Summer 2015—May 2016: One or more hackers access the DNC’s computer network.

CrowdStrike logo (Credit: CrowdStrike)

CrowdStrike logo (Credit: CrowdStrike)

In June 2016, it will be reported that the computer network of the DNC [Democratic National Committee] was compromised for about a year. Around May 2016, the security company CrowdStrike is hired by the DNC to investigate and stop the hacking attack. According to CrowdStrike, there actually are two different groups that successfully break into the network, both of them linked to the Russian government.

The first group is said to be known by the nickname Cozy Bear. In 2015, it allegedly successfully infiltrated the unclassified networks of the White House, State Department, US Joint Chiefs of Staff, and others. This group gets into the DNC’s network in the summer of 2015 and is not stopped until May 2016.

The second group is said to be known by the nickname Fancy Bear, and it also has had many other successful attacks. It gets into the network in April 2016 and also is stopped in May 2016.

On June 15, 2016, someone going by the nickname “Guccifer 2.0” posts DNC files on the Internet. This person claims to have no connection to the Russian government, but also claims to have accessed the DNC network for “almost a year,” which is similar to what CrowdStrike says about Cozy Bear. (CrowdStrike.com, 6/15/2016) (The Washington Post, 6/15/2016)

October 2015—Mid-May 2016: Hackers, alleged to be Russian, target almost 4,000 Google accounts related to US politics.

Center for American Progress logo (Credit: public domain)

Center for American Progress logo (Credit: public domain)

According to a June 17, 2016 Bloomberg News article, during this time period, the same allegedly Russian hackers who breach the computers of the DNC [Democratic National Committee] and Clinton’s presidential campaign “[burrow] much further into the US political system, sweeping in law firms, lobbyists, consultants, foundations, and the policy groups known as think tanks, according to a person familiar with investigations of the attacks.” Almost 4,000 Google accounts are targeted by “spear phishing,” which involves tricking targets to give log-in information so their data can be accessed. The Center for American Progress, a think tank with ties to Clinton and the Obama administration, is one known target.

Bloomberg News will further report that, “Based on data now being analyzed, various security researchers believe the campaign stems from hackers linked to Russian intelligence services and has been broadly successful, extracting reams of reports, policy papers, correspondence and other information.”

The Russian government denies any involvement, but cybersecurity experts who have investigated the attacks believe the hackers are working for Russia. It is believed that either or both of two major Russian hacking groups, Fancy Bear (or APT 28) and Cozy Bear (or APT 29) are behind the attacks. (Bloomberg News, 6/17/2016)

March 2016: The same hacking group that allegedly breaches the DNC [Democratic National Committee] computer network may also breach computers of some Clinton presidential campaign staffers.

Clinton's Deputy Communications Director, Kristina Schake (Credit: Getty Images)

Clinton’s Deputy Communications Director, Kristina Schake (Credit: Getty Images)

The hacker or hacking group is known by the nickname Fancy Bear, and is alleged to be working for the Russian government. Fancy Bear gets into the DNC network in April 2016, which makes it separate from the efforts of Cozy Bear (alleged also to be linked to Russia) or Guccifer 2.0 (alleged to be a “lone hacker”) which in either case got into the network for about a year. Fancy Bear’s attack on Clinton’s staffers is said to start in March 2016, according to the security firm SecureWorks. Targets include Clinton’s communications and travel organizers, speechwriters, policy advisers, and campaign finance managers.

The hackers use the “spear phishing” technique of sending an email from a seemingly trusted source in order to get the target to click on a link. In this case, the links are shortened by an Internet service known as Bitly to make it hard to notice that they’re bogus. They take the target to a fake Google login page, since most or all of Clinton’s staffers use Gmail. Once the target gives their user name and password, the hacker can log into the real account and access all the data. The hackers create 213 links targeting 108 hillaryclinton.com addresses. Twenty of those are clicked, raising the possibility that some accounts are successfully breached. (Forbes, 6/16/2016)

June 14, 2016: Hackers allegedly linked to the Russian government broke into the DNC’s files.

Democratic National Committee headquarters in Washington, DC. (Credit: public domain)

Democratic National Committee headquarters in Washington, DC. (Credit: public domain)

The Washington Post reports that the emails, text messages, and other computer files of The DNC [Democratic National Committee] were accessed by two groups allegedly linked to Russia. Opposition research on Republican presidential candidate Donald Trump was stolen.

One group known as Cozy Bear broke into the DNC’s network a year ago and maintained access without getting caught. The other group known as Fancy Bear, apparently working independently, did so much more recently. These same hackers also probed the networks of both the Trump and Clinton campaigns, as well as some Republican political action committees, but it is unknown if those attacks succeeded.

The first hacking group typically uses “spear phishing” to gain access. This is when an email appears to come from a someone the recipient knows but actually is meant to trick that person into activating embedded malicious code by clicking on an attachment or link. (Wired, 6/14/2016) (The Washington Post, 6/14/2016

Forbes comments that the “Holy Grail of Russian intelligence is uncovering compromising material that can be used to embarrass, manipulate, or blackmail foreign political leaders.” Furthermore, “If the DNC’s cyber secrets are open to Russian intelligence hackers, the odds are overwhelming that they have Clinton’s private emails as well, especially given that Clinton’s private server was a target of the highest value.” This means Clinton could be blackmailed or otherwise manipulated by Russia as well. Forbes also notes how both cases involved spear phishing. (Forbes, 6/14/2016) 

Clinton was targeted by spear phishing at least three times, twice in May 2011, and once in July 2011. It is unknown if any of those attacks succeeded. (US Department of State, 10/30/2015) (US Department of State, 3/5/2015) (US Department of State, 5/25/2016)

June 20, 2016: Two more cybersecurity companies support CrowdStrike’s conclusion that the Russian government was behind the recent hack of the DNC computer network.

Michael Buratowski (Credit: FidelisCybersecurity)

Michael Buratowski (Credit: FidelisCybersecurity)

The companies are Fidelis Cybersecurity and Mandiant. They base their analysis on five malware samples used in the hacking attack. Fidelis executive Michael Buratowski says, “Based on our comparative analysis, we agree with CrowdStrike and believe that the Cozy Bear and Fancy Bear…groups were involved in successful intrusions at the DNC [Democratic National Committee] . […] The malware samples matched the description, form and function that was described in the CrowdStrike blog post. In addition, they were similar and at times identical to malware that other [research firms] have associated to these actor sets.”

However, the Washington Post reports, “It is also possible, researchers said, that someone else besides the Russians were inside the DNC’s network and had access to the same documents.” (The Washington Post, 6/20/2016) 

A law firm reviewing the DNC attack, Baker & McKenzie, has begun working with three cybersecurity companies to review CrowdStrike’s findings. Fidelis Cybersecurity is one of them, along with FireEye and Palo Alto Networks, Inc. (Bloomberg News, 6/21/2016) (Fidelis Cybersecurity, 6/20/2016)

July 26, 2016: US intelligence agencies have “high confidence” that the Russian government is behind the hack of DNC emails.

160726RussianFederalSecurityService

Emblem of the Russian Federal Security Service (Credit: public domain)

The New York Times claims this is according to unnamed “federal officials who have been briefed on the evidence.” But these officials are uncertain if the hack is part of “fairly routine cyberespionage” or part of an effort to manipulate the 2016 US presidential election. The DNC (Democratic National Committee) emails were  published by WikiLeaks on July 22, 2016, causing political turmoil for Democrats and resulting in the resignation of Debbie Wasserman Schultz, from her position as DNC chair.

The federal investigation, involving the FBI and other intelligence agencies began in April 2016, when the hack was first detected. It has concluded that the Russian Federal Security Service (Federal’naya Sluzhba Bezopasnosti or FSB) entered the DNC’s computer network in the summer of 2015. (This corresponds with previous reports of a hacking by a Russian group known as Cozy Bear or APT 29.) The Rusian Main Intelligence Directorate (Glavnoje Razvedyvatel’noje Upravlenije or GRU) independently penetrated the same network later. (This corresponds with previous reports of a hacking by a Russian group known as Fancy Bear or APT 28.) Investigators believe the GRU has been playing a larger role in publicly releasing the emails.

The Times says the intelligence community’s conclusion puts pressure on President Obama to publicly accuse Russia of orchestrating the hacking, which could negatively impact the diplomatic relationship between the US and Russia in general. (The New York Times, 7/26/2016)

September 1, 2016: Putin denies that Russia was involved in the DNC hack.

Russian President Vladimir Putin says in an interview about accusations of Russian government in the hacking of Democratic National Committee (DNC) emails: “Listen, does it even matter who hacked this data? The important thing is the content that was given to the public …. There’s no need to distract the public’s attention from the essence of the problem by raising some minor issues connected with the search for who did it. … But I want to tell you again, I don’t know anything about it, and on a state level Russia has never done this.”

However, an internal probe conducted by CrowdStrike Inc. traced the source of the hack to two Russian hacking groups connected with Russian intelligence, “Cozy Bear” and “Fancy Bear.”

John Lewis (Credit: public domain)

James Lewis (Credit: public domain)

James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, claims that Russia has engaged in state hacking in the past and that Putin’s denials are “not credible.”

Putin continues: “You know how many hackers there are today? They act so delicately and precisely that they can leave their mark — or even the mark of others — at the necessary time and place, camouflaging their activities as that of other hackers from other territories or countries. It’s an extremely difficult thing to check, if it’s even possible to check. At any rate, we definitely don’t do this at a state level.” (Bloomberg News, 9/1/2016)