Yeah, the Russians Probably Did Penetrate the DNC

Since the election, we frequently hear the charge that the Russians were behind the hack of the Democratic National Committee’s poorly-secured mail systems, and that they did it in order to influence the election. This is what has led the outgoing president to expel some three dozen Russian diplomats, some of whom are most certainly intelligence officers, and some of whom are probably just diplomats. It is interesting to note that he did not react to anything Russian intelligence has done for the last eight years, until it became entangled with the fortunes of his own political party. Iranians murder Americans, he did nothing; Russia invades neighbors, he does nothing; Saudi Arabia sponsors terrorism, he does nothing; China expands its borders onto Vietnamese or Filipino territory, he does nothing; Syria gasses civilians, he does nothing. Only The Party is worth defending.

Customarily, an expulsion of diplomats (often when an intelligence net is rolled up) is followed pro forma by the tit-for-tat expulsion of their opposite numbers by the competitor nation. By not doing this, Vladimir Vladimirovich Putin has expressed his and his nation’s contempt for Obama and his supine administration.

“The Russian diplomats returning home will spend the New Year holidays with their relatives and dear ones,” Putin said in a statement published on the Kremlin website. “We will not create problems for U.S. diplomats. We will not expel anybody.”

“Moreover, I am inviting all children of U.S. diplomats accredited in Russia to the New Year and Christmas parties at the Kremlin,” he said.

Troll level: Tsar. It gets even better, though:

Maria Zakharova, a Russian foreign ministry spokeswoman, took to Facebook to call the Obama administration “a group of foreign policy losers, angry and ignorant.”

“My country, may it always be right, but my country, right or wrong,” is a noble statement, but it is hard to argue with Miss Zakharova’s assessment of the outgoing administration’s Russia policy, the irregularly alternating periods of groveling supplication and periods of infantile tantrum that have comprised the last eight years.

Let’s get back to the crime at issue. Technically, it wasn’t a “hack,” this penetration: the “hacker” used social engineering, spearphishing, to induce officials at the target (and many others) to admit them onto the network and give up access. As is often the case, senior officers of the organization think they’re above the laws and rules that apply to mere mortals (consider the wrist tap David Petraeus received for mishandling classified, or the non-prosecution of the Bush-era leaker Richard Armitage, who was not prosecuted because he was too well-connected).

We believe that the Russians probably are responsible for the penetration, but that’s only one of the allegations that are made. In a moment, we’ll share our evidence for Russian responsibility, but we have to say that evidence for the proposition that the DNC was particularly or uniquely targeted is lacking, especially in light of the fact that the same APTs targeted their Republican opposite numbers, albeit less successfully; and evidence of Russian motives is entirely absent.

Many in the media seem to assume that V.V. Putin preferred Trump because he feared Hillary Clinton, which is in our view both a vast underestimation of the Russian supremo and an overestimation of his would-be American opposite number. The only thing Russia had to fear from a Clinton Administration was more of the illogic and unpredictability of the Obama years. Trump could be predicted, perhaps, to behave rationally in American interests, and Russian leaders and diplomats might be relieved to have that, after the 2008-16 World Apology Tour.

Here is a technical breakdown of the DNC break-in, from consultants that the Committee itself used, which dates from prior to the election; in fact, the hack and the cybersecurity firm’s involvement date to 2015.

CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.

COZY BEAR is a CrowdStrike name for something other researchers call APT 29 (Advanced Persistent Threat is a term of art for competitive or adverse nation-state level permanent cyber establishments) and is associated in unclassified literature with Russian civil intelligence services, either FSB (internal security, broadly similar to FBI-National Security, or MI5) or SVR (external intelligence, similar to CIA or MI6). FANCY BEAR, APT 28, is associated more solidly with Russian military intelligence, the GRU.

One of the more interesting observations by CrowdStrike’s Dmitri Alperovitch is that there is no apparent coordination between the two APTs, with COZY and FANCY not only not working together, or even not deconflicting (as Western cyber entities might try to do), but not being aware that the other was at work here.

The implication of both military and civilian intelligence agencies targeting a single target is that the target is on the target list (EEI or CCIR, “Essential Elements of Information” or “Commander’s Critical Information Requirements,” depending on when you learned your acronyms) of some authority level to which both military and civilian intelligence are responsible. We leave finding that level on a Russian org chart as an exercise for the reader.

The “intelligence community” report published by the DNI seems to be a rewrite of a version of this report by CrowdStrike, probably the original, as provided to their client, the DNC (which tells you all you need to know about the incumbent DNI). There is much more on the CrowdStrike website about the DNC penetration, for the technically adept. Note that what would have prevented this is not some magical software or big-dollar consultant, but the basic blocking and tackling of network security, software updates, and better education of senior officials who think they’re too important to pay attention in the cyber briefing. In other words, prevention is very simple, but very difficult in the real world.

As far as Russian election-altering intent goes, Lew Amselem, a retired diplomat, “ain’t buying it,” and neither are we.

Regular readers of this blog may find another report by CrowdStrike, on the GRU’s use of cyber to negate a Ukrainian artillery threat, of greater interest. We mean to write about this but we’ll put the link here in case we don’t get to it.

 

 

45 thoughts on “Yeah, the Russians Probably Did Penetrate the DNC”

  1. 2hotel9

    Since Hillary gave them every opportunity of course they did. They also breached DeptState and Executive Branch systems. That was THE reason she ran her little homebrew server, and she was paid well for it. UraniumOne deal was just icing on their corruption cake. Total impossibility she can prove her innocence in any of this, hence Bill paying off Lynch in that “secret” airport meeting.

    1. Hognose Post author

      I think there is no point ascribing to treason that which can be explained by hubris, incompetence, and the Dunning-Kruger effect.

      1. Buckaroo

        Why can’t she be treasonous, incompetent, AND full of hubris?

        None of these things are necessarily mutually exclusive.

        She peddled influence to foreign states. That’s undeniable fact. If that isn’t treason, I’m not sure what is.

  2. Heresolong

    “consider the wrist tap David Petraeus received for mishandling classified”

    He did get fined $100,000 and resigned. Fairly significant penalty I’d think, considering that the person to whom he showed the classified info had a TS clearance of her own. Not defending what he did, but not exactly a tap on the wrist.

    Agreed that the Armitage thing was ridiculous. Especially since from what I’ve read the special prosecutor knew that Armitage was the “leak” early on and continued with his investigation anyway. Can’t think of any reason other than to embarrass the Bush administration.

    1. OBob

      “He did get fined $100,000 and resigned. Fairly significant penalty I’d think, considering that the person to whom he showed the classified info had a TS clearance of her own.”

      Two points: Just because you have a TS clearance does NOT entitle you to view ALL TS info! Secondly, had Broadwell’s behavior been known her TS would have been revoked in a millisecond.

      As for Petraeus, $100k is nothing compared to not being an E1 in Kansas for the next 20 years or being locked up in the federal pen until the second term of the Chelsea administration. And yes, I think either of those penalties would have been warranted given the extraordinary risks he exposed our country to out of ego, vanity, and lust (not the info he shared with his biographer, but rather the blackmail potential of director).

      As for the faux outrage what the Russian did, I think it is all theater. It is fully expected that EVERY country in the world is trying every single day to intercept, decrypt, hack, tap, etc, the communication of every other country in the world, friend and foe. We certainly do it and are doing it right now, and know everyone else is too.

      Lastly, with a “password” of P@SSWORD, I can only imagine that THOUSANDS of hackers gained access to that account. No doubt the Russians did, but I’ll bet a lot of other countries and 13yr old kiddies did too.

    2. Hognose Post author

      If he was PFC Petraeus, he might not have got the $100k fine, but he certainly would be in prison until some time in the Trump Administration. “Different spanks for different ranks” is the fundamental value of the Army elite, the Acela elite, and certainly, the FBI Partisan Political Police and the DOJ.

    3. Mike_C

      >He did get fined $100,000 and resigned. Fairly significant penalty I’d think
      Fairly significant to most people, but that $100k is less than Petraeus’ average speaking fee for a single engagement.

      Hah. The last invited talk I gave to a professional organization (as opposed to presenting at a scientific conference, where you pay for the dubious privilege of doing so) I was handed a check for $200, and a peck of apples in a paper sack. Both were unexpected since I was essentially speaking on behalf of my research group and had chalked it up to “community outreach”. Total time expended (tuning the admittedly mostly-canned talk to that group; actually delivering talk, answering questions, attending some reception; transit to and from) about 4h. Anyway, the apples were good, and I somehow managed to lose the check. As to return on time spent, those were good apples, but not THAT good ;-)

  3. W. Fleetwood

    A minor point. I’m not at all sure the GRU / SVR / FSB cross treading indicates a high level commitment to a specific goal. In my lowly toad-under-the-harrow experience the various spooks, cops, and MI types will all give lip service to interservice coordination in aid of the grand design. Then they assign some junior officer in a basement office (Who’s on leave at the time.) as the LNO and proceed to do whatever they damn well feel like. Given that the US of A is such an inviting, target rich environment I’d reckon that it would take a Command interest, complete with vicious threats and a few bureaucratic heads on pikes to keep them from not cross treading. FWIW.

    Wafa Wafa, Wasara Wasara.

    1. W. Fleetwood

      Damn. Last line was gibberish. Let’s try again. It would take a Command interest to prevent them from cross treading each other. Better.

      Sua Sponte.

      1. John M.

        I agree. If we stipulate that multiple Russian agencies were working the DNC over at the same time, I think that more likely points to multiple Russian agency heads acting independently of each other rather than highest-level coordination.

        “Whom would you like to hack Amerikanskii Demokratskii Party, sir?” seems like the obvious question if Putin had ordered his cabinet to do this.

        -John M.

  4. Tom Stone

    As far as the hacks, Podesta’s password was P@ssword.
    Brilliant dude, smartest guy in the room.
    So Hillary lost because the DNC hacks showed the electorate that her campaign was run by a bunch of sleazy and corrupt incompetents….and this proves that DJT is a Russian Dupe or more likely a traitor.
    I’m sure this would make a lot more sense if I took enough bad drugs.

    1. Buckaroo

      What’s even more hilarious is, after the hack of Podesta’s email was revealed in the Wikileaks dump of his email account, some NEET from 4chan decided to see if Podesta had changed his email password after the hack. Of course he hadn’t, so the kid went in and cleaned out the rest of Podesta’s emails.

      Podesta proves that you can be evil AND incompetent. They aren’t mutually exclusive.

      1. Toastrider

        And that’s why I love 4chan to bits, even when they’re a hive of scum and villainy. *chuckles evilly*

  5. John M.

    TL;DR: The Rooskies made fools out of Hillary and her trained monkeys. Again.

    Most. Qualified. Candidate. Ever.

    -John M.

  6. KevsBlogBrother

    I’m as avid a news watcher and reader as the next guy (okay not as much as the guy who runs this blog), and one thing I’ve noticed from the media wing of the DNC is that this is one of the rare, rare, rare occasions when they have NOT dumped loads of 5000-word essays detailing exactly how the Russians “hacked the election.” Instead, they’ve just used this three-word shorthand – “hacked the election.”

    So, if you’re a regular voter out there, you might be wondering – just how did the Russians “hack the election?” The answer, as all of us here know, is they took advantage of the DNC’s crappy cybersecurity and clueless geniuses, e.g. Podesta, to get thousands of embarrassing, incriminating emails that exposed exactly how cynical and corrupt the Dems are – and then published them.

    But to Joe and Jane Regular Voter, “hacking” implies something much worse. It connotes doing terrible things to the election, and the nation, and all of us. If the stories replaced “hacked the election” with “exposed the Dem leadership as cynical, corrupt douchebags,” that would be bad for the narrative.

    One last point: as Hognose may have mentioned, I work for a very large company (Fortune 100) that has access to tons of personal private information. Because of this, unlike the DNC which sought control of a much more powerful organization than my own little employer, my bosses take cybersecurity VERY seriously.

    1. rocketguy

      Similar situation here – lots of security and constant testing with in-house phishing emails. I asked one of the IT guys about them one time and learned (not exactly shocking) that the rate of falling for the phishing tests is inversely correlated with rank/age.

      1. TRX

        Oh yeah. I used to do IT security at a large hospital. Doctors were mostly too elite to actually read security regulations, much less obey them. And certain they were too smart to fall for any sort of phishing. A few of them fell for the simplest trojans and scams every. single. time.

        I apparently fell short in the “subservient ass-kissing” category, and was quickly removed from dealing with the MDs, RNs, and department heads.

  7. Buckaroo

    Oh yeah, one other thing.

    >DNC pays Crowdstrike to uncover source of hacks.

    >Crowdstrike delivers the answer that DNC wants to hear.

    Anybody else see a problem here?

  8. Mr. 308

    “Moreover, I am inviting all children of U.S. diplomats accredited in Russia to the New Year and Christmas parties at the Kremlin,” he said.”

    This alone shows more leadership than what Obama has done in his eight years combined.

    1. John M.

      It gives Putin the advantage when it’s time to negotiate with Trump. If he’d expelled Americans, he wouldn’t have had that card.

      -John M.

  9. Jim Scrummy

    Poor petulant Zero. In 3 weeks his 8 year vacation is over, and whatever he “accomplished” will be wiped out in the next 4 years.

    Yeah, like NSA/CIA/DIA/et.al., aren’t trying to hack their way into other countries gubmint interwebs systems. Hell, I know many of these people personally. I do love how every year I have to take the useless DoD “Cyber” training so that I can keep our “adversaries” at bay… Of course at a briefing I asked a “dumb” question in regards to who are our cyber “adversaries”. Again, I was told to go to the little kids table with my crayons (the IT “cyber folks” couldn’t answer the question). Luckily, I have the 64 crayola crayon set!

    1. bloke_from_ohio

      It is probably safe to assume our “adversaries” include everybody from everywhere. That said, the USG cyber establishment was using the term “team east” and using a lot of red graphics on the cyber conference circuit about five years back. The last shindig I had the pleasure of attending was a little less cheeky about it, but not by much.

  10. Greg

    “Christmas parties” ?!? Surely they mean “season’s festivities.” Can’t use the c-bomb, people may get offended.

  11. Trone Abeetin

    Yeah, I kinda get a kick out of them calling it “hacking”. All it was, is an idiot giving up his credentials willingly. Morons abound, at every station in life.

  12. Keith

    Lost a job once because the department I was in did a better job detecting fraud than the parent organization.

  13. Sean

    One of the points that many people keep leaving out of this is that there was an attempted penetration of the RNC system at the same time. Both detected by FBI and other resources, and reported to each organization.

    RNC fixes problem and takes cyber security at least somewhat seriously. No massive RNC data dump.

    DNC staffer won’t even return FBI phone calls, because he, to quote, “doesn’t even think it’s real FBI agents”. And, massive penetration continues….

    So, of course, they point the victim finger…

  14. Quill_&_Blade

    I try to be a good person; I try to have good thoughts, but just as I clicked ‘back’ I saw the post title again and wondered if there was a dual meaning?

  15. Kirk

    Here’s a point I see everyone overlooking; back in 2014, someone, presumably the Russians, penetrated the White House and they shut down the networks for a couple of weeks, and suffered a severe disruption of work. This was official government servers, run for the White House. Other penetrations included the Pentagon, and a few other places.

    There was also the OPM breach. Where the government pissed away every piece of personal security information for every clearance holder since God alone knows when.

    All these incidents? No real response, at least publicly, and I suspect, not a damn thing was done out of the public eye, either. Hell, they haven’t even fired anyone over the whole OPM fiasco, which is arguably the biggest security breach, ever.

    And, Obama chooses to throw a fucking hissy fit over this latest deal, most of which can be blamed on rank incompetence I’d expect from a high-school student?

    Yeah, pull my other leg. It’s got bells on.

    This administration has been one long litany of security failures, and they’re suddenly gonna get all tough, and act like hard guys? What the hell happened to Obama’s assurances to the Russians that he’d be able to be more “flexible” after the 2012 elections, again?

    If I really gave a flying f**k, anymore, I’d be outraged. I lost that capacity sometime around 2010, though. Now, I’m just bemusedly watching everything blow away in the wind, and wondering how long until the barbarian hordes appear on the horizon… I can’t even think of a good classical reference to compare Obama to–Some feckless Byzantine, perhaps?

  16. bloke_from_ohio

    The biggest problem about our response is the inconsistency. Even if “punishing” the Russians is the right thing to do in response to cyber intrusions, the timing and lack of action on other similar attacks makes it hard to take them seriously. Even if it is not a nakedly partisan move, it sure does look that way. The perception of an administration’s intent is as important as the reality of its intent.

    The fact the espionage (if we can call it that) happened in the cyber domain given how attribution is especially difficult to confirm. The media and government have been correctly pushing that line pretty hard for a while. On the internet no one knows you are a horse! So the Russians have an insane level of plausible deniability built in already should they choose to use it. The counter narrative that the administration is just being a bunch of sore losers and lashing out at poor innocent Russia would probably resonate well both inside and outside Russia.

    Further the sanctions are unlikely to deter future endeavors by state or non-state actors. Perhaps the intel organizations involved will be reprimanded for getting caught, but I doubt it. At best this will force adversaries into tightening up their game and make it hard to detect their actions in the future. It is often more useful to know what information your enemy has stolen than it is to keep them from stealing it. For one thing, it lets you know a lot about their capabilities. That knowledge helps you protect the stuff you really don’t want them to get. It also helps you build your own capabilities by incorporating their good ideas into your own bag of tricks. The USA does not have a monopoly on being clever.

    Regardless, this fiasco does nothing to strengthen either the Democratic party, the current outgoing administration, or America as a whole. The appearance of naked partisanship and the plausible deniability afforded by the medium, means this whole dog and pony show will only be useful for stirring up the progressive base. And that is a travesty of the worst kind of political tribalism.

  17. bloke_from_ohio

    In paragraph 2 “The fact the espionage (if we can call it that) happened in the cyber domain given how attribution is especially difficult to confirm.” should read “The fact the espionage (if we can call it that) happened in the cyber domain makes attribution especially difficult to confirm”

    Incomplete revision is a pain…

  18. robroysimmons

    Now according to the political hacks you better go buy a generator the Russians have hacked the grid.

    1. TRX

      There are many things that should not be connected to the internet. The USAF drone control center in Oklahoma, various power stations, water pumping stations, sewage stations, medical equipment, “security” systems…

      The idiots at Creech AFB first admitted they’d been pwned back in 2011, and they’re *still* unable to secure their systems. “But… *everything* must be connected to the internet!”

  19. 11B-Mailclerk

    Most of the damage was from deleting emails, required by law to be kept, which were subsequently found elsewhere. The ones ordered released by a Court.

    That, and using a bootleg server in the most ham-handed-amateur way possible.

    The “leaked” emails were some coffin nails, but not what put the subject in the dirt-box in the first place.

    Personally, I am convinced that the winner of the Means+Opportunity+Motive prize for the “leak” is BHO himself, or one of his most senior minions. He is legendary for petty backstabbing retaliation, and that “leak” is exactly the sort of Chicago back-pat one might expect from the Illustrious Termite.

  20. RostislavDDD

    Developer Ukrainian artillery programs – 1 person. Ukrainian artillery officer. The freely available, this program was not. It is spread only among the Ukrainian officers, after a personal identification. Artillery officer in the Ukrainian army bit.
    Conclusions can be two:
    1. Ukrainian officer working on the SVR (FSB).
    2. Alperovich liar.
    In the latter case, bind “Russian hackers” and an arbitrary piece of code is a great way to make money. “Terrible Russian hackers” pervaded everywhere. Save can only Alperovich. :)
    Huge losses howitzer D-30 and 2S1, in boilers 2014 is not exactly connected with smartphones Ukrainian artillerymen.

    1. Hognose Post author

      Everyone has been surprised at the efficiency of Russian artillery in this war. Artillery has always been a Russian specialty, but it is clear that last 30 years Russian artillerymen have been working hard to make their arm more effective and lethal in several ways. Meanwhile the rest of world has a mistaken idea of big dumb Ivan whose artillery has great power but not great efficiency, speed of fire, pinpoint accuracy.

      1. RostislavDDD

        It has always been so. During the Cold War, our tactical and technical backlog of aviation from NATO, was 15-25 years.
        Approximately the same amount, we were ahead in the artillery. Due to the neglect of US artillery in 1990 … 2000, a significant difference remains.
        Recommend allegedly hit the Internet, report Mikhailovsky Artillery Academy:
        http://archive.is/La5sX
        ———–
        The great error of Stalin and his military experts, craze massaging artillery. Just do not have time to cook of qualified professionals. The reports from the front, about the massing of artillery that creates a problem even wrote to Stalin.
        Scary letter to Stalin from the S-3 Staff of 33th Army, Colonel Tolkonyuk. Dedicated to fighting with the highest level of secrecy of documents – Central (Moscow) direction, 1942-44. By checking this letter was removed from the post commander of the Western Front, General Sokolovsky. “Numerous artillery hinders management, and reduces efficiency” – is written direct text. http://rostislavddd.livejournal.com/99932.html

      2. bloke_from_ohio

        Making the rubble bounce is easier than hunting single individuals from 30K feet. Some nations can get away with the former. That drives strategy. And strategy should drive weapons development and so forth.
