The U.S. has had a Russian Problem of Espionage for Decades

What is terrifying and pathetic is that the Obama White House and both Secretaries of State, Hillary Clinton and John Kerry, have been stooges of Putin, groveling for normalcy just as they have with the regime of Iran. This is an administration that is normalizing relations with all terror regimes across the globe, including North Korea, Cuba and Venezuela. Hillary said that Bashar al-Assad of Syria was a reformer when 400,000 Syrians are dead and 4-5 million have left their homes. Then, we all remember that the Obama White House negotiated with Qatar to release 5 Taliban commanders in exchange for one Army deserter. Talks have been ongoing with the Taliban for years until just recently.

But back to Russia, and to the years before the hacking meant to sway or interfere with U.S. elections.

Related reading: Hey FBI, the Investigation into the DNC Hacking is Over Here

No one is admitting that Russia, in cadence with WikiLeaks, has hacked Hillary’s campaign systems, the DCCC and the DNC, as well as other government systems. Why? Perhaps diplomacy, due to continued talks with Iran and efforts to end the civil war in Syria. Remember that ‘red line’ on chemical weapons use.

So, let’s go back a ways, over a decade and up to just a couple of years ago, when it comes to Russian spies in the United States, shall we? This is for perspective, and to show how the Obama administration, including his National Security Council and the State Department, continues to ‘omit’ history…

Espionage continues, and Russia’s tactics have not changed even as cyber intrusions have replaced in-country operatives; however, a look at those operatives’ skills and missions must not be overlooked or dismissed.

Let’s begin with Anna Chapman, the Russian spy.

DailyNews: Sultry former Russian secret agent Anna Chapman ended an exchange with NBC News almost before it began when she was pressed about her playful Twitter marriage proposal to NSA leaker Edward Snowden.

Here is the official criminal complaint, filed in 2010, with a summary of how the FBI tracked her actions. The file also covers an additional spy, Mikhail Semenko. This actually began in 1990….yes, 1990.

But actually there were 8 more Russian spies, and this is the criminal complaint for that case. What is fascinating here is the many stopovers in Latin America…

The spying spree finally came to its end in the summer of 2014, when the trio were propositioned by a self-described investor who wanted to develop casinos in Russia. The scheme immediately drew red flags among the group, with Sporyshev offering that the proposal felt “like some sort of set-up.”
But despite his misgivings, Sporyshev didn’t stop Buryakov from meeting with the supposed investor, who was, in fact, an FBI informant.
For six hours on Aug. 28, Buryakov and the informant met in the anemic gambling metropolis Atlantic City. The informant, who claimed he had a well-placed source in the U.S. government, handed Buryakov documents that were labeled “Internal Treasury Use Only” and contained a list of Russians who were essentially blacklisted from doing business with the United States.
The valuable document earned the informant another meeting that day, when he offered Buryakov another official document that contained “a list of Russian banks… on which to impose sanctions,” according to the criminal complaint. More from DailyBeast.

Then there was a dead Russian, Mikhail Lesin, found in a hotel in Dupont Circle, Washington, DC. A story that came and went very fast.

Mr. Lesin was a major figure in Russian media after the fall of the Soviet Union, first as an advertising executive and later as a top government official and media executive.  

He had deep connections to the Russian state at the time Mr. Putin was reasserting his authority over the country’s rambunctious and freewheeling media. He was a crucial figure in that process, which began with the takeover of Russia’s first independent television channel, NTV, in the early 2000s, and was viewed with bitterness by many Russian journalists at that time.

Clinton Campaign Refused FBI Request for Computer Logs

Details, dates and motivations are everything when it comes to decisions to cooperate with the FBI or not. It seems the powerbrokers in the Clinton campaign headquarters in Brooklyn did not trust the FBI either, but one department within the agency is different from another.

FBI warned Clinton campaign last spring of cyberattack

Yahoo: The FBI warned the Clinton campaign that it was a target of a cyberattack last March, just weeks before the Democratic National Committee discovered it had been penetrated by hackers it now believes were working for Russian intelligence, two sources who have been briefed on the matter told Yahoo News.

In a meeting with senior officials at the campaign’s Brooklyn headquarters, FBI agents laid out concerns that cyberhackers had used so-called spear-phishing emails as part of an attempt to penetrate the campaign’s computers, the sources said. One of the sources said agents conducting a national security investigation asked the Clinton campaign to turn over internal computer logs as well as the personal email addresses of senior campaign officials. But the campaign, through its lawyers, declined to provide the data, deciding that the FBI’s request for sensitive personal and campaign information data was too broad and intrusive, the source said.

A second source who had been briefed on the matter and who confirmed the Brooklyn meeting said agents provided no specific information to the campaign about the identity of the cyberhackers or whether they were associated with a foreign government. The source said the campaign was already aware of attempts to penetrate its computers and had taken steps to thwart them, emphasizing that there is still no evidence that the campaign’s computers had actually been successfully penetrated.

Related reading: Also Hacked, Democratic Congressional Campaign Committee

But the potential that the intruders were associated with a foreign government should have come as no surprise to the Clinton campaign, said several sources knowledgeable about the investigation. Chinese intelligence hackers were widely reported to have penetrated both the campaigns of Barack Obama and John McCain in 2008.

The Brooklyn warning also could raise new questions about why the campaign and the DNC didn’t take the matter more seriously. It came just four months after the DNC had also been contacted by FBI agents alerting its information technology specialists about a cyberattack on its computers, the sources told Yahoo News. As with the warning to the Clinton campaign, the FBI initially provided no details to the DNC.

As Yahoo News first reported this week, in early May a DNC consultant who was investigating Trump campaign chief Paul Manafort’s work for pro-Putin political figures in Ukraine alerted senior committee officials that she had been notified by Yahoo security that her personal email account had been targeted by “state-sponsored actors.” The DNC had already realized that it was the victim of a serious breach, but the red flag from the staffer prompted committee security officials to conclude for the first time that the suspected cyberhackers were likely associated with the Russian government.

By mid-May, Director of National Intelligence James Clapper was telling reporters that U.S. intelligence officials “already had some indications” of hacks into political campaigns that were likely linked to foreign governments and that “we’ll probably have more.”

In a talk at the Aspen Security Forum Thursday, Clapper said the U.S. government is not “quite ready yet” to “make a public call” on who was behind the cyberassault on the DNC, but he suggested one of “the usual suspects” is likely to blame. “We don’t know enough [yet] to … ascribe a motivation, regardless of who it may have been,” Clapper said.

Related reading: The Covert Russian Influence, Targets Europe/USA

Clapper’s comments come amid a mounting debate within the Obama administration about whether to publicly blame the Russian government for the cyberattack on the DNC. (A senior law enforcement official told Yahoo News that the Russians were “most probably” involved in the cyberattack, but cautioned that the investigation is ongoing.) On Wednesday, Sen. Dianne Feinstein of California and California Rep. Adam Schiff, the ranking Democrats on the Senate and House Intelligence Committees, wrote President Obama calling for a stern response, asserting that if the accounts of Russian involvement are true, “It would represent an unprecedented attempt to meddle in American domestic politics.”

But Clapper is reportedly among a number of U.S. intelligence officials who have resisted calls to publicly blame the Russians, viewing it as likely the kind of activity that most intelligence agencies engage in. “[I’m] taken aback a bit by … the hyperventilation over this,” Clapper said during his Aspen appearance, adding in a sarcastic tone, “I’m shocked somebody did some hacking. That’s never happened before.”

The confirmation that the campaign was warned by the FBI as early as March of an attempted breach of its computers is a further indication that the scope of the possible Russian attack may have been far wider and extensive than the official DNC accounts.

The FBI’s request to turn over internal computer logs and personal email information came at an awkward moment for the Clinton campaign, said the source, familiar with the campaign’s internal deliberations. At the time, the FBI was still actively and aggressively conducting a criminal investigation into whether Clinton had compromised national security secrets by sending classified emails through a private computer server in the basement of her home in Chappaqua, N.Y. There were already press reports, to date unconfirmed, that the investigation might have expanded to include dealings relating to the Clinton Foundation. Campaign officials had reason to fear that any production of campaign computer logs and personal email accounts could be used to further such a probe. At the Brooklyn meeting, FBI agents emphasized that the request for data was unrelated to the separate probe into Clinton’s email server. But after deliberating about the bureau’s request, and in light of the lack of details provided by the FBI and the absence of a subpoena, the Clinton campaign chose to turn down the bureau’s request, the source said.

Hey FBI, the Investigation into the DNC Hacking is Over Here

Anyone ever see that Jack Ryan movie ‘Shadow Recruit’? It is playing out in a more nefarious form in real time.

May 2016: Director of National Intelligence James Clapper said today that presidential campaigns are a target for cyber intruders and that this political season has already seen some attempted hacks.

“We have already had some indications of that,” he said in response to a question about campaign website hacking, after speaking at the Center for Bipartisan Policy in Washington, D.C.

“I anticipate as the campaigns intensify, we will probably have more of it,” he added. He did not provide specifics about any attacks, but it has been reported that some hacking groups, such as Anonymous, have threatened to launch “total war” against Donald Trump’s presidential campaign. Read more from ABC here.

Related reading: Clinton Foundation Said to Be Breached by Russian Hackers 

So, Director of National Intelligence James Clapper says the FBI is helping campaigns tighten up to protect against the threat. How has that worked out so far?

*****

Via ThreatConnect: In our initial Guccifer 2.0 analysis, ThreatConnect highlighted technical and non-technical inconsistencies in the purported DNC hacker’s story as well as a curious theme of French “connections” surrounding various Guccifer 2.0 interactions with the media. We called out these connections as they overlapped, albeit minimally, with FANCY BEAR infrastructure identified in CrowdStrike’s DNC report.

Now, after further investigation, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN service to communicate and leak documents directly with the media. We reached this conclusion by analyzing the infrastructure associated with an email exchange with Guccifer 2.0 shared with ThreatConnect by Vocativ’s Senior Privacy and Security reporter Kevin Collier. This discovery strengthens our ongoing assessment that Guccifer 2.0 is a Russian propaganda effort and not an independent actor.

Analyzing the Headers from Guccifer 2.0 Emails

On June 21, 2016, TheSmokingGun reported they communicated with Guccifer 2.0 via a French AOL account. We examined the French language settings observed in Guccifer 2.0’s Twitter metadata as well as a pattern of Twitter follows that suggested Guccifer 2.0’s account was created from a French IP address. We hypothesized at the time that Guccifer 2.0 might be using French infrastructure to interact with the media.

During the Email Import process ThreatConnect analyzes an email message header and highlights indicators of interest with a color code that reveals if the indicators already exist within the platform. This helps overburdened eyes or greenhorn analysts quickly understand what they are seeing. At the same time ThreatConnect excludes legitimate or benign details that are not of value to our investigation.

As we can see here within ThreatConnect, Guccifer 2.0’s AOL email message reveals the originating IP address as 95.130.15[.]34 (DigiCube SaS – France). This is the IP address of the host which authenticated into AOL’s web user interface and sent the email. We can also tell this IP was not spoofed because the metadata was added by AOL when sent from within their infrastructure with appropriate DomainKeys Identified Mail (DKIM) configurations.

The fact that Guccifer 2.0 is indeed leveraging a French AOL account stands out from a technical perspective. Very few hackers with Guccifer 2.0’s self-acclaimed skills would use a free webmail service that would give away a useful indicator like the originating IP address. Most seasoned security professionals will be familiar with email providers that are more likely to cooperate with law enforcement and how much metadata a provider might reveal about their users. Taken together with inconsistencies in Guccifer 2.0’s remarks that make his technical claims sound implausible, this detail makes us think the individual(s) operating the AOL account are not really hackers or even that technically savvy. Instead, they appear to be propagandist or public relations individuals who are interacting with journalists.

Drilling into Guccifer 2.0 Infrastructure: Picture of a VPN Starts to Emerge

As we focused in on IP Address 95.130.15[.]34 we queried public sources such as Shodan as well as Censys to discover what services might be enabled on this host. The goal of this was to better understand if this infrastructure is owned and operated, leased or co-opted by Guccifer 2.0 and how the infrastructure might be used to create space between an originating “source” network and investigators, or curious journalists.

According to Shodan, OpenSSH (TCP/22), DNS (UDP/53) and Point-to-Point Tunneling Protocol (PPTP) (TCP/1723) services have been enabled on this host. Secure shell (SSH) and point-to-point tunneling protocol services strongly suggest a VPN and/or a proxy, both of which would allow the Guccifer 2.0 persona to put distance between his originating network and those with whom he is communicating.

The SSH fingerprint can be used as an identifier, linking other IP addresses that use the same SSH encryption key. The SSH fingerprint for 95.130.15[.]34 (DigiCube SaS – France) is 80:19:eb:c8:80:a1:c6:ea:ea:37:ba:c0:26:c6:7f:61. Searching for other servers that share this fingerprint at the time of writing, we discovered six additional IP addresses over the course of our research (95.130.9[.]198; 95.130.15[.]36; 95.130.15[.]37; 95.130.15[.]38; 95.130.15[.]40; 95.130.15[.]41).

Each IP address falls within the 95.130.8.0/21 network range. This range is assigned to Digicube SAS, a French hosting provider which is assigned the Autonomous System AS196689. An IP address is analogous to the apartment numbers in an apartment building. The entire building is owned and operated by AS196689, but certain IP addresses may be let out to other companies and organizations.

The fact that Guccifer 2.0 would use a proxy service is not surprising, and our first stop was to check with various TOR proxy registration sites. None of these seven IP addresses are part of reported TOR infrastructure from what we were able to uncover. Read the full investigation as published by ThreatConnect.
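Two of the steps in the ThreatConnect analysis above, as an added worked example that is not ThreatConnect’s own code or tooling: pulling the originating client address out of a webmail message’s Received chain and checking that the DKIM signing domain is the sender’s own provider, then pivoting on a shared SSH host-key fingerprint and confirming the hits fall inside 95.130.8.0/21. The message headers, the stand-in provider example-webmail.com and the unrelated host 203.0.113.7 are constructed; the seven addresses and the fingerprint are the ones quoted in the write-up.

```python
"""Email-header triage and SSH-fingerprint pivoting (added example).
All headers below are constructed; example-webmail.com is a stand-in
provider, and 203.0.113.7 is an invented, unrelated host."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed message in the shape a webmail provider produces: the client
# that logged in to the web UI appears in the earliest (bottom-most) hop.
SAMPLE_MESSAGE = """\
Received: from out1.example-webmail.com (out1.example-webmail.com [192.0.2.10])
\tby mx.reporter.example.net with ESMTP; Tue, 21 Jun 2016 10:15:02 -0400
Received: from relay2.example-webmail.com ([10.20.30.40])
\tby out1.example-webmail.com with ESMTP; Tue, 21 Jun 2016 10:15:01 -0400
Received: from [95.130.15.34] by webui7.example-webmail.com with HTTP;
\tTue, 21 Jun 2016 10:15:00 -0400
DKIM-Signature: v=1; a=rsa-sha256; d=example-webmail.com; s=sel1;
\tc=relaxed/relaxed; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "persona" <persona@example-webmail.com>
To: reporter@reporter.example.net
Subject: re: docs

hello
"""

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def originating_ip(raw_message: str) -> Optional[str]:
    """Walk the Received chain from the first hop upward and return the first
    globally routable address, i.e. the client that authenticated to the
    provider. Private and documentation ranges are skipped."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = msg.get_all("Received") or []
    for hop in reversed(hops):  # last header in the list = earliest hop
        for candidate in IPV4_RE.findall(str(hop)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if addr.is_global:
                return str(addr)
    return None


def dkim_domain_matches_sender(raw_message: str) -> bool:
    """True when the DKIM signing domain (d=) is the sender's own provider,
    which is what makes the provider-added hop metadata trustworthy. This
    only inspects the tag; it does not verify the signature cryptographically
    (a library such as dkimpy would be used for that)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False
    tag = re.search(r"\bd=([^;\s]+)", str(sig))
    if tag is None:
        return False
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    return bool(sender_domain) and tag.group(1).lower() == sender_domain


# Constructed host -> SSH host-key fingerprint table. The seven 95.130.x.x
# addresses and the fingerprint are the ones quoted in the write-up; the
# 203.0.113.7 entry is an invented, unrelated host.
SHARED_FP = "80:19:eb:c8:80:a1:c6:ea:ea:37:ba:c0:26:c6:7f:61"
SSH_FINGERPRINTS: Dict[str, str] = {
    "95.130.15.34": SHARED_FP,
    "95.130.9.198": SHARED_FP,
    "95.130.15.36": SHARED_FP,
    "95.130.15.37": SHARED_FP,
    "95.130.15.38": SHARED_FP,
    "95.130.15.40": SHARED_FP,
    "95.130.15.41": SHARED_FP,
    "203.0.113.7": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00",
}


def pivot_on_fingerprint(seed_ip: str, table: Dict[str, str]) -> List[str]:
    """Other hosts presenting the same SSH host key as seed_ip: one key on
    several addresses usually means one operator or one VPN/proxy image,
    which is why the fingerprint works as an identifier."""
    fp = table[seed_ip]
    return sorted(ip for ip, f in table.items() if f == fp and ip != seed_ip)


def hosts_in_range(ips: List[str], cidr: str) -> List[str]:
    """Subset of ips that fall inside the given prefix (e.g. 95.130.8.0/21)."""
    net = ipaddress.ip_network(cidr)
    return [ip for ip in ips if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    src = originating_ip(SAMPLE_MESSAGE)
    print("originating IP:", src, "| DKIM d= matches sender:",
          dkim_domain_matches_sender(SAMPLE_MESSAGE))
    linked = pivot_on_fingerprint(src, SSH_FINGERPRINTS)
    print("hosts sharing the SSH key:", linked)
    print("inside 95.130.8.0/21:", hosts_in_range(linked, "95.130.8.0/21"))
```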

*****

Meanwhile: FAS: The headquarters complex of the Foreign Intelligence Service (SVR) of the Russian Federation has expanded dramatically over the past decade, a review of open source imagery reveals.

Since 2007, several large new buildings have been added to SVR headquarters, increasing its floor space by a factor of two or more. Nearby parking capacity appears to have quadrupled, more or less.

The compilation of open source imagery was prepared by Allen Thomson. See Expansion of Russian Foreign Intelligence Service HQ (SVR; Former KGB First Main Directorate) Between 2007 and 2016, as of July 11, 2016.

Whether the expansion of SVR headquarters corresponds to changes in the Service’s mission, organizational structure or budget could not immediately be learned.

Russian journalist and author Andrei Soldatov, who runs the Agentura.ru website on Russian security services, noted that the expansion “coincides with the appointment of the current SVR director, Mikhail Fradkov, in 2007.” He recalled that when President Putin introduced Fradkov to Service personnel, he said that the SVR should endeavor to help Russian corporations abroad, perhaps indicating a new mission emphasis.

Photos courtesy of FAS.

What You Need to Know About the Gerasimov Doctrine

The FBI said on Monday that it was investigating the nature and scope of a cyberintrusion at the Democratic National Committee disclosed last month.

“A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace,” the FBI said in a statement. More from BusinessInsider.

The FBI having any reach for prosecution in Russia is nil. Furthermore, the damage to America and American politics has already been done.

This site published an item as a primer of Russian aggression. Will the Obama administration address this condition with Russia? No. All deference has been given to NATO to deal with it, and further, the deadly conflicts in Syria and Iraq have come under the management of Iran and Russia, as decided by John Kerry and the White House National Security Council. How serious is this? Read on…

Gerasimov Doctrine and Russian Non-Linear War (In Moscow’s Shadows)

The above document describes the blurred lines between peace and war. This is an important condition and must be learned given the cyber hacks by Russia against the United States and, most recently, the emails of the DNC. Russia has forged its way into American politics during the presidential election cycle, and both nominees are ill prepared to address it immediately.

General Valery Gerasimov, the Chief of Staff of the Russian Federation’s military, developed The Gerasimov Doctrine in recent years. The doctrine posits that the rules of war have changed, that there is a “blurring of the lines between war and peace,” and that “nonmilitary means of achieving military and strategic goals has grown and, in many cases, exceeded the power of weapons in their effectiveness.” Gerasimov argues for asymmetrical actions that combine the use of special forces and information warfare that create “a permanently operating front through the entire territory of the enemy state.”

An overview of Russian activity in Latin America shows an adherence to Gerasimov’s doctrine of waging constant asymmetrical warfare against one’s enemies through a combination of means. These include military or hard power as well as shaping and controlling the narrative in public opinion, diplomatic outreach, military sales, intelligence operations, and strategic offerings of intelligence and military technology. All are essential components of the Russian presence and Gerasimov’s view that the lines between war and peace are blurred, and that non-military means of achieving power and influence can be as effective or more effective than military force. Read more here.

*****

NATO, Russia, and the Gerasimov Doctrine

On April 29, a Russian fighter jet in the Baltic Sea flew within 50 feet of a U.S. reconnaissance plane and conducted a highly dangerous barrel roll, drawing a sharp rebuke from the Pentagon. Within the past month, there have been at least two other provocations by Russian aircraft in the region, with many officials suggesting it is in response to the North Atlantic Treaty Organization’s (NATO) decision to hold large military exercises in Poland next month and significantly increase its troop presence within Allied countries bordering Russia.

Washington, perceived by Moscow as NATO’s puppeteer, has quadrupled its European defense budget for 2017, adding nearly $3.5 billion. The exhibitionism from both Russia and NATO has led experts to conclude that geopolitical tensions “are at the highest levels since the end of the Cold War.”

Perhaps. However, barring any egregious miscalculation by either side, a large-scale conventional war between NATO and Russia is unlikely. While it is necessary to maintain modern militaries, their presence in the 21st century is more symbolic than practical—at least when considering the prospect of warfare between nuclear-armed adversaries. Any war that does take place will be far from conventional, requiring a skillful blend of military and non-military tools. Within this domain, it is Russia, shrewd and flexible, that will have the advantage, leaving NATO and its transnational bureaucracy to react and adapt effectively.

In a February 2013 issue of the Military Industrial Courier, Russia’s Chief of the General Staff Valery Gerasimov discussed how the rules of war have changed and become more blurred. Whether called “hybrid war,” “ambiguous war,” “non-linear war,” or “special war,” this type of conflict is not new, but has been adopted and successfully updated by Russia to account for all the modern era’s technological complexities. As applied to Russia, it has been coined “The Gerasimov Doctrine,” and it is Russia’s new normal.

Russia has been aggressively exploiting its non-NATO “near abroad” as fertile testing ground for hybrid war. Through a calculated combination of disinformation campaigns, espionage, special operations forces, and the cultivation of a cadre of so-called “deniable agents,” Russia was able to successfully annex Crimea while Kiev was still recovering from its post-Euromaidan chaos.

These blatant violations of international law, while drawing substantial criticism and the economic sanctions that drove Russia into recession, have not been enough to deter continued belligerence. In fact, in many ways the sanctions have been counterproductive: Putin’s favorability increased significantly to nearly 90 percent following Crimea’s annexation; a similar spike in popularity was observed in 2008 following Russia’s military invasion of Georgia. Thus, Putin has been able to blame domestic woes on the West while simultaneously generating a patriotic rally-around-the-flag effect.

A March 2016 report from the prominent London-based think tank Chatham House asserts NATO is ill-prepared to handle these hybrid threats from Russia. The Very High Readiness Joint Task Forces, established at the 2014 NATO Summit in Wales, are “appropriate for addressing purely military threats, but hardly appear adequate when compared with the scale of Russian preparations for conflict.” Moreover, they only provide “a single dimension of reassurance to front-line states,” meaning “additional elements are required to protect against Russian tools of influence other than conventional military attack.”

It is strongly thought that the three Baltic states (Estonia, Latvia, and Lithuania) are most vulnerable to Russian meddling. All three were previously part of the Soviet Union and border Russia directly. More worryingly, these three states have a relatively large percentage of ethnic Russians living within their borders that could be susceptible to Russian influence, just as the inhabitants of Crimea were.

Indeed, Russia is already dabbling in subversion within the Baltic and Nordic regions. Following a row in 2007 between Russian and Estonian officials over the removal of a Soviet monument in Tallinn, a host of Estonian government websites were subjected to persistent cyber-attacks for three weeks—although Moscow denies involvement. Furthermore, Sweden’s state security services have warned of an increased amount of Russian covert activity aimed at undermining closer collaboration between NATO and Sweden. Finally, Russian warships have been formally accused by Lithuania, which receives nearly all of its gas from Russia, of disrupting the creation of power cables that would diversify its energy dependence.

NATO should swiftly acknowledge it needs to focus its attention vis-à-vis Russia from conventional to hybrid threat readiness. A good start would be to increase the number of NATO members meeting the defense expenditure requirements of 2 percent of gross national product. Only 5 of 28 Allied countries currently do so. This increased funding should then be allocated in ways that will address NATO’s greatest vulnerabilities, for instance, by precluding disinformation campaigns in the Baltics, increasing the number of experts on Russia, or solving the issue of weaning Allied states off of Russian gas.

Already dealing with a raft of regional security concerns—the migrant crisis, terrorist threats, and sweeping nationalism—NATO must recognize Russia is doing everything it can to exploit Western disunity. But forget the tanks and planes: this conflict will be fought in the shadows.

DNC Email Hacks: GRU, Russian Military Intelligence

In part from Motherboard: In the wee hours of June 14, the Washington Post revealed that “Russian government hackers” had penetrated the computer network of the Democratic National Committee. Foreign spies, the Post claimed, had gained access to the DNC’s entire database of opposition research on the presumptive Republican nominee, Donald Trump, just weeks before the Republican Convention. Hillary Clinton said the attack was “troubling.”

It began ominously. Nearly two months earlier, in April, the Democrats had noticed that something was wrong in their networks. Then, in early May, the DNC called in CrowdStrike, a security firm that specializes in countering advanced network threats. After deploying their tools on the DNC’s machines, and after about two hours of work, CrowdStrike found “two sophisticated adversaries” on the Committee’s network. The two groups were well-known in the security industry as “APT 28” and “APT 29.” APT stands for Advanced Persistent Threat—usually jargon for spies.

CrowdStrike linked both groups to “the Russian government’s powerful and highly capable intelligence services.” APT 29, suspected to be the FSB, had been on the DNC’s network since at least summer 2015. APT 28, identified as Russia’s military intelligence agency GRU, had breached the Democrats only in April 2016, and probably tipped off the investigation. CrowdStrike found no evidence of collaboration between the two intelligence agencies inside the DNC’s networks, “or even an awareness of one by the other,” the firm wrote.

Related reading: Remarkable work here including Julian Assange, Edward Snowden, Israel Shamir and Putin, FSB loyalties

This was big. Democratic political operatives suspected that not one but two teams of Putin’s spies were trying to help Trump and harm Clinton. The Trump campaign, after all, was getting friendly with Russia. The Democrats decided to go public.

The DNC knew that this wild claim would have to be backed up by solid evidence. A Post story wouldn’t provide enough detail, so CrowdStrike had prepared a technical report to go online later that morning. The security firm carefully outlined some of the allegedly “superb” tradecraft of both intrusions: the Russian software implants were stealthy, they could sense locally-installed virus scanners and other defenses, the tools were customizable through encrypted configuration files, they were persistent, and the intruders used an elaborate command-and-control infrastructure. So the security firm claimed to have outed two intelligence operations.

Then, the next day, the story exploded.

On June 15 a WordPress blog popped up out of nowhere. And, soon, a Twitter account, @GUCCIFER_2. The first post and tweet were clumsily titled: “DNC’s servers hacked by a lone hacker.” The message: that it was not hacked by Russian intelligence. The mysterious online persona claimed to have given “thousands of files and mails” to Wikileaks, while mocking the firm investigating the case: “I guess CrowdStrike customers should think twice about company’s competence,” the post said, adding “Fuck CrowdStrike!!!!!!!!!”

Along with the abuse, the Guccifer 2.0 account started publishing stolen DNC documents on the WordPress blog, on file sharing sites, and by giving “a few docs from many thousands” to at least two US publications, The Smoking Gun and Gawker. Mainstream media outlets quickly picked up the story and covered the Clinton campaign’s opposition research on Trump in hundreds of news items that revealed pre-rehearsed arguments against the presumptive Republican nominee: that “Trump has no core”; that he is a “bad businessman;” and that he should be branded “misogynist in chief.” Donor lists were leaked along with personal contact details and juicy dollar amounts.

The Guccifer 2.0 account also claimed that it had given an unknown number of documents containing “election programs, strategies, plans against Reps, financial reports, etc” to Wikileaks. Two days later, Wikileaks published a massive 88 gigabyte encrypted file as “insurance.” This file, which Julian Assange could unlock by simply tweeting a key, is widely suspected to contain the DNC cache. On 13 July, almost a month after the hack became public, the intruders leaked selected files exclusively to The Hill, a Washington outlet for Congressional and political news, and then made the original files available later.

Nine days later, on July 22, just after Trump was officially nominated and before the Democratic National Convention got under way, Wikileaks published more than 19,000 DNC emails with more than 8,000 attachments—“i sent them emails, i posted some files in my blog,” Guccifer confirmed by DM, when asked if he shared all files with Julian Assange. Two days later, on July 24, Debbie Wasserman Schultz, chair of Democratic National Committee, announced her resignation—the extraordinary hack and leak had helped force out the head of one of America’s political parties and threatened to disrupt Hillary Clinton’s nominating convention.

This tactic and its remarkable success are a game-changer. Exfiltrating documents from political organisations is a legitimate form of intelligence work; the US and European countries do it as well. But digitally exfiltrating and then publishing possibly manipulated documents, disguised as freewheeling hacktivism, crosses a big red line and sets a dangerous precedent: an authoritarian country directly yet covertly trying to sabotage an American election.

***

So how good is the evidence? And what does all this mean?

The forensic evidence linking the DNC breach to known Russian operations is very strong. On June 20, two competing cybersecurity companies, Mandiant (part of FireEye) and Fidelis, confirmed CrowdStrike’s initial finding that Russian intelligence was behind the DNC breach. The evidence that links network breaches to known groups rests on used and reused tools, methods and infrastructure, even unique encryption keys. For example: in late March the attackers registered a domain with a typo, misdepatrment[.]com, to look suspiciously like the company hired by the DNC to manage its network, MIS Department. They then pointed this deceptive domain at a long-known APT 28 X-Tunnel command-and-control IP address, 45.32.129[.]185.

One of the strongest pieces of evidence linking the GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address, 176.31.112[.]10, hard-coded in a piece of malware found both in the German parliament and on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency, the BfV, as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate. A single shared IP address can be coincidental, since hosting providers recycle addresses, which is why analysts weigh several independent overlaps (domains, certificates, malware builds) together rather than relying on any one of them alone.
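The two attribution checks described in the paragraphs above, typosquat detection against the victim’s vendor name and infrastructure overlap between two incidents, reduce to a small amount of code. The script below is an added example for this page, not code from CrowdStrike, Mandiant, Fidelis or the original article. The two IP addresses and the typo domain are the ones quoted in the text; the legitimate domain `misdepartment.com`, the certificate fingerprint and the incident dictionaries are constructed placeholders, and the “registrable label” helper deliberately ignores the public-suffix list.

```python
"""Infrastructure-overlap and typosquat checks (added example, constructed data)."""


def refang(ioc: str) -> str:
    """Turn a defanged indicator (45.32.129[.]185, hxxp://) back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one adjacent
    transposition. A single swapped pair (depatrment vs department) costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Crude helper (assumption): the label left of the last dot, no public-suffix list."""
    return domain.lower().rsplit(".", 1)[0]


def typosquat_matches(candidate: str, legit_domains, max_distance: int = 2):
    """Return (legit_domain, distance) pairs the candidate imitates within max_distance edits."""
    cand = registrable_label(refang(candidate))
    hits = []
    for legit in legit_domains:
        dist = osa_distance(cand, registrable_label(legit))
        if 0 < dist <= max_distance:
            hits.append((legit, dist))
    return sorted(hits, key=lambda h: h[1])


def shared_indicators(incident_a: dict, incident_b: dict) -> dict:
    """Intersect each indicator class (c2_ips, domains, cert_sha1) after refanging.
    Classes with no overlap are left out so the result shows only the pivots."""
    out = {}
    for kind in set(incident_a) | set(incident_b):
        a = {refang(x) for x in incident_a.get(kind, ())}
        b = {refang(x) for x in incident_b.get(kind, ())}
        common = a & b
        if common:
            out[kind] = sorted(common)
    return out


# Constructed indicator sets. The IPs and the typo domain are the ones quoted in
# the article; the certificate fingerprint is a made-up placeholder.
DNC_INCIDENT = {
    "c2_ips": ["45.32.129[.]185", "176.31.112[.]10"],
    "domains": ["misdepatrment[.]com"],
    "cert_sha1": ["deadbeef00000000000000000000000000000001"],
}
BUNDESTAG_INCIDENT = {
    "c2_ips": ["176.31.112[.]10"],
    "domains": [],
    "cert_sha1": ["deadbeef00000000000000000000000000000001"],
}

if __name__ == "__main__":
    # misdepartment.com is an assumed spelling of the vendor's legitimate domain.
    print(typosquat_matches("misdepatrment[.]com", ["misdepartment.com", "dnc.org"]))
    print(shared_indicators(DNC_INCIDENT, BUNDESTAG_INCIDENT))
```

The transposition-aware distance matters here: plain Levenshtein scores the swapped “tr” as two edits, so a threshold of one would miss exactly the kind of typo the attackers chose. The overlap function reports every indicator class that intersects, which is the shape of evidence the paragraph describes: an IP pivot is suggestive, an IP plus a certificate plus a domain is what makes the attribution strong.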

The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation, a GRU false flag in technical jargon, is still highly likely. Intelligence operatives and cybersecurity professionals have long known that such false flags were becoming more common. One noteworthy example was the sabotage of France’s TV5 Monde station on 9/10 April 2015, initially claimed by the mysterious “CyberCaliphate,” a group allegedly linked to ISIS. Then, in June, the French authorities came to suspect that the same APT 28 group was behind the TV5 Monde breach, which had been in preparation since January of that year. But the DNC deception is the most detailed and most significant case study so far. The technical details are as remarkable as its strategic context.

The metadata in the leaked documents is perhaps the most revealing: one dumped document was modified using Russian language settings by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet secret police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round. More comprehensive details here from Motherboard.