News Analysis
It’s generally understood that the Democratic National Committee (DNC) was first hacked in April of 2016. This is not entirely accurate. Russia’s cyberattack on the DNC began only weeks after Trump announced his candidacy for president of the United States in June 2015.
We know this through a combination of prior
reporting and some new details provided in the
DNC’s lawsuit against Russia and the Trump campaign.
“In July 2015, Russian Intelligence gained access to Democratic National Committee networks and maintained that access until at least June 2016,” the DNC complaint reads.
Analysis by private cybersecurity firm CrowdStrike Services, along with the Intelligence Community’s
Grizzly STEPPE report, concluded that the DNC’s computer systems had been hacked by two independent entities—“Cozy Bear” and “Fancy Bear”—also known as Advanced Persistent Threat 29 (APT 29) and Advanced Persistent Threat 28 (APT 28), respectively.
Forensic analysis found evidence that Cozy Bear had infiltrated and remained present in the DNC’s network since at least July 27, 2015. The DNC was notified multiple times by the FBI regarding the Cozy Bear intrusion.
The
first set of warnings came in September 2015 when FBI agent Adrian Hawkins called the DNC regarding their computer network. He was transferred to Yared Tamene at the DNC Help Desk.
Hawkins told Tamene that Russian hackers known as “The Dukes” had compromised at least one DNC computer. Tamene reportedly scanned the system networks but found nothing.
Hawkins called back repeatedly over the next several weeks, but the calls were never returned. Tamene later noted he was unsure if it was really the FBI making contact; “I had no way of differentiating the call I just received from a prank call.”
Tamene did write a memo detailing his contact with Hawkins and specifically
noted “the Special Agent told me to look for a specific type of malware dubbed ‘Dukes’ by the U.S. intelligence community and in cybersecurity circles.”
The DNC claimed the FBI never attempted to reach anyone beyond or above the DNC Help Desk. The FBI disputed the DNC’s account,
telling CNN “it made repeated attempts to alert more senior DNC staff, including sharing information on how to identify breaches in their systems.”
Hawkins continued to call the DNC Help Desk in October 2015, but didn’t visit in person. Email was not considered an option, out of concerns that hackers would be alerted to the FBI’s suspicions.
The second round of warnings, somewhat more urgent this time, came in November 2015. This time, the message from Hawkins was more ominous. A DNC computer was “calling home, where home meant Russia.”
A DNC computer was now transmitting information back to Russia.
A
memo from Tamene noted, “SA Hawkins added that the F.B.I. thinks that this calling home behavior could be the result of a state-sponsored attack.”
DNC executives again claimed they were never contacted by the FBI. However, The New York Times
reported that Tamene and his IT team had met in person with the FBI at least twice by March 2016.
It turns out there was one final warning attempt made by the FBI. Email phishing attacks began in March 2016—including the famous hack of John Podesta. Late that same month, the FBI
visited the Clinton campaign headquarters in Brooklyn “where they were received warily, given the agency’s investigation into the candidate’s use of a private email server while secretary of state.”
Despite the ongoing warnings and new phishing attempts, the DNC waited until the middle of April 2016 to install a “robust set of monitoring tools.” It was through the use of this new monitoring system that on April 28, 2016, the DNC first detected the infiltration by “Fancy Bear,” which, according to Crowdstrike, is connected with the GRU, Russia’s foreign military intelligence agency. The DNC lawsuit provides a
definitive date for the actual start of the “Fancy Bear” hack—April 18, 2016:
“On April 18, 2016, Russia launched a second phase of its cyberattack on DNC servers located in Virginia and Washington DC. This attack was executed by GRU agents,” the DNC complaint reads.
Immediately following the April 28, 2016, detection, DNC CEO Amy Dacey
called Michael Sussmann, a DNC lawyer and partner with Perkins Coie. After speaking with Dacey, Sussmann contacted Shawn Henry,
CSO and president of CrowdStrike.
It strikes as mildly odd that the DNC’s first call would be to outside legal counsel. Dacey would later resign as CEO of the DNC on Aug. 2, 2016.
Despite DNC characterizations that the FBI failed to provide proper notification, it appears the FBI was persistent in attempts to warn the DNC regarding their ongoing vulnerability. But DNC resistance to FBI overtures didn’t end with the FBI’s final set of warnings in March. FBI attempts to investigate the April 2016 DNC server breach were surprisingly rebuffed.
Former FBI Director James Comey stated during testimony before the Senate Intelligence Committee that the FBI made “multiple requests at different levels,” but wasn’t granted access to the DNC servers. Instead, the FBI was forced to rely on data provided by CrowdStrike.
Responding to inquiries, Eric Walker, the DNC’s deputy communications director,
told BuzzFeed News that “the FBI never requested access to the DNC’s computer servers.”
But a senior law enforcement official strongly disputed the DNC’s version of events in a
statement to CNN: “The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information. These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”
Surprisingly, the DNC waited until June 10, 2016, to notify staff members of the intrusion. DNC Chief Operating Officer Lindsey Reynolds
informed about 100 staff members of the hacks at an “all-hands” meeting.
Laptops were to be shut off and no disclosure of the announcement was allowed. Ironically, the DNC never notified their sister organization, the Democratic Congressional Campaign Committee, of the hacks.
Two days after the staff disclosure, on June 12, 2016, WikiLeaks founder Julian Assange
promised to release more Clinton emails. On June 14, 2016, two days after Assange’s disclosure, the DNC
went public, saying their servers had been hacked.
The story behind the DNC servers has always had glaring unanswered questions. Why ignore the multiple warnings from the FBI? Why refuse the FBI access to the servers? Why the significant delay in notifying DNC staff of the threat? Why the complete failure to ever notify the Democratic Congressional Campaign Committee of the hacks? None of it seems to make sense—or to be a logical response by the DNC.
The March 2016 phishing efforts were fairly simplistic in nature–the phishing attempts weren’t noticeably different than the types found in most junk-mail folders. And Wikileaks founder Julian Assange, whose organization published the emails from the DNC, has repeatedly
said that Russia wasn’t his source.
The
DNC lawsuit, while providing us with the April 18, 2016, initiation date of the second Russian hack, is surprisingly short on material detail.
Information on events during 2015 are vague at best and no mention is made of the FBI’s repeated warning attempts. The lawsuit completely ignores the phishing attempts made in March 2016 that led to the actual hacking in April 2016.
Which brings us back to a question that’s never been adequately explained. Why did the DNC refuse the FBI physical access to their servers.
The consistency of the FBI’s repeated warnings lend credence to their stated position that they repeatedly requested direct access to the DNC servers. Comey
testified under oath to this same position. No explanation has been given that adequately explains why the DNC was so protective of its servers. Their attempted denials of the FBI’s formally stated position appear stranger still.
The
DNC lawsuit states that their systems were hacked by Russians on April 18, 2016, following Russian phishing attempts in March 2016. Around the same time, a number of significant coinciding events took place. Which could, or could not, have been related to each other.
On March 9, 2016, one day before the first phishing attempts were reportedly made on the Clinton Campaign, then-NSA Director Admiral Mike Rogers became aware of potential problems when he discovered the FBI was using independent contractors who were allowed improper access to surveillance data.
A declassified Foreign Intelligence Surveillance Court (FISC) document released in April 2017 showed that the FBI had provided private contractors access to raw Section 702 surveillance data. This access wasn’t controlled or monitored. These private contractors have never been disclosed by the government.
“Their access was not limited to raw information for which the FBI sought assistance and access continued even after they had completed work in response to an FBI request,” wrote the FISC in its report.
On the same day as Rogers’s discovery, FBI agent Peter Strzok, who was the lead agent on both the Clinton email investigation and the counterintelligence investigation into the Trump campaign,
sent a text referencing a “HUGE f-up.”
On April 18, 2016, Rogers
shut down the FBI’s outside contractor access to the FISA search system. On that same day, the DNC was officially hacked by Russia, according to their
lawsuit.
Jeff Carlson is a CFA® Charterholder. He has worked for 20 years as an analyst and portfolio manager in the high-yield bond market. He runs the website TheMarketsWork.com