The DNC "Hack," Part 1: Background and Discovery

In 2016, the chair of the DNC was Florida Congresswoman Debbie Wasserman-Schultz.  She had suffered criticism from the Sanders camp over the debates: the times chosen were unpopular and less likely to be watched.  The ratings suggest she succeeded in this area.  The first debate garnered 15.8 million viewers and it was downhill from there.  Although there were eventually nine debates, the last one drew only 5.6 million viewers.  Conversely, on the Republican side there were 12 debates that drew 24 million viewers.  The last debate, when Trump was in effect already the winner, drew 11.9 million viewers, compared to the 5.6 million on the Democratic side when the nomination was still very much undecided.  Wasserman-Schultz’s strategy of limiting Sanders’ exposure to potential Democratic primary voters succeeded.

She also, at one point, cut off the Sanders campaign’s access to the DNC’s vital registered-voter database.  Had the decision stayed in place, this would normally kill a campaign.  The DNC’s finance chief was caught scheduling a campaign fundraising event for Clinton, which is against the bylaws, since the DNC is supposed to be impartial.

Donna Brazile later replaced Schultz and wrote after the election that she discovered the Clinton campaign had taken over the DNC’s fundraising apparatus and day-to-day operations as early as August 2015.  This was done under an agreement that the Clinton campaign would assume the massive debt incurred by the DNC after Obama’s 2012 reelection effort.  

Sometime in the summer of 2015, Dutch intelligence notified US authorities of an intrusion into the DNC’s computer systems by a cyber outfit known as Cozy Bear.  Cozy Bear was already known to hackers and intelligence services and had previously been called The Dukes or APT29.

The Bears (Cozy and Fancy) have three things in common.  First, they are expensive digital tools, suggesting state sponsorship.  Second, they pursue sensitive, embarrassing and strategic information and are not used for financial gain.  Finally, their goals seem to align with Russia’s geopolitical goals.  They had been used in disinformation campaigns in the Caucasus, especially Georgia.

The key behind Bear attacks is how adroitly they disguise their malware.  Since at least 2007, the tools of their trade have been updated more frequently than most software applications.  Fancy Bear is more specific in its targeting, suggesting some kind of surveillance or reconnaissance of a target.  Fancy Bear finds unsuspecting users by sifting through available social media and other online data such as LinkedIn and by carefully cataloging data stolen in previous hacks.

Fancy Bear also favors infected files in which it hides the virus known as SourFace, which creeps onto a target computer and downloads malware that allows the computer to be controlled remotely.  In short, Fancy Bear benefits most from digital ignorance about cybersecurity.  As some experts have noted, why engage in targeted spear phishing or other pricey techniques when people still open email attachments?

Once either group acquires the credentials it needs for its operation, it uses flaws in popular software to secretly send data back to its own network without anyone’s knowledge.  These flaws are known as zero-day exploits, and they are a must-have tool in any hacker’s box since they are hard for administrators to defend against.  But zero-day exploits are not for novice hackers.  They are notoriously expensive on the black market and difficult to design and to keep stable.  If used effectively, they can steal large sums of money or intellectual property (think China).

The Bears do not behave that way.  They exfiltrate sensitive data by camping out on a computer network for a long period of time.  Generally, they gather information that would only appeal to a government.  In 2013, MiniDuke malware was traced to Cozy Bear activity in Belgium, Luxembourg, and Hungary.

According to Dutch intelligence, Cozy Bear attempted to break into the DNC computers sometime in the summer of 2015.  Fancy Bear managed to hack into the DNC’s system in April 2016.  Fancy Bear is associated with the Russian military intelligence agency, the GRU.

We know that in September 2015 a special agent with the FBI (Hawkins) contacted Yared Tamene about the attempted hack.  Tamene is not a full-time employee of the DNC but works for a Chicago company called The MIS Department, which the DNC contracted to run its computer systems.  Tamene was left out in the cold, not only to determine the accuracy of the call but even whether Hawkins was a legitimate FBI agent.  Email contact was out of the question lest the FBI inadvertently tip off Cozy Bear that they were onto them.  Hawkins never showed up in person and had advised Tamene to look for a particular malware called “Dukes.”  Tamene scanned the system and found nothing.

Hawkins continued to leave several voice messages in the fall of 2015, which went unanswered because, as Tamene later explained, he found nothing wrong and nothing to report.  In November 2015, Hawkins allegedly notified the DNC, through Tamene, that the DNC server was “calling home” to Moscow.  The following month, Victoria Nuland at the State Department was briefed about the hacking operation and concluded that it had all the earmarks of a state-sponsored operation, most likely Russia’s.

According to the official narrative, sometime in April Fancy Bear managed to install X-Agent malware on the DNC server and on the DCCC’s.  By April 18th, the GRU had successfully hacked into the DNC servers and four days later began exfiltrating gigabytes of data from them.

On April 30, 2016, the DNC became aware that their system had been hacked and that information had been stolen.  They hired CrowdStrike, and this is where the story starts to get interesting.  The CEO of CrowdStrike is Shawn Henry.  In 2008, Henry had been elevated to head of the FBI’s cyber division, then head of the DC field office, where he remained until 2012, when he left the FBI to take up his current job.  Henry was promoted by FBI director Robert Mueller.

Upon hearing of the breach, Michael Sussmann, a lawyer for the DNC, hired CrowdStrike and personally contacted Henry.  The discovery created such alarm that CrowdStrike founder Dmitri Alperovitch was contacted.  They then installed Falcon software on the DNC servers, and within minutes it lit up, indicating a data breach.  On May 13, event logs were erased from the servers, making it difficult to trace whoever had hacked into the system.  Two days later, based on CrowdStrike’s findings, the DNC notified the FBI of the intrusion.  The FBI opened an investigation and asked to examine the servers directly, but the DNC refused.  The DNC further told the FBI, again based on CrowdStrike, that the intruders were likely Russian.

It is known that despite CrowdStrike’s efforts, the intruders remained on the server until sometime in October 2016.  In June 2016, CrowdStrike confiscated the laptops of all DNC workers and replaced the infected software.  Then on June 14, 2016, the Washington Post reported that the DNC computers had been breached.

With the story now in the public domain, CrowdStrike and the DNC pressured the FBI to announce that the breach was perpetrated by the Russians.  The DNC had a public relations nightmare on their hands as they headed to their national convention on July 25th in Philadelphia.

The narrative was that the perpetrators were Russian.  CrowdStrike based this conclusion on the fact that the attacks mirrored previous cyberattacks by Cozy and Fancy Bear that it had observed.  It said the malware code was allegedly written on Russian servers and that the activity occurred between 8:00 a.m. and 8:00 p.m. Moscow time, indicating a state operative and not someone burning the midnight hacking oil.
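The working-hours heuristic described above, as an added example that is not part of the original post: constructed UTC activity timestamps are converted to Moscow time and the share that falls in a weekday 08:00 to 20:00 window is computed, and a second function shows which UTC offset fits that pattern best. The timestamps, the window, and the function names are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of observed attacker activity
# (e.g. malware build times or beacon check-ins). Made-up values for illustration.
SAMPLE_EVENTS_UTC = [
    "2016-04-22T05:10:00Z", "2016-04-22T06:45:00Z", "2016-04-25T09:30:00Z",
    "2016-04-26T13:05:00Z", "2016-04-27T16:40:00Z", "2016-04-28T05:05:00Z",
    "2016-04-29T11:20:00Z", "2016-05-02T07:15:00Z", "2016-05-03T14:50:00Z",
    "2016-05-04T23:30:00Z",  # one event outside any plausible working window
]

MOSCOW = timezone(timedelta(hours=3))  # Moscow has been fixed at UTC+3 since 2014


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_fraction(events_utc, tz, start_hour=8, end_hour=20):
    """Fraction of events that fall on a weekday within [start_hour, end_hour)
    once converted to the local time of tz."""
    local = [parse_utc(e).astimezone(tz) for e in events_utc]
    in_window = sum(
        1 for t in local if t.weekday() < 5 and start_hour <= t.hour < end_hour
    )
    return in_window / len(local)


def best_fitting_offset(events_utc, start_hour=8, end_hour=20):
    """Return (utc_offset_hours, fraction) for the whole-hour offset whose
    working-hours window captures the most events. This is a weak, forgeable
    signal: timestamps can be staged, so it supports rather than proves attribution."""
    best = None
    for hours in range(-12, 15):
        frac = working_hours_fraction(
            events_utc, timezone(timedelta(hours=hours)), start_hour, end_hour
        )
        if best is None or frac > best[1]:
            best = (hours, frac)
    return best


if __name__ == "__main__":
    print("Moscow working-hours share:", working_hours_fraction(SAMPLE_EVENTS_UTC, MOSCOW))
    print("Best-fitting UTC offset:", best_fitting_offset(SAMPLE_EVENTS_UTC))
```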

It is possible that the FBI, now with Comey at the helm, deferred to Henry at CrowdStrike given the FBI’s familiarity with one of their own.  Why the FBI never persisted in examining the DNC servers with its own forensic experts was never fully explained.  In recently unsealed confidential Congressional testimony, Henry and others from CrowdStrike stated under oath that they could not definitively prove that Russia or Russian actors were behind the computer breach and had instead relied on circumstantial evidence based on their previous experience with Cozy and Fancy Bear cyberattacks.

This makes the whole situation even murkier given the entrance of Guccifer 2.0.  It was on July 14, 2016 that he sent encrypted files to WikiLeaks with instructions on how to access them.  Four days later, he sent numerous documents and files to The Hill describing the political strategies of both major parties and a list of banks that had received bailouts and later contributed to politicians in both parties.  This would indicate that Guccifer 2.0 had gained access not only to the DNC files but also to those of the GOP.

He then set up a WordPress blog and released about 200 pages of documents, including DNC opposition research on Donald Trump.  There was certainly nothing earth-shattering or jaw-dropping, just a rehash of Trump’s remarks, actions and political positions.  Then, three days before the convention in Philadelphia, WikiLeaks began to release batches of the pilfered documents.  Guccifer 2.0 claimed that the documents included 100 GB of financial reports, donor information, and political strategies to be used against Republicans.

Next:  More on CrowdStrike