Russian Intelligence, the Breach of the Democratic National Committee, and the 2016 Presidential Election

Peter Grant
23 min read · Mar 30, 2023


This article covers how the SVR, Russia’s foreign intelligence services, first breached the Democratic National Committee, only to be followed by the far more aggressive GRU, Russian Military Intelligence. It is the third article in the series “Russian Military Intelligence, Disinformation, and the 2016 U.S. Presidential Election.” While it is not necessary to read previous entries, it is recommended.

The first article provides definitions for the concepts “Active Measures” and “Disinformation” and provides a history of past Russian interference efforts.

The second article provides a description of Russian hacking and cyber warfare efforts in the lead-up to the 2016 U.S. Presidential Election.

This article is an excerpt from my book, While We Slept: Vladimir Putin, Donald Trump, and the Corruption of American Democracy, available here.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Russian Foreign Intelligence and the Infiltration of the Democratic National Committee

HQ of the Foreign Intelligence Service of Russia in Yasenevo, Moscow

In the summer of 2015, hackers from Russia’s foreign intelligence service, the SVR, breached the Democratic National Committee’s network. This was not unusual. Political organizations and campaigns have long been the target of cyber espionage.

In 2008, the US government discovered a cyber-espionage campaign against the Obama and McCain campaigns conducted by hacking units connected to China.

Like the Chinese before them, the SVR hackers appeared to be engaging in the traditional espionage activity of clandestine information gathering.

It would only be later that the GRU would weaponize the stolen information by publicizing it to the wider world. Later analysis by cybersecurity experts would find no evidence that the SVR and GRU hackers were working in tandem or were even aware of the other’s presence.

The SVR is known for its human intelligence espionage operations. In 2010, the FBI arrested ten deep-cover SVR agents operating in the United States. These “illegals,” a term referring to the Soviet and later Russian practice of running long-term espionage operations using deep-cover sleeper agents operating outside of official diplomatic cover, used forged documents to present themselves as everyday Americans.

The purpose of the operation was multifaceted, including gathering information on nuclear weapons, Congressional politics, CIA leadership and American foreign policy vis-a-vis Iran.

In 2009, SVR “illegal” agent Lydia Guryev came close to gaining access to the inner circle of the new American Secretary of State, Hillary Clinton. Operating under the false name Cynthia Murphy, Guryev lived with her husband Vladimir Guryev (AKA Richard Murphy) in Montclair, NJ.

Russian SVR “illegal” agents Vladimir and Lydia Guryev.

Under the cover of Cynthia Murphy, Guryev had been a long-term employee of the financial advising firm Morea Financial Services.

In February 2009, she sent a clandestine message to her SVR handlers in Moscow informing them that she had gained access to Alan Patricof, a wealthy New York financier and close confidant and fundraiser for Bill and Hillary Clinton.

Moscow Center replied that Patricof was “a very interesting target,” and that Guryev should “try to build up little by little relations with him moving beyond just [work].”

Higher-ups at the SVR hoped Patricof could provide “remarks re US foreign policy,” as well as “rumors” about the oddly phrased White House internal “kitchen.”

What Guryev and the SVR didn’t know was that the FBI had been monitoring the illegals since the early 2000s. The Guryevs’ home was bugged and periodically searched by FBI agents when they were out.

By June 2010, the FBI grew concerned about Guryev’s attempts to infiltrate then Secretary of State Hillary Clinton’s inner circle, as well as flight risk issues pertaining to other members of the illegals.

On June 27th, confident that they knew the full extent of the ring, the FBI arrested ten Russian illegals in a case that was complacently treated in the American media as an almost comical throwback to the Cold War.

While this episode shows that the SVR was heavily involved in its traditional human intelligence activities within the United States, hackers with links to the agency were also involved in extensive cyber espionage activities. The analysis of malware believed by cybersecurity experts to be used by Russian hackers in the SVR indicates that they have been active since 2008 and began targeting governments in 2010.

In one of their earliest known operations, SVR hackers in 2010 targeted a Washington, DC-based private research institute with spear phishing emails containing links to a comedic video entitled “Office Monkeys.” If clicked, the user’s computer would be compromised by SVR malware.

In the Summer of 2014, the General Intelligence and Security Services of the Netherlands (AIVD) scored an intelligence coup after penetrating the computer servers of a hacking group operating out of a university building adjacent to Red Square in Moscow.

Dutch Intelligence

Remarkably, the Dutch were able to gain access to security camera footage, so they were not only able to see what the Russians were doing, but exactly who was doing it. With this information, they later determined that the hacking group, referred to by cyber security professionals by several names including “Cozy Bear,” was in fact led by the SVR.

The Dutch watched as the SVR launched a series of ever more aggressive cyber assaults against the United States.

In November of 2014, SVR hackers targeted the US State Department and gained access to its unclassified network. After quietly being tipped off by the Dutch, FBI and NSA cyber defenders were able to kick the Russians out.

Undeterred, the SVR hackers next attempted to gain access to President Barack Obama’s emails. While they were unable to crack into the carefully guarded servers that controlled Obama’s personal Blackberry, they did manage to exfiltrate data from officials who were in contact with Obama and thus see some of the messages the President sent and received.

In 2015, SVR hackers launched a cyber assault against the Pentagon’s email system and succeeded in temporarily shutting it down.

A Comedy of Errors: Miscommunication Between the FBI and the Democratic National Committee

Sometime in the Summer of 2015, Dutch intelligence warned their American counterparts that the SVR had gained access to the internal servers of the Democratic National Committee. The information prompted a remarkably inept attempt by the FBI to warn DNC officials about the compromise.

On August 6th, 2015, FBI Special Agent Adrian Hawkins called the DNC front desk and was transferred to an IT contractor named Yared Tamene. Agent Hawkins explained to Tamene, who wasn’t a cybersecurity expert, that there were signs that the DNC had been compromised and provided several IP addresses that he said would help them locate the intrusion.

Incredibly, Tamene was unsure during the conversation whether the voice on the other end of the line was really an FBI agent, or whether he was a victim of a prank.

Agent Hawkins cryptically suggested that Tamene look into malware created by “the Dukes,” yet another name used by cyber security professionals to refer to the SVR hackers.

After the call, a confused Tamene conducted a brief and inadequate search of the DNC’s log files but was unable to detect any malign activity. He informed Andrew Brown, the DNC’s chief technology officer, of the odd incident and pursued the matter no further.

Two months passed before the FBI followed up with the DNC, during which time the SVR was burrowed deeper into the DNC’s internal servers.

Sometime in October, Agent Hawkins called and left Tamene two voicemails, which Tamene never returned. When Hawkins finally re-established contact with Tamene in November, months after their initial conversation, he provided him with a DNC IP address that the FBI claimed had been hijacked and was being used by the Russians.

The FBI’s internal deliberations took so long, however, that by the time Agent Hawkins told Tamene to look into the IP address, the Russians had already switched to using another one.

In December, Agent Hawkins personally traveled the few short blocks between the FBI’s and the DNC’s respective headquarters, but Tamene wasn’t there, so he left a message with a lobby security guard for Tamene to call the FBI.

It wasn’t until February of 2016, a full seven months after their initial contact, that Agent Hawkins met with Tamene and two of his DNC colleagues in person at a restaurant called Joe’s Cafe in Sterling, VA.

It was only then that Tamene realized that Agent Hawkins was indeed a Special Agent with the FBI. Internal DNC documents reveal that Tamene had been unsure whether the calls from Agent Hawkins were legitimate or pranks.

While the failure of the FBI and DNC to communicate effectively provided the SVR with months of unfettered access to the DNC’s internal servers, this set of hackers appeared to be engaging in traditional espionage. The DNC and FBI were even less prepared for the GRU hackers, who would not only steal information for intelligence purposes but planned to use it in an attempt to sway the American election. However, before we explore this operation, we must turn to important US domestic political developments.

A Tale of Two Campaigns: The Clinton Email Scandal and Trump’s Praise of Putin

Hillary Clinton during the 2016 presidential campaign.

Hillary Clinton announced her candidacy on April 12th, 2015. Her bid for the nation’s highest office was widely expected by friend and foe alike. As far back as early 2014, Congressional Republicans were preparing an all-out assault on the former First Lady.

In a meeting with Roger Ailes, then Republican Speaker of the House John Boehner told the head of Fox News that he was shortly going to launch a Congressional Select Committee to investigate the Secretary of State’s actions during an attack against an American diplomatic compound in Benghazi, Libya, that left four people, including a US Ambassador, dead.

Boehner hoped to use the investigation to convince Ailes to stop featuring the most extreme elements of the Republican congressional caucus on prime time television. Radical Republican House members, particularly in the Freedom Caucus, were receiving regular air time on Fox News, making Boehner’s job as Speaker impossible.

The ploy backfired when the mention of Benghazi prompted Ailes to regale Boehner with conspiracy theories of his own, including the falsehood that President Obama was in fact a Muslim and had been born outside of the United States.

Ailes further believed that the White House was monitoring him and, he told a startled Boehner, he had hired combat ready security guards and had built “safe rooms” in his home.

Republican political operative and Fox News founder Roger Ailes (left) with President Richard Nixon in 1969

The House Select Committee looking into the Benghazi attacks was established in May 2014 and was led by Republican Congressman Trey Gowdy. It was the sixth House committee to look into the attacks.

The Senate Select Committee on Intelligence had identified several mistakes and failures with the American response, but pointed out “that there were no efforts by the White House or any other Executive Branch entities to ‘cover-up’ facts or make alterations for political purposes.”

Echoing this, the House Intelligence Committee also found that the Obama administration was not guilty of deliberate wrongdoing.

Unswayed by these findings, Gowdy’s Committee requested Clinton’s emails during her tenure as Secretary of State from the State Department. State Department lawyers discovered that Hillary hadn’t been using government servers, but rather sent and checked emails from a personal BlackBerry device that was linked to a private email server located in Clinton’s home in Chappaqua, NY.

The State Department reached out to Clinton and other living former Secretaries to request the return of all relevant correspondence. Hillary Clinton’s chief of staff Cheryl Mills and two lawyers ultimately looked through over sixty thousand emails. Of those, roughly thirty thousand were delivered to the State Department in 12 boxes.

Mills and Clinton’s lawyers determined that the other 32,000 emails were unrelated to her work as Secretary of State.

In December of 2014, Mills instructed a technician working with Platte River Networks, the IT support company used by Clinton, to change the email retention policy on Clinton’s server to delete emails after 60 days. The technician, however, mistakenly failed to make the change.

Clinton’s use of a private email server became public knowledge on March 2nd, 2015, when Michael S. Schmidt of The New York Times broke the story.

Two days later, on March 4th, Gowdy’s Special Committee on Benghazi issued a subpoena for Benghazi related emails.

A week after that, Cheryl Mills informed the Platte River Networks technician about the request to retain the emails. The technician would later tell the FBI that sometime between March 25th and 30th, he experienced an “oh shit moment” upon remembering that he had failed to carry out Mills’ earlier request to set the personal emails to be deleted after sixty days.

Following his realization, the technician used a free utility called BleachBit to delete the emails. This act, which would be misrepresented as “bleaching” or “acid washing” the server, served as the predicate for countless unsubstantiated accusations and conspiracy theories.

The Clinton email scandal, which plagued her campaign throughout the 2016 election, dovetailed in curious ways with the Russian interference campaign. Congressional Republicans were candid about the goal of their investigations, which was to hobble Clinton politically.

“Everybody thought Hillary Clinton was unbeatable, right?” Republican Congressman Mark Meadows told Fox News host Sean Hannity. “But we put together a Benghazi Special Committee, a select committee. What are her numbers today? Her numbers are dropping.”

Another email related issue that arose was the question of whether Clinton had sent classified material over her personal email server, which would have violated federal law.

On July 6th, 2015, the Intelligence Community inspector general Charles McCullough III referred the matter to the FBI. Four days later, the FBI opened an investigation into the Clinton email matter codenamed “Midyear Exam.”

The FBI’s Clinton email investigation and the behavior of FBI Director James Comey also amplified the impact of the impending Russian operations.

Hillary Clinton entered the 2016 Presidential race not simply as the presumptive Democratic primary frontrunner, though the Democratic Socialist Senator from Vermont Bernie Sanders would seriously test that proposition, but also as the odds-on favorite to succeed Barack Obama in the Oval Office.

When Donald Trump descended the escalator in Trump Tower to announce his candidacy, it was seen in a very different light. While Trump was lavished with the kind of frenzied media attention he had courted since the mid-1970s, most serious observers scoffed at the real estate developer’s chances and even questioned whether the entire exercise was anything more than a publicity stunt.

Donald Trump speaking before the Conservative Political Action Coalition (CPAC) in 2014

The American political class failed to appreciate the potential power of a Trump candidacy. When he launched his campaign on June 16th, 2015, most political observers perceived Trump’s crude racial appeals and controversial antics as disqualifying scandals. In fact, they were effective appeals to the Republican base.

Trump’s weaponization of racial resentment was not new to Republican politics. Political strategists in the Nixon White House articulated what became known as the Southern Strategy, which used African American support for Democrats to stoke the resentments of White voters and drive them toward the Republicans.

John McCain’s selection of Alaska Governor Sarah Palin as his running mate in 2008, who became a darling of the Republican base, further primed Republican voters for outsider candidates and stoked resentments against the so-called “elite.”

The emergence of the Tea Party during Obama’s first term further paved the way in the Republican electorate for an exotic, outsider candidate.

Perhaps most importantly, the American media provided Trump with billions of dollars worth of free media attention.

In these regards, the Trump candidacy was in many ways the logical conclusion of powerful forces that have shaped the Republican Party for decades. One critical exception, however, set him apart from all who came before. Donald Trump’s repeated, effusive and public praising of Vladimir Putin is unique in the history of American presidential politics.

Donald Trump and Vladimir Putin at their infamous meeting in Helsinki.

In particular, his repeated positive references to the Russian strongman seemed bizarre for the would-be standard bearer of a party that had been defined since the 1980s by the legendary Cold Warrior Ronald Reagan.

Trump repeatedly and publicly praised Putin in the lead-up to the 2013 Miss Universe Pageant held in Moscow. This continued long after the event was held and into the presidential campaign. Trump paired his praise for Putin with attacks on Obama.

Read my description of Donald Trump’s relationship with the organized crime-linked Azerbaijani oligarch Aras Agalarov and his involvement in the 2013 Miss Universe Pageant in Moscow here.

On March 21st, 2014, in the aftermath of the Maidan Revolution in Ukraine and shortly after the Russian invasion of Crimea, Trump tweeted, “I believe Putin will continue to re-build the Russian Empire. He has zero respect for Obama or the U.S.!”

A few weeks later, Trump praised Putin’s illegal annexation of Crimea.

“Well, he’s done an amazing job of taking the mantle,” Trump said of Putin during an interview with Fox Business News. “And he’s taken it away from the President, and you look at what he’s doing. And so smart. When you see the riots in a country because they’re hurting the Russians, OK, ‘We’ll go and take it over.’ And he really goes step by step by step, and you have to give him a lot of credit.”

“I was over in Moscow two years ago and I will tell you — you can get along with those people and get along with them well,” Trump told Fox News host Bill O’Reilly on June 16th, 2015, the day he announced his bid for the presidency. “You can make deals with those people. Obama can’t.”

Trump’s public outreach to Putin continued into the Presidential election. In early July, he told CNN’s Anderson Cooper that if he were President, Putin would return the fugitive NSA whistleblower Edward Snowden to the US. “I think I get along with him fine,” Trump said of Putin. “I think he would be absolutely fine. He would never keep somebody like Snowden in Russia. He hates Obama. He doesn’t respect Obama. Obama doesn’t like him either. But he has no respect for Obama. Has a hatred for Obama. And Snowden is living the life. Look if that — if I’m president, Putin says, hey, boom, you’re gone. I guarantee you this.”

While Trump lavished praise on Putin throughout the early stages of his campaign, unbeknownst to the American public Michael Cohen and Felix Sater were negotiating a deal to build a Trump Tower Moscow.

Felix Sater and Donald Trump

Read my description of Felix Sater’s connections to Eurasian organized crime, his involvement with U.S. Intelligence, and his business relationship with the Trump family here.

On October 28th, 2015, Trump signed a letter of intent for the project. Thus, his pro-Putin commentary in this period must be seen in the light of a potentially highly lucrative business deal.

Trump’s praise of Putin was not a one-way street. On December 17th, 2015, Putin told ABC News that Trump was, “a very colorful person. Talent, without any doubt.” Putin continued, “[H]e is absolutely the leader in the Presidential race. He wants to move to a different level of relations, to more solid, deeper relations with Russia and how can Russia not welcome that — we welcome that.”

“[I]t is always a great honor to be so nicely complimented by a man so highly respected within his own country and beyond,” Trump replied to ABC News.

Two days later, while on the program Morning Joe, Trump defended Putin against accusations that he was behind the deaths of opposition reporters. “He’s running his country and at least he’s a leader, unlike what we have in this country,” Trump told Joe Scarborough. Trump insisted on equating the United States with Russia, “I think our country does plenty of killing also, Joe, so you know. There’s a lot of stupidity going on in the world right now, a lot of killing going on, a lot of stupidity.”

“[I]n all fairness to Putin, you’re saying he killed people. I haven’t seen that,” Trump said two days later on ABC’s This Week, doubling down on his defense of Putin. “I don’t know that he has. Have you been able to prove that? Do you know the names of the reporters that he’s killed? Because I’ve been — you know, you’ve been hearing this, but I haven’t seen the name. Now, I think it would be despicable if that took place, but I haven’t seen any evidence that he killed anybody in terms of reporters.”

Read my description of the Putin Regime’s alleged acts of political terrorism and assassination here.

On February 2nd, 2016, a day after the Republican Primary season began, the Russian neo-fascist Aleksandr Dugin wrote a screed online praising Trump. In it, he describes Trump as, “tough, rough, says what he thinks, rude, emotional and, apparently, candid.”

Russian neo-fascist Aleksandr Dugin

While Dugin didn’t think that Trump had a chance to win the election, “as the globalist elites and financial oligarchy control practically everything in the USA,” he did mention that Russia wanted “to put trust in Donald Trump.” The article ended with Dugin admonishing Americans to, “Vote for Trump, and see what will happen.”

As Trump entered the beginning of primary season as the undisputed leader of the Republican field, however, the Russian security services, in particular the GRU, were poised to do a lot more than simply encourage American voters to support their favorite candidate.

From Espionage to Active Measures: Russian Military Intelligence Enters the Fray

The emblem for Russian Military Intelligence (AKA the GRU).

On March 10th, 2016, the GRU commenced its cyber assault on the Democratic Party, the Clinton campaign, and American democracy. Under the command of Viktor Netyksho, Unit 26165 was primarily responsible for infiltrating the DNC, the Democratic Congressional Campaign Committee (DCCC) and the personal email accounts of high-level Clinton campaign staffers. They later received valuable assistance from Unit 74455.

Both units were divided into specialized departments, with some focused on developing various kinds of malware while others conducted spear phishing campaigns that gained access to their targets’ accounts and networks.

The department responsible for spear phishing and other computer intrusion activities was led by Boris Alekseyevich Antonov, who held the title “Head of Department.”

Boris Alekseyevich Antonov

His “Assistant Head of Department” was Dmitriy Badin, who in May of 2015 led the successful cyber intrusion into the German Bundestag.

Dmitriy Badin

Two other GRU officers operating within Antonov’s department who would play a major role in the hack were 25-year-old Senior Lieutenant Aleksey Viktorovich Lukashev and 29-year-old Ivan Sergeyevich Yermakov.

Aleksey Viktorovich Lukashev

Lukashev’s specialty was creating emails that resembled official Google security warnings but in fact functioned to fool recipients into giving away their passwords and security information.

Starting on March 10th, up to fifty of these kinds of emails were sent each day to employees and volunteers affiliated with both Clinton’s current and earlier campaign efforts. One of the first people targeted was a low level organizer from Clinton’s 2008 campaign in Texas. While obsolete email addresses and Clinton campaign cybersecurity procedures initially frustrated the GRU hackers, they persisted.

By March 19th, Lukashev’s spear phishing tactics changed, and instead of targeting official campaign email addresses he focused on breaking into the personal Google email accounts of senior Clinton staffers. Individuals targeted included campaign manager Robby Mook, senior advisor Jake Sullivan, political consultant Philippe Reines and campaign chairman John Podesta.

Clinton campaign chairman John Podesta

At 11:28 a.m. Moscow time on the 19th, Lukashev and his team generated a malicious link and embedded it in an email made to look like a Google security alert, which was sent to Podesta six minutes later. Upon receipt, Podesta’s staff forwarded the mysterious email to the campaign IT help desk. Clinton’s IT security responded within minutes, recognizing the threat and suggesting that Podesta change passwords and activate additional security protocols.

In a critical failure of communication, Podesta’s staff misinterpreted the advice and proceeded to click the link in the email, springing Lukashev’s trap. After being directed to a GRU website designed to look like an official Google page, the staffers entered the new password and Russian military intelligence gained access to Podesta’s private correspondence.

Two days later, Lukashev exfiltrated five gigabytes of data, over 50,000 emails, from Podesta’s inbox.

In the days that followed, the 22nd, 23rd and 25th, numerous other Clinton Campaign staffers were targeted, including communications director Jennifer Palmieri and Clinton’s close aide and confidant Huma Abedin.

By April 6th, Lukashev had created an email address posing as a well-known member of the Clinton campaign by changing the spelling of their name by a single letter, and sent spear phishing emails from the account to over 30 members of the Clinton campaign.

They successfully managed to get an employee of the DCCC to open a document labelled “hillary-clinton-favorable-rating.xlsx” that actually directed them to a GRU-created website. At that point, Lukashev’s colleague Ivan Yermakov began scanning the DCCC’s network connections to identify ways to break in.

Ivan Sergeyevich Yermakov

Six days later, on April 12th, the GRU gained access to the DCCC computer network and installed customized malware known as X-Agent on at least ten DCCC computers. This X-Agent malware had been developed, customized and was monitored by 26-year-old Lieutenant Captain Nikolay Yuryevich Kozachek, who worked in Unit 26165’s department responsible for developing malware under the command of Lieutenant Colonel Sergey Aleksandrovich Morgachev.

Nikolay Yuryevich Kozachek

X-Agent allowed the GRU hackers to monitor and record all the activities of the infected computers as well as steal passwords. On April 15th, GRU hackers logged onto a DCCC computer and searched for the keywords “hillary,” “cruz” and “trump” in an attempt to locate the Democrats’ opposition research into Trump.

While up to this point the GRU appeared to be pursuing digital espionage similar to what their counterparts at the SVR were doing, the first evidence that something very different was afoot emerged on April 12th, the day they gained access to the DCCC network. That day, the GRU paid $37 worth of Bitcoin to a Romanian web hosting company to register the domain name ElectionLeaks.com.

While the site never became operational, it is the first evidence that instead of a traditional espionage operation the GRU was planning to weaponize the information it had stolen in order to exert an influence on the outcome of the 2016 election.

On April 18th, Lukashev stole the credentials of a DCCC employee with access to the DNC’s network. Once inside, the GRU installed X-Agent malware on thirty-three DNC computers. The hackers proceeded to exfiltrate large quantities of data from both the DCCC and the DNC using another piece of malware called X-Tunnel that moved documents through encrypted channels.

Among the documents stolen by the GRU from the DNC network on April 22nd was the Democrats’ opposition research into Trump.

Three days later they stole over 70 gigabytes of data from a single DCCC file server. The GRU hackers even managed to compromise the DNC’s telephone system, which enabled them to listen in on phone calls and voicemails during a heated primary battle between Hillary Clinton and her progressive challenger Bernie Sanders.

The GRU continued stealing data from Democratic networks until at least May 25th.

On April 19th, a day after the breach of the DNC, Unit 26165 paid in Bitcoin to register DCLeaks.com using the same Romanian web hosting company they had used for ElectionLeaks.com.

Over the course of May, the GRU worked to ready DCLeaks.com for public consumption. The first tranche of stolen files uploaded to the site prior to it going live were emails stolen a year earlier from the former supreme commander of NATO forces Philip Breedlove.

The site went public on June 8th and eventually published thousands of documents stolen from the personal email accounts of individuals affiliated with the Clinton Campaign.

Screenshot of the GRU-created website DCLeaks.com

At some point during this timeframe, the GRU’s Unit 26165 passed along the contents of John Podesta’s email inbox to hackers in Unit 74455, known to cybersecurity experts as “Sandworm,” which was commanded by Colonel Aleksandr Vladimirovich Osadchuk.

Aleksandr Vladimirovich Osadchuk

Officers from Unit 74455 attempted to make the site appear to be the product of “American Hacktivists.”

After establishing a DCLeaks Facebook page and Twitter handle, @dcleaks_, Unit 74455 utilized an array of fake social media avatars, much in the same manner they had attempted to do in earlier Ukrainian operations, to promote the website.

An example of a fake, GRU-created social media account promoting DCLeaks.

Despite these efforts, the GRU initially failed to attract much attention to the site.

Warning signs began to appear in March that the Democratic Party and the Clinton campaign were the targets of a sophisticated foreign cyber assault. FBI Special Agent Lafayette Garrett emailed the DNC’s IT team twice over the course of the month informing them that DNC staffers had been the targets of spear phishing emails.

By late March, FBI agents met with Clinton Campaign lawyer Marc Elias and senior staffers at her campaign headquarters in Brooklyn to warn them that foreign hackers were targeting them with spear phishing emails.

In April, FBI Special Agent Adrian Hawkins contacted Yared Tamene, the DNC IT contractor he had played phone tag with in 2015 regarding the breach of the DNC by the SVR, and requested computer logs that would assist the FBI in identifying the IP addresses being used to penetrate the DNC’s network.

Hawkins was put in contact with Michael Sussmann, a cybersecurity expert and lawyer with the firm Perkins Coie who represented the DNC. Sussmann recommended to DNC higher-ups that they cooperate with the FBI. By this point, however, the GRU was so deeply embedded and had exfiltrated so much data that the damage was done.

On April 20th, DNC Consultant Alexandra Chalupa received a warning from Yahoo that her account was the target of state-sponsored hackers. She took a screenshot of the warning and shared it with her colleagues.

Eight days later, DNC IT staff discovered that their network had been compromised by unauthorized users.

At around 4 p.m. on April 28th, DNC Executive Director Amy Dacey was informed that the DNC’s network had been compromised. Dacey contacted Michael Sussmann, who proceeded to enlist the services of CrowdStrike, an elite cyber security firm based out of Silicon Valley. As they didn’t want to alert the hackers that they were on to them, the compromise of the DNC’s network was kept secret.

On Friday, May 6th, CrowdStrike installed advanced threat detection software onto the DNC network and within two hours discovered the existence of two “sophisticated adversaries” lurking within.

CrowdStrike later reported that they found no evidence that either foreign actor was aware of the presence of the other as there didn’t appear to be any evidence of coordination between the two.

What followed was a game of cat-and-mouse between CrowdStrike, which was attempting to remove the intruders, and the GRU which was attempting to both cover its tracks and maintain a hidden presence on the DNC’s network.

In order to be confident that they had removed the hackers from the DNC’s network, CrowdStrike proposed a solution that required the DNC to shut its entire system down and suggested May 20th as the date to carry this out.

The DNC, however, didn’t want to disrupt its system before a candidate secured the nomination. At the time, though Clinton was leading, her progressive opponent Bernie Sanders was a viable challenger.

Furthermore, the Democrats were operating under the assumption that the state-sponsored hackers they faced were engaged in traditional espionage activities, not suspecting that the Russians intended to weaponize the stolen data. As a result, they delayed the system shutdown for weeks, waiting until June.

Meanwhile, as the cyber intrusion was being kept secret from most DNC staffers, they continued to behave as if their internal communications and activities were secure.

The GRU hackers, for their part, reacted to events as they unfolded.

On May 31st, Yermakov conducted an open source investigation into CrowdStrike and attempted to determine how much the cyber security firm knew about the GRU malware programs X-Agent and X-Tunnel.

The next day, the GRU used the computer program CCleaner in an attempt to delete any evidence of their presence on the DCCC’s server. To an extent, they succeeded. A Linux version of the X-Agent malware remained on the DNC’s network until October.

Finally, on June 10th, after weeks of delay, the DNC shut down its server. During a meeting with 100 staffers, DNC Chief Operating Officer Lindsey Reynolds instructed everyone to hand over their laptops and mobile devices and maintain absolute secrecy.

Two days later, after a marathon work session by CrowdStrike, the DNC’s system was up and running again.

The next installment in the series will cover the role Wikileaks played in the 2016 U.S. presidential election.
