tl;dr: Putin was probably not in charge of the Russian “hacking” of the DNC.
This is my first article here at Medium. I’m going to go over some things that I’ve written over the last few months on the subject of the penetration, extraction, and release (hacking&leaking) of data from the DNC (and other Democrat systems). Much of this was written in comments at Judith Curry’s blog Climate Etc., in July 2016 and recently.
AFAIK all the data involved in this analysis, and every other analysis available to readers on the WWWeb, has been openly available on that Web since June or July 2016. Many analyses have been made, and mixtures of analysis, information, speculation, and tendentious “news” have been bouncing around since then, especially over the last few weeks.
My purpose here is not to inform IT professionals, who are best advised to go directly to the CrowdStrike report and other links below. Rather, it’s to help non-experts understand the parameters involved in all the rhetoric being thrown around.
Let’s start with a picture:
This is pretty high-level, but explains enough of the process for us to distinguish two separate tasks:
- Break in and extract the data.
- Produce the “leak”.
In the first task, a way is found past the security (if any), and the data is identified on the system and extracted and stored in a file in the culprit’s possession. This could be a thumb drive, or a file on the culprit’s own computer, or a file somewhere on a system the culprit has access to.
In the second task, the data is taken from storage, modified to improve the effect, depending on the purposes of the “leak”, and released: put on a Web server as a publicly downloadable file, handed to a newspaper or WikiLeaks, etc.
Note that when intelligence services are involved, there’s no reason to expect that they will have to wait until they decide to “leak” to do the break-in.
Contrariwise, it makes sense for intelligence services to break in to as many targets as possible, and extract and store the data. This way if they need it they don’t have to break in and get it, it’s already on their servers.
For intelligence purposes, there are many other reasons to value such stolen data besides public leaks. The most important (in this case) is clues to the thinking of the players involved, as well as knowing who did what, knows about what, relationships among players, etc.
Now, according to the June 2006 CrowdStrike report that appears to be the earliest reliable public information about the DNC penetration, they found evidence of two actors, both “advanced persistent threats” (APT’s). This type of actor usually breaks in, covers the tracks of their entry, then lurks in the system extracting new information as it comes in. At some point, they may cover their tracks and withdraw, after which time they may be much harder to detect.
[… W]as called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach.
The technology they deployed, called Falcon Host, is designed to recognize active penetration and other threats by matching activity against a set of threat profiles.
[…I]mmediately identified two sophisticated adversaries on the network — COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.
CrowdStrike normally associates these two APT’s with the Russian FSB and GRU respectively. This may not be correct, their methods are well known and it wouldn’t be impossible that one or both of these groups had moved on, and their methods were/are being used by less-sophisticated “copycat” actors.
But let’s assume not. In this case, two different Russian services were simultaneously present in the DNC system. Per CrowdStrike:
At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services — Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations. [my bold]
This is key. It’s good evidence (IMO) that until after the leaks began there was no direct supervision by Mr. Putin, as it’s doubtful he would have tolerated two of his intelligence services blundering around without even knowing about each other.
OK, here’s another picture, summarizing the actual conditions of the break-in(s) and leak(s).
The GRU and FSB penetrations/extractions are shown at top. It’s also possible (likely, IMO) that other actors also broke in and extracted. This would include other nations’ intelligence services, and various private actors, up to Mr. Trump’s “somebody sitting on their bed that weighs 400 pounds”. These latter are portrayed labeled “Other 1”.
I’ve left the sources of the data unnamed, to represent an unknown number of targets. The DNC, various campaign operations, and a variety of people’s email accounts were probably targets. From a story at Naked Capitalism, quoting Washington’s Blog:
Washington’s Blog asked the highest-level NSA whistleblower in history, William Binney — the NSA executive who created the agency’s mass surveillance program for digital information, who served as the senior technical director within the agency, who managed six thousand NSA employees, the 36-year NSA veteran widely regarded as a “legend” within the agency and the NSA’s best-ever analyst and code-breaker, […] — what he thinks of such claims:
Snowden is right and the MSM is clueless. Here’s what I said to Ray McGovern and VIPS with a little humor at the end. [McGovern is a 27-year CIA veteran, […].]
Ray, I am suspicious that they may have looked for known hacking code (used by Russians). And, I’m sure they were one probably of many to hack her stuff. But, does that mean that they checked to see if others also hacked in?
As mentioned above, this sort of information would be valuable to a variety of nations, even large corporations and NGO’s. They don’t have to be enemies, even friendly states would value that information. These are valid intelligence targets, and AFAIK the legal situation regarding spying on “friends” is very cloudy. (Not one of my areas of expertise.)
I’ve shown two other possibilities, as they are important. Private actors, probably in or closely associated with Russia, might have broken into one of the state services’ systems and re-stolen the data. There’s a great deal we don’t know about the actual situation involving such activity in Russia, but given the number of criminal actors in Russia who have penetrated Western systems, it’s not impossible.
For that matter, it may be that some criminal or “business” organizations in Russia actually have humint assets within one or several state services. We can only speculate. I’ve portrayed these as “Other 2” and “Other 3".
As for the second stage, we don’t know who did the release. Given the GRU’s known penetration, if they didn’t leak it they would have been suspected.
What happened after June, when CrowdStrike released their report is much more murky. At this point, I would guess that Mr. Putin had taken control of both operations (FSB & GRU), and no independent leakage took place.
However, whether or not any of the leakage was under Mr. Putin’s control, it seem unlikely that he was coordinating anything until after the June report. His background is intelligence (KGB), so I’m sure he’s aware (probably from personal experience) the kind of embarrassing blow-ups can result from two different agencies blundering around without knowing of each other’s presence.