There's overwhelming evidence that Russia hacked Democrats — but the government hasn't shared it

Trump and the Republicans have done their best to spread confusion and cloud the issue — and it's working

Published September 13, 2017 12:45PM (EDT)


Ever since last June, the American political scene has been rocked with numerous reports in established media outlets about alleged computer hacking during last year's presidential campaign, apparently conducted by cyber-criminals allied with the Russian government. The many stories have come with varying degrees of credibility. Some people, predominantly supporters of President Donald Trump and a few leftist critics of Hillary Clinton, have refused to believe them. Others have not only believed them, they’ve begun to concoct their own elaborate conspiracy theories about how Russia’s leader Vladimir Putin is lurking behind every tree.

While some people are going to believe what they want regardless of the facts, ultimately, it is the U.S. government under both Trump and his predecessor Barack Obama that is to blame for the public’s lack of clarity on this issue.

Partisan loyalty to Trump and the proliferation of fake-news purveyors have certainly increased skepticism about U.S. intelligence officials and mainstream media sources trying to uncover the truth. But in fact, the government’s refusal to declassify relevant attribution data, or even to reference credible private-sector research making the case for Russian connections to the hacking, has greatly harmed public trust.

Under Obama, the federal government published a pair of official analyses that administration officials seemed to believe would be persuasive. While the reports stated firm conclusions and descriptions of some of the hackers’ methods, neither contained any actual evidence specifically proving that Russian-affiliated hackers had stolen data from computers controlled by the Democratic National Committee and by the campaign of the party’s then-nominee, Hillary Clinton.

The first white paper, released by the FBI and the Department of Homeland Security to government computer technicians in October 2016 and then to the public in December, was essentially a collection of tips for server administrators. It included a brief discussion of some of the techniques favored by the two teams accused of hacking the Democrats, but the summary was nowhere near as detailed as the flood of documentation that Microsoft, to cite just one private-sector entity, has made public in litigation designed to thwart some of the attacks.

Beyond being criticized for its sparse detail, the government report was also criticized for confusing the names of several hacking groups with the names of various computer viruses and programming techniques. Veteran security researcher and developer Jonathan Zdziarski (who now works for Apple) spoke for many within his community when he tweeted that “any antivirus company doing any amount of threat intelligence would be able to come up with more solid indicators than FBI released.”

The second document, released by the Director of National Intelligence in January of this year, was a stripped-down version of a classified report that was said to contain sourcing data not disclosed to the public, a statement repeated numerous times within the white paper’s 25 pages. While it was somewhat more detailed than the first analysis, much of the second one was actually reprinted from a 2012 government report that discussed Russian state-owned media outlets’ efforts to criticize American intelligence agencies and oppose American intervention in Syria, as well as to condemn the oil and gas extraction technique known as fracking.

Notably, neither government document cited any of the publicly available analysis produced by well-regarded security experts, which revealed in detail some of the methods that hackers used to target Democratic officials. This was a major failure on the government’s part, because these private-sector reports have demonstrated that the same link-sharing account used to compromise the Clinton campaign was also used to target people of interest to the Russian government.

One of those affected people was Clinton campaign chairman John Podesta, who received a forged email on March 19, 2016, pretending to be an alert from Google instructing him to reset his password. Egged on by a Clinton technical staffer named Charles Delavan who erroneously confirmed the email’s legitimacy (and later claimed he intended to do the opposite), a Podesta aide clicked the malicious link and handed over her boss’ credentials. The same “phishing” technique was also used to compromise the DNC itself, according to two sources within the party not authorized to speak publicly about the matter.
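The forged "reset your password" alert described above is the classic credential-phishing pattern: the message claims to come from one organization while its link leads somewhere else. The following is an added example, not code from the article or from any of the firms it cites, showing the check a mail-security reviewer would run on such a message: parse the e-mail, take the domain the sender claims, and flag any link whose host sits outside that domain, whose visible URL differs from its real target, or which is served over plain http. Both sample messages are constructed for the demo; the real Podesta e-mail is not reproduced here, and the `registrable_domain` helper is a deliberately naive "last two labels" approximation.

```python
"""Added example (not from the article): flag alert-style e-mails whose links do not
belong to the domain the message claims to come from. Sample messages are constructed."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' approximation (assumption); use the public suffix list in production."""
    return ".".join(host.lower().split(".")[-2:])


def host_belongs_to(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw):
    """Return [(href, [reasons...])] for every link that does not fit the claimed sender."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    claimed = registrable_domain(msg["from"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if not host_belongs_to(host, claimed):
            reasons.append("link host %r is outside the sender's domain %r" % (host, claimed))
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if shown.lower() != host:
                reasons.append("visible URL shows %r but href goes to %r" % (shown, host))
        if parsed.scheme == "http":
            reasons.append("account link served over plain http")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: sender claims google.com, link goes elsewhere and lies in its visible text.
FORGED = b"""From: "Google" <no-reply@accounts.google.com>
To: staffer@example.org
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body><p>Someone just used your password to try to sign in to your account.</p>
<p><a href="http://accounts-reset.example.net/login">https://myaccount.google.com/security</a></p>
</body></html>
"""

# Constructed control: link host matches the claimed sender and the visible URL.
GENUINE_LOOKING = b"""From: "Google" <no-reply@accounts.google.com>
To: staffer@example.org
Subject: Security alert
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine-looking", GENUINE_LOOKING)):
        print(name, suspicious_links(raw))
```

The check deliberately trusts nothing in the body: a display name of "Google" and a visible URL on google.com count for nothing until the actual `href` host is compared against the sender's domain. A real deployment would replace `registrable_domain` with a public-suffix lookup and would also verify the sender itself (SPF/DKIM), since a forged From header defeats the domain comparison.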

Neither intelligence agency report mentioned that one of the groups that targeted Democrats had been documented as writing its “malware” during working hours in the Moscow time zone. They also neglected to discuss the histories of either of the “advanced persistent threat” hacking groups they identified as APT28 and APT29, both of which have long records of creating highly sophisticated malicious software used for espionage against prime targets of Russian intelligence operations rather than for identity theft or monetary gain, the usual goals of private-sector hackers.
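The "working hours in the Moscow time zone" finding rests on a simple technique: Windows executables carry a compile timestamp in their COFF header, and if you shift a set of those timestamps through candidate UTC offsets, the offset that puts most builds inside a Monday-to-Friday working day points at the developers' likely time zone. The code below is an added example, not tooling from the article or from any of the researchers it mentions. It reads the `TimeDateStamp` field from a PE image, then scores candidate offsets; the PE images and build times are constructed for the demo (fifteen builds at 10:00, 13:30 and 16:45 Moscow time across one working week), and the 09:00-18:00 working window is an assumption.

```python
"""Added example (not from the article or any cited report): extract COFF TimeDateStamp values
from PE files and test which UTC offset puts the builds inside a working day."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def pe_compile_timestamp(data):
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def make_fake_pe(ts):
    """Constructed minimal image for the demo: DOS header pointing at a PE signature + COFF header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, ts) + bytes(12)
    return bytes(dos) + coff


def working_hours_share(timestamps, utc_offset_hours, start=9, end=18):
    """Fraction of timestamps that fall Mon-Fri between start and end (exclusive) local hour."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def hour_histogram(timestamps, utc_offset_hours):
    """Count of builds per local hour under the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(datetime.fromtimestamp(ts, tz).hour for ts in timestamps)


def best_fit_offsets(timestamps, candidates=range(-12, 15)):
    """UTC offsets (hours) that maximise the working-hours share; expect a plateau, not one value."""
    shares = {off: working_hours_share(timestamps, off) for off in candidates}
    best = max(shares.values())
    return [off for off, share in shares.items() if share == best]


# Constructed sample: five weekdays (14-18 March 2016) of builds at 10:00, 13:30 and 16:45 MSK (UTC+3).
_MSK = timezone(timedelta(hours=3))
BUILD_TIMES = [int(datetime(2016, 3, day, h, m, tzinfo=_MSK).timestamp())
               for day in range(14, 19) for h, m in ((10, 0), (13, 30), (16, 45))]
SAMPLE_PE_FILES = [make_fake_pe(ts) for ts in BUILD_TIMES]
SAMPLE_TIMESTAMPS = [pe_compile_timestamp(p) for p in SAMPLE_PE_FILES]

if __name__ == "__main__":
    for off in (3, -5):
        share = working_hours_share(SAMPLE_TIMESTAMPS, off)
        print("UTC%+d: %.0f%% of builds in working hours, by hour %s"
              % (off, 100 * share, dict(hour_histogram(SAMPLE_TIMESTAMPS, off))))
    print("best-fit offsets:", best_fit_offsets(SAMPLE_TIMESTAMPS))
```

Two caveats a practitioner would attach to this signal: the field is set by the linker and can be zeroed or forged, so it carries weight only across a large sample where the distribution is hard to fake consistently, and the result is a band of adjacent offsets (here UTC+2 to UTC+4), not a single zone, which daylight-saving shifts widen further. It is corroborating evidence, never attribution on its own.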

Microsoft provided an extensive look at APT28 (which some researchers refer to as “STRONTIUM” or “Fancy Bear”) in a Nov. 20, 2015, report on the group’s activities and techniques:

Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. …

STRONTIUM typically begins its attack on an institution by identifying and profiling potential victims with connections to the institution. Microsoft has seen indications that STRONTIUM relies on open-source intelligence (OSINT), such as email lists and information harvested from public forums or social networking sites, to identify targets for spear phishing. Microsoft also believes that STRONTIUM relies on past successful phishing attacks to augment its dataset, by making use of any email communications it can identify between prior targets and the current target.

STRONTIUM casts a wide net with its reconnaissance activities, seeking login credentials for email and other systems from a large number of people, which it then weeds through to assess its value. Microsoft believes STRONTIUM used its spear phishing attacks to target several thousand individuals during the first half of 2015. Although STRONTIUM isn’t choosy with its targets, it is persistent. When STRONTIUM identifies an individual to target, the group will repeatedly conduct spear phishing attacks against it over a long duration, possibly a year or more, until one of the attempts succeeds.

None of the detailed descriptions above was included in either of the U.S. government’s official reports designed to instill confidence in its decision to pin the DNC hacking on the Russian government. Intelligence officials also have declined to mention evidence showing that some of the servers used to control infected Democratic Party computers had been previously used in other attacks, including one against the government of German Chancellor Angela Merkel.

*  *  *

The vacuum created by the lack of formally declassified evidence pointing to Russia has left news organizations, lower-level elected officials, political activist groups and average citizens to their own devices — in some cases, leading to false or misleading stories receiving wide circulation. In large measure, these mistakes have happened as people without computer science backgrounds have attempted to process highly technical charges and counter-charges.

The uncertain news environment surrounding the hacking attacks against Democrats has made Russian attempts to muddy the waters much easier according to Thomas Rid, a professor of security studies who has written extensively on the history of espionage and testified before Congress on Russian involvement in the 2016 election.

“There will always be people who find there is no good evidence. That is the nature of active measures," Rid told Salon, referring to the longstanding Russian intelligence method of spreading false information in order to manipulate behavior. “The goal is to drive wedges in the political landscape but also within the cybersecurity community.”

While the hacking of Democratic officials began in 2015, the public disinformation campaign began almost immediately in June of 2016, after the Washington Post published a story on June 14 relaying claims from the DNC and independent security firm CrowdStrike that party-owned computers had been breached by two separate hacking groups believed to be connected to Russian intelligence agencies.

Within hours, an anonymous website and Twitter account operated under the name “Guccifer 2.0” suddenly appeared on the web, pushing back strenuously against the idea that Democrats had been compromised by Russian attackers.

“DNC’S SERVERS HACKED BY A LONE HACKER,” the site’s first blog post read. Guccifer 2.0 proved highly interested in making the case to journalists via email and Twitter direct messages. "He" claimed to be a Romanian hacker, just like the original Guccifer, Marcel Lazăr Lehel. The persona was also in contact with Trump operative Roger Stone, by the political consultant’s own admission, as well as with a Florida Republican strategist named Aaron Nevins.

Almost immediately, journalists and security companies began poking holes in the lone-wolf narrative. Cybersecurity firm ThreatConnect performed an analysis of all the documents posted by Guccifer 2.0 and discovered that they had been posted in three separate batches. Within the first two batches, all the files posted had modification dates after the publication of the Post article. The security group also found that many of the files had tightly packed modification times, suggesting they had been hastily created all at once.

This theory that the documents had been created rapidly and under pressure was further boosted when security consultant Matt Tait began noticing that some of the documents' hidden metadata contained Russian-language settings that had not been removed. Another Twitter user discovered an associated PDF that contained Russian error messages.
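The two preceding paragraphs describe three document-metadata checks: whether last-modified times postdate the June 14 Post story, whether a batch was saved within minutes of itself, and whether the editing language left in the file is Russian. The following is an added example, not ThreatConnect's or any researcher's published tooling, that runs those checks on .docx files. A .docx is a zip archive; the last-modified time lives in `docProps/core.xml` and the default language in `word/styles.xml`, which is all this code reads (real documents also carry `w:lang` on individual runs in `document.xml`). The files, author name and timestamps are constructed in memory for the demo, and the ten-minute clustering window and the midnight-UTC cut-off for the Post story are assumptions.

```python
"""Added example (not from the article or ThreatConnect): flag a .docx batch that was modified
after a reference publication time, saved within minutes of itself, or edited with non-English
language settings. All documents below are constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

_CORE = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
         '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
         ' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
         ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
         '<dc:creator>{creator}</dc:creator>'
         '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
         '</cp:coreProperties>')
_STYLES = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:docDefaults><w:rPrDefault><w:rPr><w:lang w:val="{lang}"/></w:rPr></w:rPrDefault>'
           '</w:docDefaults></w:styles>')


def make_docx(creator, modified_iso, lang):
    """Constructed minimal .docx containing only the two parts the analysis reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", _CORE.format(creator=creator, modified=modified_iso))
        z.writestr("word/styles.xml", _STYLES.format(lang=lang))
    return buf.getvalue()


def docx_metadata(data):
    """Return creator, last-modified time (UTC) and the set of w:lang values in styles.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        styles = ET.fromstring(z.read("word/styles.xml"))
    creator = core.find("dc:creator", NS)
    modified = core.find("dcterms:modified", NS).text
    val_attr = "{%s}val" % NS["w"]
    langs = {el.get(val_attr) for el in styles.iter("{%s}lang" % NS["w"])} - {None}
    return {
        "creator": creator.text if creator is not None else None,
        "modified": datetime.strptime(modified, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "langs": langs,
    }


def analyse_batch(docs, published_at, window=timedelta(minutes=10)):
    """Apply the three checks to a batch of .docx byte strings."""
    metas = [docx_metadata(d) for d in docs]
    times = sorted(m["modified"] for m in metas)
    span = times[-1] - times[0]
    return {
        "all_modified_after_publication": all(t > published_at for t in times),
        "span_seconds": int(span.total_seconds()),
        "tightly_packed": len(times) > 1 and span <= window,
        "non_english_langs": sorted({l for m in metas for l in m["langs"]
                                     if not l.lower().startswith("en")}),
        "creators": sorted({m["creator"] for m in metas if m["creator"]}),
    }


# Date of the Washington Post story as given in the article; midnight UTC is an assumed cut-off.
POST_STORY = datetime(2016, 6, 14, tzinfo=timezone.utc)

# Constructed batch: three files saved within minutes of each other the day after the story.
BATCH = [make_docx("constructed-user", t, "ru-RU")
         for t in ("2016-06-15T13:02:10Z", "2016-06-15T13:03:44Z", "2016-06-15T13:05:01Z")]
# Constructed control: a single file that predates the story and carries English settings.
CONTROL = [make_docx("constructed-user", "2015-11-03T09:15:00Z", "en-US")]

if __name__ == "__main__":
    print("batch:  ", analyse_batch(BATCH, POST_STORY))
    print("control:", analyse_batch(CONTROL, POST_STORY))
```

None of these fields is tamper-proof: core.xml is plain XML and can be rewritten by anyone who knows it exists. The point of the ThreatConnect and Tait observations was the opposite failure, that whoever prepared the files left the defaults in place, and that is exactly what a batch check like this surfaces.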

The Guccifer persona also gave conflicting explanations about how the DNC had been compromised. In an email interview with The Smoking Gun, he claimed that “first I breached into mail boxes of a number of Democrats.” But in a discussion with the tech blog Motherboard, Guccifer 2.0 later claimed to have exploited a vulnerability within the website of NGP Van, a campaign software vendor that caters to Democratic candidates and organizations.

The email entry claim is in line with the known operations of both Russian hacker groups, APT28 and APT29. Though ThreatConnect did not note the disparate entry claims in the report mentioned above, the company pointed out that it seemed improbable Guccifer 2.0 had used Democratic campaign software to get into the party’s records, since NGP Van is a small company unlikely to be known to an independent Romanian hacker.

According to the report: “Rather than accessing NGP VAN platforms via software installed on a DNC computer, most of these products require a user to login via a webservice, and a threat actor would likely be more successful by simply obtaining login credentials for these products rather than attempting to develop directly or use a costly remote zero-day software vulnerability.”

"The Democratic National Committee networks were not hacked through NGP VAN," DNC Communications Director Adam Hodge told Ad Age last October. NGP Van did not respond to a request to comment for this story.

Guccifer 2.0’s claim to be from Romania was also undermined by Motherboard writer Lorenzo Franceschi-Bicchierai, who interviewed the persona in Romanian via Twitter and then compared notes with native speakers of the language. Franceschi-Bicchierai’s Romanian speakers found that Guccifer 2.0 exhibited strange behaviors, such as the inclusion of accent marks in an informal chat and the persona's use of an obscure Romanian word for "watermark" instead of borrowing the English word, as most Romanians would do.

*  *  *

Despite the many holes in the Guccifer 2.0 persona and the suggestions that he may have been invented to cover the tracks of Russian intelligence, many Americans remain intrigued by the possibility that he is who he claims to be. Part of the reason for that is undoubtedly the highly technical nature of the story, and the fact that the details undermining Guccifer 2.0's claims have been largely unreported by the general interest media.

In other cases, the specialized nature of cybersecurity has led to media outlets running inaccurate stories that relied on inadequate sourcing and poor technical understanding. Last November, writing for Slate, journalist Franklin Foer claimed that Donald Trump's business had set up a server that communicated directly with a Russian bank. Other news organizations had previously passed on these allegations, and once the story was published, security researchers and other publications began tearing it apart. The Washington Post made a similar mistake in December when it incorrectly reported that Russian hackers had breached America's electrical grid via a Vermont power plant.

"The initial headline and erroneous sentence in the piece were swiftly corrected, and an editor’s note was published at the top of the story," Post spokeswoman Kris Coratti told Salon in an email. "We also published a corrective story three days later, which you can see here. We held ourselves accountable and we made sure our readers were well served."

While more than a few Democrats seem to believe that Russian hackers did many more things than they have actually been accused of doing, many more Republicans (along with a handful of left-wing critics of the Democrats) seem willing to disbelieve the accusations altogether.

One of the most persistent myths of the larger story is that the DNC did not fully cooperate with law enforcement officials trying to investigate the intrusion. That claim is completely false, according to Democratic Party spokeswoman Adrienne Watson.

“The DNC coordinated with the FBI and provided everything it requested, including complete digital copies of DNC servers,” she said in an interview. “Conspiracy theories suggesting otherwise are false.”

According to DNC sources not authorized to speak on the record, the party was utilizing sophisticated “virtual machine” software to host its email in a way that could be easily copied from one computer to another depending upon need. Once the FBI had requested access to the DNC’s data, the party’s technology staff simply made a duplicate copy of the virtual machines and provided them to the law enforcement agency. Providing physical access to the hardware on which the virtual machines had originally been hosted would have yielded no additional information since the computers had not been compromised via physical access.

This fact seems not to have reached many journalists and political leaders.

President Trump's own erratic and confusing public statements have been a major reason why. Even though Trump has acknowledged multiple times since becoming president that he now believes Russia hacked Democrats, he has persisted in raising specious doubts about the idea.

“When will the Fake Media ask about the Dems dealings with Russia & why the DNC wouldn't allow the FBI to check their server or investigate?” he asked in a May tweet.

Trump raised the issue again in June in another tweet: “Everyone here is talking about why John Podesta refused to give the DNC server to the FBI and the CIA. Disgraceful!”

But Trump is far from the only person to spread incorrect statements about the DNC’s cooperation with the FBI. Josephine Wolff, a professor of public policy and computing security at the Rochester Institute of Technology, questioned the idea as well in an article headlined “The FBI Relied on a Private Firm’s Investigation of the DNC Hack — Which Makes the Agency Harder to Trust.” In January, BuzzFeed ran an article claiming that it was "unclear" why the FBI was not given physical access to the DNC servers.

Acting either in coordination with the White House or because they simply did not understand the technical details, several Republican congressmen have apparently bought into the idea that Democrats refused to cooperate with the FBI. At a hearing in March, GOP lawmakers repeatedly asked former FBI Director James Comey about this allegation. Comey answered correctly, but did not explain why having access to a disk image copy of a virtual machine is the same as physical access to the hard drive that stores it.

“We got the forensics from the pros that they hired,” he said, referring to CrowdStrike. “Best practice is always to get access to the machines themselves, but this -- my folks tell me was an appropriate substitute.”

At a June hearing, Rep. Trey Gowdy, a South Carolina Republican who is a member of the House Intelligence Committee, seemingly couldn’t understand why the DNC would not turn over the servers to law enforcement.

"So if you're investigating, either from law enforcement or from an intelligence standpoint, the hacking by foreign, hostile government, wouldn't you want the server?" he theatrically asked Jeh Johnson, the former Secretary of Homeland Security under Obama. "Wouldn't that help you, number one, identify who -- who the attacker was? ... Why would the victim of a crime not turn over a server to the intelligence community or to law enforcement?"

Johnson, whose former agency does not oversee the FBI and has not been involved in investigating the DNC hacks, seemed unsure how to respond. "I'm not going to argue with you, sir. That was a leading question, and I'll agree to be led," he replied.

GOP leaders' efforts to obfuscate on the question of Russia appear to have worked among Republicans nationally. A Fox News survey conducted in May found that just 13 percent of self-identified Republican respondents believed that Russian hackers had aided Trump in the 2016 election. In an August poll conducted by the Pew Research Center, just 36 percent of GOP respondents said they considered Russia a major national security threat.

Beyond Trump and the GOP's efforts to raise spurious arguments about Russian involvement in the 2016 election, conservative media outlets have also played a significant role in shaping center-right perception on the matter, according to John Ziegler, a columnist for Mediaite who is also a former conservative radio host.

"We are now living in a world where if Fox, [Matt] Drudge and Rush [Limbaugh] simply decide to pretend something isn't real, then it isn't real because no one else is to be trusted," he said in an interview.

Many conservative media figures do not want the allegations to be true, Ziegler argues, because to acknowledge them might be bad for Republicans.

"The whole thing is too threatening for them or their audience to accept," he said. "As long as it remains mostly the focus of the 'fake news' MSM they can pretend it isn't real. It's kind of like suspecting you might have cancer but not getting tested out of fear of what you might find."

By Matthew Sheffield

Matthew Sheffield is a national correspondent for The Young Turks. He is also the host of the podcast "Theory of Change." You can follow him on Twitter.
