just over half of the 108 Gmail accounts, they determined the hackers got the emails from another source.41 The emails were aimed at specific figures that held rank in the campaign. Out of the 213 links generated by the hackers, 20 had been clicked at least once. Eight people clicked the links at least twice; two of those clicked them four times. In addition, 26 personal accounts for Clinton campaign staffers were targeted in 150 short links specifically created to target this group.

The DNC uses dnc.org as its mail server for staff email. SecureWorks reported that sixteen short links were sent to nine specific accounts at the DNC. At least three senior Clinton staff members clicked on these short links. SecureWorks did not link these emails specifically to the DNC hack, but did affirm the same spear-phishing technique was used.42 In its brief on the HillaryClinton.com hack, SecureWorks refers to “TG-4127” and designated it as APT28 COZY BEAR.

Now that their tears of laughter had dried from the stern warning from WordPress, the CYBER BEARS paid no heed and started to issue more stolen DNC documents, including “DCCC internal docs on primaries in Florida.” However, a telling clue in the releases started to reveal itself. While Guccifer 2.0 released some documents randomly in order to incite Sanders die-hards, others followed a certain parameter, indicating that the Russian IWMC was paying close attention to what the Trump campaign said and then releasing documents to support Trump’s statements. The most telling was the week-long storm the Trump campaign made by claiming that if he didn’t win in Pennsylvania, then the election was stolen. Speaking in Altoona on August 12, he said, “We’re going to watch Pennsylvania. Go down to certain areas and watch and study and make sure other people don’t come in and vote five times. If you do that, we’re not going to lose. The only way we can lose, in my opinion—I really mean this, Pennsylvania—is if cheating goes on.” Little more than a week later, Guccifer 2.0 posted “DCCC Docs Pennsylvania.” They would soon be followed by leaks of DNC material from virtually all of the swing states of Florida, Ohio, New Hampshire, Illinois and North Carolina, just when Trump needed a boost in the polls.

More evidence of synchronicity was found on the same day that Trump visited Mexico and then lit a barn burner of a speech on immigration. That night Guccifer 2.0 released the documents “DCCC docs from [Nancy] Pelosi’s PC” with discussions on immigration, Black Lives Matters, and other items.43

The New York Times had set a new editorial policy stipulating that anything Trump said needed fact checking. Editorial writer Charles Blow wrote an article suggesting that if you support Trump, you support racism.44 Sure enough, within days the CYBER BEARS hacked the New York Times in what appears to be an attempt to gain information to discredit Blow and others. What it did was reveal that anyone who publicly goes against Trump is subject to attack.

The Intelligence Professionals Weigh In

As the public has come to learn about more cyberattacks, numerous intelligence officials, government figures, and cyber security experts alike have weighed in on the possibility of Russian interference in the 2016 election cycle. They overwhelmingly agreed that though more evidence is needed, the CYBER BEARS’ paw prints are all over the hacks.

Reuters reported that the U.S. Department of Justice national security division was investigating the attacks as threats on U.S. national security. The FBI also said it was investigating the case and it was “aware of media reporting on cyber intrusions involving multiple political entities, and is working to determine the accuracy, nature and scope of these matters.”45

While speaking at the Aspen Security Forum about the Clinton Campaign hacks, C.I.A. director John O. Brennan didn’t point any fingers to Russia, but said, “obviously, interference in the U.S. election process is a very, very serious matter, and I think certainly this government would treat it with great seriousness.”46

The U.S. government has not yet officially named any culprits, but the general consensus is that Russia is behind the hacks. “The consensus that Russia hacked the DNC is at this point very strong, albeit not unanimous,” said cybersecurity consultant Matt Tait. “The consensus that Russia hacked the DNC in support of Trump is, by contrast, plausible, but something for which the jury at this stage is very much still out.”47

President Obama also said “anything’s possible” to NBC, since Russian hackers “on a regular basis, they try to influence elections in Europe.”48

Yahoo! News reported August 15 that state polling systems had been hacked by foreign agencies. The FBI sent out an internal “flash” alert from the FBI’s Cyber division saying that state polling systems had potentially been hacked by Russian state-sponsored hackers, aimed at disrupting the November elections. Homeland Security Secretary Jeh Johnson held a conference call with state elected officials to offer his department’s services. Johnson said there were no “specific or credible cybersecurity threats” to the election, but three days later, the FBI released a memo titled “Targeting Activity Against State Board of Election Systems.” It revealed that the bureau is investigating attacks on two state election websites this summer that resulted in the theft of voter registration data.49

The memo didn’t directly name any particular states, but Yahoo! News sources claim Arizona and Illinois were affected. In Illinois, officials were forced to shut down the state’s voter registration system for ten days in late July, after hackers downloaded personal data on at least 200,000 state voters, according to Ken Menzel, the general counsel of the Illinois Board of Elections. The Arizona attack wasn’t as serious; the virus injected into the voter registration system wasn’t successful in stealing data.

“The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected,” the alert said. “Attempts should not be made to touch or ping the IP addresses directly.”

“This is a big deal,” said Rich Barger, chief intelligence officer for ThreatConnect, a cybersecurity firm, on the FBI alert. “Two state election boards have been popped, and data has been taken. This certainly should be concerning to the common American voter.” Barger said one of the IP addresses listed in the FBI alert has surfaced before in Russian criminal underground hacker forums. He also compared the hacking methods to that of cyberattacks on the World Anti-Doping agency. The FBI told Yahoo! News that it intended “to help systems administrators guard against the actions of persistent cyber criminals.” Menzel, the Illinois election official, said the FBI was investigating a “possible link” to the other hacks. They drew no conclusions in the run-up to the election about the intent of the hack; some say it could just be common cyber criminals looking to steal data for fraud. However, the IPs of where the hackers registered their domains came from a shady company called IT Itch. It registers sites anonymously and is paid in Bitcoins, the currency of the internet underworld. This same company registered the COZY BEAR and FANCY BEAR spear-phishing websites as well.50
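The FBI alert asked the state boards to check their own logs, inbound and outbound, for the listed addresses rather than probe them. The sweep below is an added example of that kind of read-only indicator check (not the FBI's or any state's tooling, which the book does not describe); the indicator IPs and log lines are constructed placeholders, since the alert's actual addresses are not reproduced here.

```python
"""Read-only indicator sweep over firewall logs (added example; not FBI tooling).
Matches each log line's source and destination against a set of indicator IPs and
records the direction, because an outbound hit means an inside host reached out."""
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators standing in for the IPs an alert would list (constructed, RFC 5737 ranges).
INDICATORS = {"192.0.2.44", "198.51.100.7"}

# Constructed log lines in a simple firewall format: timestamp action src -> dst[:port].
SAMPLE_LOG = """\
2016-07-12T03:14:07Z ALLOW 10.20.0.5 -> 192.0.2.44:443
2016-07-12T03:14:09Z ALLOW 203.0.113.9 -> 10.20.0.7:80
2016-07-12T03:15:30Z DENY 198.51.100.7 -> 10.20.0.7:22
2016-07-12T03:16:01Z ALLOW 10.20.0.5 -> 93.184.216.34:443
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) -> (\S+?)(?::\d+)?$")


def sweep(log_text: str, indicators: set[str]) -> dict[str, list[tuple[str, str]]]:
    """Return {indicator_ip: [(timestamp, direction), ...]} for every line touching an indicator.

    'inbound'  = the indicator was the source (it contacted us).
    'outbound' = the indicator was the destination (a host of ours contacted it).
    The function only reads the log; it never connects to or pings an indicator."""
    for ip in indicators:
        ipaddress.ip_address(ip)  # fail fast on a malformed indicator instead of silently missing it
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ts, _action, src, dst = m.groups()
        if src in indicators:
            hits[src].append((ts, "inbound"))
        if dst in indicators:
            hits[dst].append((ts, "outbound"))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in sweep(SAMPLE_LOG, INDICATORS).items():
        print(ip, events)
```

Note that the DENY line still counts as a hit: a blocked connection from an indicator is evidence of targeting even though nothing got through.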

Even President Barack Obama weighed in on the possibility that Russia was behind the leak. The Associated Press wrote:

Asked whether Moscow was trying to influence the presidential election, Obama said, “Anything’s possible.” Obama, who traditionally avoids commenting on active FBI investigations, broke with that protocol and noted that outside experts have blamed Russia for the leak. He leaned heavily into the notion that President Vladimir Putin may have reason to facilitate the attack. “What the motives were in terms of the leaks, all that—I can’t say directly,” Obama told NBC News. “What I do know is that Donald Trump has repeatedly expressed admiration for Vladimir Putin.”51

Overall, the CYBER BEARS, working in the guise of Guccifer 2.0, publicly gave Trump and Clinton detractors illegally-obtained opposition research, without it being connected directly to Trump. As former FBI agent and security specialist Ali Soufan noted on Twitter, “The nature of breaches appears to be changing from covert info collection to the overt and weaponized use of that info.”52

I Know Noth-Think!

On September 1, 2016 in a moment of rare candor and perhaps a bit of mischief, Vladimir Putin spoke about the nature and responsibility of the hacks against the United States: “But I want to tell you again, I don’t know anything about it, and on a state level Russia has never done this.” Putin then added, with a completely straight face, “Listen, does it even matter who hacked this data?… The important thing is the content that was given to the public.”
