Putin Steals Oppo Files on Most Pro-Putin 2016 Candidate
Hackers likely working on behalf of the FSB and GRU broke into DNC servers.
Hackers working on behalf of the Russian government have breached the German Bundestag and the White House email system. Now they’ve notched another major score: the Democratic National Committee’s opposition research file on Donald Trump.
Cyber attackers linked to Moscow’s military intelligence unit, the GRU, and to the FSB, the successor to the KGB, broke into the DNC and gained wide-ranging access to its computer systems. The intrusion was first reported by the Washington Post. The DNC and CrowdStrike, the security firm called in to kick the Russian hackers off the network, confirmed the details of that story to Foreign Policy.
Calls to the Russian Embassy on Tuesday went unanswered.
In April, the DNC grew suspicious that its networks might have been penetrated and called in CrowdStrike, based in Irvine, Calif., to investigate. Dmitri Alperovitch, the company’s co-founder and chief technology officer, told FP in an interview that his company immediately recognized the hackers as Russian-backed groups it had previously encountered. The intrusion used techniques and code consistent with those groups, which are well known and have been linked to a number of prominent breaches.
Stealing opposition research on Trump makes perfect sense from a foreign intelligence perspective, according to Alperovitch. “Every world leader right now is trying to figure out this election. Trump is an unknown, and it is unclear what his positions are,” he said.
DNC officials told the Post that they have no evidence that donor or financial information was targeted.
The DNC’s Trump files present an appealing target. Opposition research might give the Kremlin insight into how Trump would approach countries in which he has investments or provide fodder for blackmail. It could also help Russian President Vladimir Putin sort out whether Trump is as potentially friendly to Moscow as he seems; the GOP frontrunner has spoken warmly about Putin, and the Russian strongman has responded with positive words of his own.
Following a Trump foreign-policy address in April, Putin called him “a brighter person, talented without a doubt.” Trump has described Putin as someone he would “get along very well with.”
The Russian hackers likely made easy work of the DNC. “Not-for-profit organizations, like the DNC, are run with low operational expense budgets. Unfortunately, many organizations consider information security as an afterthought,” said Justin Harvey, chief security officer at Fidelis Cybersecurity. “Once these attackers are in, it’s just a matter of masquerading as a valid user throughout the system to access sensitive data and remove it.”
The digital break-in at the DNC comes on the heels of warnings by American intelligence officials that state-sponsored hackers are going after the computer systems of major political campaigns. Last month, Director of National Intelligence James Clapper warned that U.S. spies have picked up “some indications” that the campaigns are being targeted online.
“I anticipate as the campaigns intensify we’ll probably get more of it,” Clapper said.
Alperovitch said the DNC was penetrated by two different groups, which CrowdStrike has dubbed Fancy Bear and Cozy Bear. The company assesses with what Alperovitch called medium confidence that Fancy Bear works on behalf of the GRU, Russian military intelligence. The company is less certain about the identity of Cozy Bear, but believes that hacking group is likely working on behalf of the FSB.
The two hacking groups went after mostly different targets on the DNC’s servers. Fancy Bear targeted opposition research on Trump and succeeded in stealing several files on the presumptive Republican nominee. Cozy Bear set up a surveillance system on the DNC servers that allowed Russian spies to monitor the email and chat communications of the political body’s employees.
Alperovitch described the two groups’ tradecraft as “superb,” saying they make extensive use of so-called “zero days,” software vulnerabilities that are unknown to the vendor and therefore unpatched. Such vulnerabilities can sell for five- or six-digit dollar amounts on the black market. To remain undiscovered on the DNC servers, both groups frequently changed their tactics and relied on standard Windows tools that blend in with normal administrative activity.
Fancy Bear broke in during April; Cozy Bear had been on the DNC servers undetected since last summer. The groups appear not to have been aware of one another’s presence on the DNC system, as some of their work overlapped.
CrowdStrike executed an operation to kick the hackers off the DNC system this weekend.
“The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with,” Rep. Debbie Wasserman Schultz (D-Fla.), the DNC chairwoman, said in a statement. “When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.”
In recent years, hackers have frequently targeted American political campaigns. In 2008, an attack that originated in China penetrated the computer systems of both the McCain and Obama campaigns and reportedly succeeded in stealing significant quantities of files. According to Newsweek’s Evan Thomas, the attack on Obama targeted policy information and was carried out by what the FBI told the campaign was a “foreign entity.” The attacks on Obama and McCain sought “information that might be useful in any negotiations” with whichever candidate ended up in the White House, Thomas reported.
In 2012, hackers repeatedly targeted the Obama and Romney camps, according to Time. Those attacks included attempts by the Anonymous hacking collective to bring down their websites using distributed denial of service attacks. Sophisticated spear-phishing attempts tried to gain wide-ranging access to their computer systems, an attack that could have been the work of hackers plying their trade on behalf of a nation-state. Criminal groups tried to steal credit card data of donors.
Harvey cautioned that it is impossible to ascertain the exact identity of hackers such as those that targeted the DNC. “It would not be outside of the realm of possibility that these attacks are not ‘just’ state-sponsored,” he said. “Some Eastern-European threat groups have ties with Russian intelligence/military organizations and organized crime syndicates.”