Since the election, we frequently hear the charge that the Russians were behind the hack of the Democratic National Committee’s poorly-secured mail systems, and that they did it in order to influence the election. This is what has led the outgoing president to expel some three dozen Russian diplomats, some of whom are most certainly intelligence officers, and some of whom are probably just diplomats. It is interesting to note that he did not react to anything Russian intelligence has done for the last eight years, until it became entangled with the fortunes of his own political party. Iranians murder Americans, he did nothing; Russia invades neighbors, he does nothing; Saudi Arabia sponsors terrorism, he does nothing; China expands its borders onto Vietnamese or Filipino territory, he does nothing; Syria gasses civilians, he does nothing. Only The Party is worth defending.
Customarily, an expulsion of diplomats (often when an intelligence net is rolled up) is followed pro forma by the tit-for-tat expulsion of their opposite numbers by the competitor nation. By not doing this, Vladimir Vladimirovich Putin has expressed his and his nation’s contempt for Obama and his supine administration.
“The Russian diplomats returning home will spend the New Year holidays with their relatives and dear ones,” Putin said in a statement published on the Kremlin website. “We will not create problems for U.S. diplomats. We will not expel anybody.”
“Moreover, I am inviting all children of U.S. diplomats accredited in Russia to the New Year and Christmas parties at the Kremlin,” he said.
Troll level: Tsar. It gets even better, though:
Maria Zakharova, a Russian foreign ministry spokeswoman, took to Facebook to call the Obama administration “a group of foreign policy losers, angry and ignorant.”
“My country, may it always be right, but my country, right or wrong,” is a noble statement, but it is hard to argue with Miss Zakharova’s assessment of the outgoing Russian policy of irregularly alternating periods of groveling supplication and periods of infantile tantrum that have comprised the last eight years.
Let’s get back to the crime at issue. Technically, it wasn’t a “hack,” this penetration: the “hacker” used social engineering, spearphishing, to induce officials at the target (and many others) to admit them onto the network and give up access. As is often the case, senior officers of the organization think they’re above the laws and rules that apply to mere mortals (consider the wrist tap David Petraeus received for mishandling classified, or the non-prosecution of the Bush-era leaker Richard Armitage, who was not prosecuted because he was too well-connected).
We believe that the Russians probably are responsible for the penetration, but that’s only one of the allegations that are made. In a moment, we’ll share our evidence for Russian responsibility, but we have to say that evidence for the proposition that the DNC was particularly or uniquely targeted is lacking, especially in light of the fact that the same APTs targeted their Republican opposite numbers, albeit less successfullly; and evidence of Russian motives is entirely absent.
Many in the media seem to assume that V.V. Putin preferred Trump because he feared Hillary Clinton, which is in our view both a vast underestimation of the Russian supremo and an overestimation of his would-be American opposite number. The only thing Russia had to fear from a Clinton Administration was more of the illogic and unpredictability of the Obama years. Trump could be predicted, perhaps, to behave rationally in American interests, and Russian leaders and diplomats might be relieved to have that, after the 2008-16 World Apology Tour.
Here is a technical breakdown of the DNC break-in, from consultants that the Committee itself used, which dates from prior to the election; in fact, the hack and the cybersecurity firm’s involvement date to 2015.
CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.
COZY BEAR is a CrowdStrike name for something other researchers call APT 29 (Advanced Persistent Threat is a term of art for competitive or adverse nation-state level permanent cyber establishments) and is associated in unclassified literature with Russian civil intelligence services, either FSB (internal security, broadly similar to FBI-National Security, or MI5) or SVR (external intelligence, similar to CIA or MI6). FANCY BEAR, APT 28, is associated more solidly with Russian military intelligence, the GRU.
One of the more interesting observations by CrowdStrike’s Dmitry Alperovich is that there is no apparent coordination between the two APTs, with COZY and FANCY not only not working together, or even not deconflicting (as Western cyber entities might try to do), but not being aware that the other was at work here.
The implication of both military and civilian intelligence agencies targeting a single target is that the target is on the target list (EEI or CCIR, “Essential Elements of Information” or “Commander’s Critical Information Requirements,” depending on when you learned your acronyms) of some authority level to which both military and civilian intelligence are responsible. We leave finding that level on a Russian org chart as an exercise for the reader.
The “intelligence community” report published by the DNI seems to be a rewrite of a version of this report by CrowdStrike, probably the original, as provided to their client, the DNC (which tells you all you need to know about the incumbent DNI). There is much more on the CrowdStrike website about the DNC penetration, for the technically adept. Note that what would have prevented this is not some magical software or big-dollar consultant, but the basic blocking and tackling of network security, software updates, and better education of senior officials who think they’re too important to pay attention in the cyber briefing. In other words, prevention is very simple, but very difficult in the real world.
As far as Russian election-altering intent goes, Lew Amselem, a retired diplomat, “ain’t buying it,” and neither are we.
Regular readers of this blog may find another report by CrowdStrike, on the GRU’s use of cyber to negate a Ukrainian artillery threat, of greater interest. We mean to write about this but we’ll put the link here in case we don’t get to it.
Kevin was a former Special Forces weapons man (MOS 18B, before the 18 series, 11B with Skill Qualification Indicator of S). His focus was on weapons: their history, effects and employment. He started WeaponsMan.com in 2011 and operated it until he passed away in 2017. His work is being preserved here at the request of his family.