April 19, 2016

Russian Government Hackers Plan to Disseminate Stolen Documents

Aleksandr Vladimirovich Osadchuk
Artem Andreyevich Malyshev
Pavel Vyacheslavovich Yershov
Nikolay Yuryevich Kozachek
Sergey Aleksandrovich Morgachev
Aleksey Viktorovich Lukashev
Ivan Sergeyevich Yermakov
Dmitry Sergeyevich Badin
Boris Alekseyevich Antonov
Viktor Borisovich Netyshko
Aleksey Aleksandrovich Potemkin

According to the July 2018 Special Counsel indictment, Russian military intelligence agents register the domain dcleaks.com, which is later used to release stolen documents.

One of the first public signs that the Russian government was attempting to interfere in the 2016 election was the hacking and publication of emails from the servers of the Democratic National Committee, or DNC. The hacked emails, which WikiLeaks began to release on the eve of the Democratic National Convention in July 2016, led to, among other things, public protests outside of the convention in Philadelphia and the resignation of Congresswoman Debbie Wasserman Schultz as the head of the DNC.

According to The New York Times, a hacking group believed to be tied to the Russian government, known in the cybersecurity world as Cozy Bear, began “sending spear-phishing emails to a long list of American government agencies, Washington nonprofits and government contractors,” including the DNC, to steal vulnerable data. The Federal Bureau of Investigation reportedly first contacted employees at the DNC to inform them that the Russian hackers had “compromised at least one computer” in September 2015; however, The New York Times has reported that the DNC did not immediately act on the information, and the FBI did not follow up on its initial warning. Reporting indicates that in April 2016, another Kremlin-linked hacking group, called Fancy Bear, also sent phishing emails to the DNC as part of the attack that ultimately led to their acquisition of John Podesta’s emails. On April 29, the DNC discovered an unauthorized person accessing their servers, and subsequently contracted the cybersecurity firm CrowdStrike, which determined within a day that the intrusion had been carried out from Russia.

Perhaps due to the lack of effective communication between the DNC and the FBI, the hack did not become public until well into 2016. On May 18, 2016, the Director of National Intelligence James Clapper reported that the U.S. intelligence community had found evidence of foreign spy services attempting to hack digital networks used by American presidential campaigns, including the DNC and the Democratic Congressional Campaign Committee, or DCCC. Almost a month later, The Washington Post first reported that Russian hackers had penetrated DNC databases, and had gained access to both internal email and chat traffic among employees and the opposition research the organization had compiled on Trump. The next day, after the online news outlets Gawker and The Smoking Gun published files purporting to be the DNC’s opposition research on Trump, a hacker using the pseudonym Guccifer 2.0 claimed credit for the hack, saying that he had given the stolen emails to WikiLeaks and publishing some of the documents himself. Though Guccifer 2.0 claimed he was Romanian and neither understood Russian nor had connections to the country’s government, metadata from the hacked documents and his inability to write fluently in Romanian suggested that he was in fact operating out of Russia. On March 22, 2018, Guccifer 2.0 was revealed as a front for a unit of the GRU, Russia’s military intelligence directorate.

WikiLeaks began publishing emails hacked from the DNC on July 22, 2016, three days before the Democratic National Convention was set to begin in Philadelphia. On July 25, the FBI announced that it was investigating the DNC hack. The next day, intelligence officials reportedly told the White House that they had “high confidence” that Russia had carried out the hack, although, according to The New York Times, they had not yet concluded whether the operation was intended as “fairly routine cyberespionage … or as part of an effort to manipulate the 2016 presidential election.” On July 29, the DCCC announced that it had been hacked by the same Russian actors behind the DNC hack; Guccifer then released documents from the DCCC regarding House races in several states, including Florida, Pennsylvania, New Hampshire, Ohio, Illinois, and North Carolina.

Even after the intelligence community concluded that Russia had been behind the DNC and DCCC hacks, WikiLeaks continued to not only publish the emails but deny that they had come from Russia, ultimately releasing a final batch of emails on November 6, 2016, mere days before the election.

On July 13, 2018, the Special Counsel’s Office filed an indictment against 12 Russian military officers in connection with the DNC and DCCC hacks. The indictment confirmed prior news reports and included new details of the methods and objectives of the hack and release program operated by the GRU during the 2016 election.
