The Democratic National Committee cyber attacks took place in 2015 and 2016,[1] in which two groups of Russian computer hackers infiltrated the Democratic National Committee (DNC) computer network, leading to a data breach. Cybersecurity experts, as well as the U.S. government, determined that the cyberespionage was the work of Russian intelligence agencies.
Forensic evidence analyzed by several cybersecurity firms, CrowdStrike, Fidelis, and Mandiant (or FireEye), strongly indicated that two Russian intelligence agencies separately infiltrated the DNC computer systems. CrowdStrike, which removed the hacking programs, revealed a history of encounters with both groups and had already named them, calling one of them Cozy Bear and the other Fancy Bear, names which are used in the media.[2][3][4][5][6]
On December 9, 2016, the CIA told U.S. legislators that the U.S. Intelligence Community had concluded Russia conducted the cyberattacks and other operations during the 2016 U.S. election to assist Donald Trump in winning the presidency.[7] Multiple U.S. intelligence agencies concluded that specific individuals tied to the Russian government provided WikiLeaks with stolen emails from the DNC, as well as stolen emails from Hillary Clinton's campaign chairman, who was also the target of a cyberattack.[7] These intelligence organizations additionally concluded Russia hacked the Republican National Committee (RNC) as well as the DNC, but chose not to leak information obtained from the RNC.[8]
Cyber attacks that successfully penetrated the DNC computing system began in 2015. Attacks by "Cozy Bear" began in the summer of 2015. Attacks by "Fancy Bear" began in April 2016. It was after the "Fancy Bear" group began their activities that the compromised system became apparent. The groups were presumed to have been spying on communications, stealing opposition research on Donald Trump, as well as reading all email and chats. Both were finally identified by CrowdStrike in May 2016. Both groups of intruders were successfully expelled from the DNC systems within hours after detection. These attacks were part of a group of attacks targeting U.S. government departments and several political organizations, including 2016 campaign organizations.[2][3][4][5][6]
On July 22, 2016, a person or entity going by the moniker "Guccifer 2.0" claimed on a WordPress-hosted blog to have been acting alone in hacking the DNC.[9][10] He also claimed to send significant amounts of stolen electronic DNC documents to WikiLeaks. WikiLeaks has not revealed the source for their leaked emails.[11] However, cybersecurity experts and firms, including CrowdStrike, Fidelis Cybersecurity, Mandiant, SecureWorks, ThreatConnect, and the editor for Ars Technica, have rejected the claims of "Guccifer 2.0" and have determined, on the basis of substantial evidence, that the cyberattacks were committed by two Russian state-sponsored groups (Cozy Bear and Fancy Bear).[12]
According to separate reports in The New York Times and The Washington Post, U.S. intelligence agencies have concluded with "high confidence"[13] that the Russian government was behind the theft of emails and documents from the DNC.[13][14] While the U.S. intelligence community has concluded that Russia was behind the cyberattack, intelligence officials told The Washington Post that they had "not reached a conclusion about who passed the emails to WikiLeaks" and so did not know "whether Russian officials directed the leak."[14] A number of experts and cybersecurity analysts believe that "Guccifer 2.0" is probably a Russian government disinformation cover story to distract attention away from the DNC breach by the two Russian intelligence agencies.[2][3][4][5][15]
President Obama and Russian President Vladimir Putin had a discussion about computer security issues, which took place as a side discussion during the then-ongoing G20 summit in China in September 2016. Obama said Russian hacking stopped after his warning to Putin.[16]
In a joint statement on October 7, 2016, the United States Department of Homeland Security and the Office of the Director of National Intelligence stated that the US intelligence community is confident that the Russian government directed the breaches and the release of the obtained material in an attempt to "… interfere with the US election process."[17][18][19]
As is common among Russian intelligence services, both groups used similar hacking tools and strategies. It is believed that neither group was aware of the other. This type of operation is antithetical to American computer intelligence methods, for fear of undermining or defeating intelligence operations of the other. However, this has been common practice for the Russian intelligence community since 2004.[3][5][20]
This intrusion was part of several attacks attempting to access information from American political organizations, including the 2016 U.S. presidential campaigns.[21] Both "Cozy Bear" and "Fancy Bear" are known adversaries of the United States, who have extensively engaged in political and economic espionage that benefits the Russian Federation government. Both groups are believed to be connected to the Russian intelligence services. Also, both access resources and demonstrate levels of proficiency matching nation-state capabilities.
"Cozy Bear" has in the past year infiltrated unclassified computer systems of the White House, the U.S. State Department, and the U.S. Joint Chiefs of Staff. According to CrowdStrike, other targeted sectors include: Defense, Energy, Mining, Financial, Insurance, Legal, Manufacturing, Media, Think tanks, Pharmaceutical, Research and Technology industries as well as universities. "Cozy Bear" observed attacks have occurred in Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey and Central Asia.[3][5]
"Fancy Bear" has been operating since the mid-2000s. CrowdStrike reported targeting has included Aerospace, Defense, Energy, Government and the Media industries. "Fancy Bear" intrusions have occurred in United States, Western Europe, Brazil, Canada, China, Republic of Georgia, Iran, Japan, Malaysia and South Korea. Targeted defense ministries and military organizations parallel Russian Federation government interests. This may indicate affiliation with the Main Intelligence Directorate (GRU, a Russian military intelligence service). Specifically, "Fancy Bear" has been linked to intrusions into the German Bundestag and France's TV5 Monde (television station) in April 2015.[3][5] SecureWorks, a cybersecurity firm headquartered in the United States, concluded that from March 2015 to May 2016, the "Fancy Bear" target list included not merely the DNC, but tens of thousands of foes of Putin and the Kremlin in the United States, Ukraine, Russia, Georgia, and Syria. Only a handful of Republicans were targeted, however.[22]
On January 25, 2018, Dutch newspaper de Volkskrant and TV program Nieuwsuur reported that in 2014 and 2015, the Dutch Intelligence agency General Intelligence and Security Service (AIVD) had successfully infiltrated the computers of Cozy Bear and observed the hacking of the head office of the State Department and subsequently the White House, as well as the Democratic Party, and were the first to alert the National Security Agency about the cyber-intrusion.[23][24]
In 2015, the NSA apprised the FBI and other agencies of the DNC intrusions which the Dutch had secretly detected, and on August 15, 2015, the Washington field office first alerted DNC technical staff of the compromise of their systems.[25] Much later, the lack of higher level communications between the DNC and the FBI was seen by the DNC as an "unfathomable lapse" and it wasn't until April 2016 when legal authorizations to share sensitive technical data with the government finally apprised DNC leaders that their systems had been penetrated.[26]
"Cozy Bear" had access to DNC systems since the summer of 2015; and "Fancy Bear", since April 2016. There was no evidence of collaboration or knowledge of the other's presence within the system. Rather, the "two Russian espionage groups compromised the same systems and engaged separately in the theft of identical credentials".[5][20][27] "Cozy Bear" employed the "Sea Daddy" implant and an obfuscated PowerShell script as a backdoor, launching malicious code at various times and in various DNC systems. "Fancy Bear" employed X Agent malware, which enabled distant command execution, transmissions of files and keylogging, as well as the "X-Tunnel" malware.
DNC leaders became aware of the compromise in April 2016. These attacks broadly reflect Russian government interest in the U.S. political system, as well as political leaders' policies, tendencies and proclivities while assessing possible beneficial outcomes. The attacks also broadly reflect Russian government interest in the strategies, policies, and practices of the U.S. Government. This also globally reflects foreign governments' interest in ascertaining information on Donald Trump as a new entry into U.S. political leadership roles, in contrast to information likely to have been garnered over the decades pertaining to the Clintons.[3][5]
The DNC commissioned the cybersecurity company CrowdStrike to defeat the intrusions. Its chief technology officer, Dmitri Alperovitch, who is also a cybersecurity expert, stated:
CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016[...] We've had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of 'living-off-the-land' techniques enables them to easily bypass many security solutions they encounter.[5]
Other cybersecurity firms, Fidelis Cybersecurity and FireEye, independently reviewed the malware and came to the same conclusion as CrowdStrike—that expert Russian hacking groups were responsible for the breach.[28] In November 2017, US authorities identified 6 Russian individuals who conducted the hack.[29] Beginning in December 2016 the Russian government arrested Sergei Mikhailov, a high ranking government cyber-spy, Ruslan Stoyanov, a private sector cyber-security expert, Georgy Fomchenkov, a former government cyber-spy, and Dmitry Dokuchaev, a Mikhailov associate and charged them with aiding U.S. intelligence agencies which the New York Times associated with the DNC hacking.[30][31]
Although the DNC claimed that no personal, financial, or donor information was accessed, "Guccifer 2.0" leaked what he, she or they claimed were donor lists detailing DNC campaign contributions to Gawker and The Smoking Gun.[32][33] However, this information has not been authenticated, and doubts remain about Guccifer 2.0's backstory.[34]
In June 2016, a person or persons claimed to be the hacker who had hacked the DNC servers and then published the stolen documents online.[35] "Guccifer 2.0" later also claimed to have leaked 20,000 emails to WikiLeaks.[36][37]

The U.S. Intelligence Community tasked resources debating why Putin chose summer 2016 to escalate active measures influencing U.S. politics.[38] Director of National Intelligence James R. Clapper said after the 2011–13 Russian protests that Putin's confidence in his viability as a politician was damaged, and Putin responded with the propaganda operation.[38] Former CIA officer Patrick Skinner explained the goal was to spread uncertainty.[39] U.S. Congressman Adam Schiff, Ranking Member of the House Permanent Select Committee on Intelligence, commented on Putin's aims, and said U.S. intelligence agencies were concerned with Russian propaganda.[38] Speaking about disinformation that appeared in Hungary, Slovakia, the Czech Republic, and Poland, Schiff said there was an increase of the same behavior in the U.S.[38] Schiff concluded Russian propaganda operations would continue against the U.S. after the election.[38]
On December 9, 2016, the CIA told U.S. legislators the U.S. Intelligence Community concluded Russia conducted operations during the 2016 U.S. election to assist Donald Trump in winning the presidency.[7][40][41] Multiple U.S. intelligence agencies concluded that specific individuals tied to the Russian government gave WikiLeaks hacked emails from the Democratic National Committee (D.N.C.) and additional sources such as John Podesta, campaign chairman for Hillary Clinton.[7] These intelligence organizations additionally concluded Russia hacked the Republican National Committee (R.N.C.) as well as the D.N.C.—and chose not to leak information obtained from the R.N.C.[8] The CIA said the foreign intelligence agents were Russian operatives previously known to the U.S.[7] CIA officials told U.S. Senators it was "quite clear" Russia's intentions were to help Trump.[40] Trump released a statement December 9, and disregarded the CIA conclusions.[7]
A senior law enforcement official told CNN:
The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated...These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.[1]
The FBI therefore had to rely on an assessment from CrowdStrike instead,[1] who were hired by the DNC to investigate the cyber attacks.[42]
Members of the U.S. Senate Intelligence Committee traveled to Ukraine and Poland in 2016 and learned about Russian operations to influence their affairs.[43] U.S. Senator Angus King told the Portland Press Herald that tactics used by Russia during the 2016 U.S. election were analogous to those used against other countries.[43] On November 30, 2016, King joined a letter in which seven members of the U.S. Senate Intelligence Committee asked President Obama to publicize more information from the intelligence community on Russia's role in the U.S. election.[43][44] In an interview with CNN, King warned against ignoring the problem, saying it was a bipartisan issue.[45]
Representatives in the U.S. Congress took action to monitor the national security of the United States by advancing legislation to monitor propaganda.[46][47] On November 30, 2016, legislators approved a measure within the National Defense Authorization Act to ask the U.S. State Department to act against propaganda with an inter-agency panel.[46][47] The legislation authorized funding of $160 million over a two-year period.[46] The initiative was developed through a bipartisan bill, the Countering Foreign Propaganda and Disinformation Act, written by U.S. Senators Rob Portman (Republican) and Chris Murphy (Democrat).[46] Portman urged more U.S. government action to counter propaganda.[46] Murphy said after the election it was apparent the U.S. needed additional tactics to fight Russian propaganda.[46] U.S. Senate Intelligence Committee member Ron Wyden said frustration over covert Russian propaganda was bipartisan.[46]
Republican U.S. Senators stated they planned to hold hearings and investigate Russian influence on the 2016 U.S. elections.[48] By doing so they went against the preference of incoming Republican President-elect Donald Trump, who downplayed any potential Russian meddling in the election.[48] U.S. Senate Armed Services Committee Chairman John McCain and U.S. Senate Intelligence Committee Chairman Richard Burr discussed plans for collaboration on investigations of Russian cyberwarfare during the election.[48] U.S. Senate Foreign Relations Committee Chairman Bob Corker planned a 2017 investigation.[48] Senator Lindsey Graham indicated he would conduct a sweeping investigation in the 115th Congress.[48]
On December 9, 2016, President Obama ordered the entire United States Intelligence Community to conduct an investigation into Russia's attempts to influence the 2016 U.S. election — and provide a report before he left office on January 20, 2017.[49][50][51] Lisa Monaco, U.S. Homeland Security Advisor and chief counterterrorism advisor to the president, announced the study, and said the intrusion of a foreign nation into a U.S. national election was an unprecedented event that would necessitate further investigation by subsequent administrations in the executive branch.[49] The intelligence analysis will take into account data from the last three presidential elections in the U.S.[50] Evidence showed malicious cyberwarfare during the 2008 and 2016 U.S. elections.[50]