January 13, 2015: Clinton’s press secretary has “teed-up stories” for a New York Times reporter before and she has “never disappointed.”

Maggie Haberman (Credit: public domain)

Nick Merrill, Clinton’s campaign press secretary, writes an email memo to Clinton’s other core staffers (including John Podesta and Robby Mook) who are developing a strategy that is described as being “designed to plant stories on Clinton’s decision-making process about whether to run for president.”

The email names Maggie Haberman, who at the time writes for Politico but will switch to covering the election for the New York Times one month later. Merrill writes, “We have ha[d] a very good relationship with Maggie Haberman of Politico over the last year. We have had her tee up stories for us before and have never been disappointed. … [F]or this we think we can achieve our objective and do the most shaping by going to Maggie.”

According to a later article by the Intercept, “The following month, when she is at the Times, Haberman publishes two stories on Clinton’s vetting process.”

The Intercept will be given this email and others by the hacker known as Guccifer 2.0 in October 2016. The Intercept will comment that the email is just one of many “Internal strategy documents and emails among Clinton staffers” that “shed light on friendly and highly useful relationships between the campaign and various members of the US media, as well as the campaign’s strategies for manipulating those relationships. … At times, Clinton’s campaign staff not only internally drafted the stories they wanted published but even specified what should be quoted ‘on background’ and what should be described as ‘on the record.’” (The Intercept, 10/09/2016) (Wikileaks, 10/13/2016)

Summer 2015—May 2016: One or more hackers access the DNC’s computer network.

CrowdStrike logo (Credit: CrowdStrike)

In June 2016, it will be reported that the computer network of the DNC [Democratic National Committee] was compromised for about a year. Around May 2016, the security company CrowdStrike is hired by the DNC to investigate and stop the hacking attack. According to CrowdStrike, there actually are two different groups that successfully break into the network, both of them linked to the Russian government.

The first group is said to be known by the nickname Cozy Bear. In 2015, it allegedly successfully infiltrated the unclassified networks of the White House, State Department, US Joint Chiefs of Staff, and others. This group gets into the DNC’s network in the summer of 2015 and is not stopped until May 2016.

The second group is said to be known by the nickname Fancy Bear, and it also has had many other successful attacks. It gets into the network in April 2016 and also is stopped in May 2016.

On June 15, 2016, someone going by the nickname “Guccifer 2.0” posts DNC files on the Internet. This person claims to have no connection to the Russian government, but also claims to have accessed the DNC network for “almost a year,” which is similar to what CrowdStrike says about Cozy Bear. (CrowdStrike.com, 6/15/2016) (The Washington Post, 6/15/2016)

March 2016: The same hacking group that allegedly breaches the DNC [Democratic National Committee] computer network may also breach computers of some Clinton presidential campaign staffers.

Clinton's Deputy Communications Director, Kristina Schake (Credit: Getty Images)

The hacker or hacking group is known by the nickname Fancy Bear, and is alleged to be working for the Russian government. Fancy Bear gets into the DNC network in April 2016, which makes it separate from the efforts of Cozy Bear (also alleged to be linked to Russia) or Guccifer 2.0 (alleged to be a “lone hacker”), each of which is said to have been in the network for about a year. Fancy Bear’s attack on Clinton’s staffers is said to start in March 2016, according to the security firm SecureWorks. Targets include Clinton’s communications and travel organizers, speechwriters, policy advisers, and campaign finance managers.

The hackers use the “spear phishing” technique of sending an email from a seemingly trusted source in order to get the target to click on a link. In this case, the links are shortened by an Internet service known as Bitly to make it hard to notice that they’re bogus. They take the target to a fake Google login page, since most or all of Clinton’s staffers use Gmail. Once the target gives their user name and password, the hacker can log into the real account and access all the data. The hackers create 213 links targeting 108 hillaryclinton.com addresses. Twenty of those are clicked, raising the possibility that some accounts are successfully breached. (Forbes, 6/16/2016)

June 15, 2016: A hacker nicknamed Guccifer 2.0 posts files showing they were behind the DNC hack.

(Credit: public domain)

One day after the Washington Post reported that alleged Russian hackers broke into the DNC’s [Democratic National Committee] computer network, a man using the nickname “Guccifer 2.0” creates a new website showing that he obtained the DNC files. Guccifer 2.0 likely has no connection to Guccifer, who is now in a US prison, but seems inspired to take the name due to Guccifer’s earlier hacking notoriety.

He posts a 200-page opposition research file on Republican presumptive presidential nominee Donald Trump dating from December 2015, as well as other computer files from the DNC. The files include a sample of donor information, contradicting the DNC’s claim from the day before that no financial information had been stolen.

Guccifer 2.0 also claims to have given “thousands of files and mails” to WikiLeaks. This comes several days after WikiLeaks head Julian Assange promised to post more of Clinton’s emails soon. The security firm CrowdStrike was hired to investigate the DNC hack, and they claimed to be confident that it was a sophisticated operation done by two hacking groups with ties to the Russian government.

However, Guccifer 2.0 claims to be working independently, and says of CrowdStrike, “I’m very pleased the company appreciated my skills so highly. But in fact, it was easy, very easy.”

However, CrowdStrike stands by their original claim and suggests the new website could be “part of a Russian intelligence disinformation campaign.” (Wired, 6/15/2016) (Vice News, 6/15/2016) 

NBC News reports that “several Democratic sources familiar with the party’s opposition research efforts said they believed the opposition research book to be authentic. It also includes links to data stored on internal DNC servers, which would not be accessible to people outside the committee.” (NBC News, 6/15/2016)

June 16, 2016: Various clues suggest that “Guccifer 2.0” could be a front for Russian hacking efforts.

Copy of the metadata and the nickname for Felix Dzerzhinsky, written in the Cyrillic alphabet. (Credit: Ars Technica)

On June 15, 2016, someone going by the name “Guccifer 2.0” claimed to be the “lone hacker” behind the breach of the DNC [Democratic National Committee] computer network reported in the media the day before.

However, various clues support the assertion by security experts hired by the DNC that the hacking effort is connected to the Russian government or at least originates from Russia:

  • The metadata of one file sent by Guccifer 2.0 to Gawker indicates the last person to change the file used the nickname for Felix Dzerzhinsky (Феликс Эдмундович), a long-dead Russian statesman best known for founding the Soviet secret police.
  • The nickname is written in the Cyrillic alphabet, which means Guccifer 2.0’s computer was configured to use the Russian language and was connected to a Russian-language keyboard.
  • Another file contains some broken web links. The error message is also written in Russian, using the Cyrillic alphabet.
  • A blog post written by Guccifer 2.0 uses “)))” to indicate a smiley face. This is common in Eastern Europe and Russia but very uncommon elsewhere, due to differences with the Russian-language keyboard. (Ars Technica, 6/16/2016)
  • Other metadata indicates the person who saved the files used a cracked version of Office 2007, which is popular in Russia.
  • Vice News reports that Guccifer 2.0 had no online history prior to June 15, and “multiple security sources said they’d never heard of nor seen anyone by that alias” before that date. (Vice News, 6/16/2016)
  • Dave Aitel, CEO of Immunity Security, comments, “You don’t have the FBI or DHS [Department of Homeland Security] coming out and saying: ‘Hey we don’t think it’s Russia.’ If it is Russia, a nation state, it’s a pretty big deal. Otherwise the FBI would say: ‘We’re conducting an investigation.’ But they’re not saying that.”

Ars Technica comments, “Of course, it’s still possible that the Russian fingerprints were left intentionally by someone who has no connection to Russia, or by a Russian-speaking person with no connection to the Russian government, or any number of other scenarios.” (Ars Technica, 6/16/2016)

June 17, 2016: Some cybersecurity experts doubt the Russian government is behind recent hacking attacks.

Nathaniel Gleicher (Credit: Carmen Holt)

Time Magazine notes that although CrowdStrike, the cybersecurity firm hired by the DNC [Democratic National Committee] to stop the hacking of their computer network, claims the Russian government is behind the attacks, other security experts are skeptical. Someone calling themselves “Guccifer 2.0” has posted some files that appear to come from the DNC hack, and that person claims to be a “lone hacker.”

CrowdStrike asserts this is just an effort to sow confusion about Russian involvement, but some experts doubt that as well.

Nathaniel Gleicher, the former director for cybersecurity policy on the NSC [National Security Council], says, “Attribution is incredibly difficult—I wouldn’t say impossible, but it’s very difficult.”

Reg Harnish, the CEO of the cybersecurity company GreyCastle Security, says the final answer may still be unknown, with political intrigues complicating the picture. “I’ve been personally involved in hundreds of these investigations, and you just don’t end up in the same place where you began. […] I think there’s a lot of misinformation out there right now.”

Scott Borg, the head of the US Cyber Consequences Unit, echoed the skepticism. “Our best guess is that the second (and apparently less skillful) of the two intruders was not Russian intelligence. We are also uncertain about the first group.”

So far, the FBI has not made any comment. (Time, 6/17/2016)

June 18, 2016: Guccifer 2.0 publishes more of the DNC’s financial documents.

A sample of the data released by Guccifer 2.0, revealing personal information of DNC donors. (Credit: Guccifer 2.0)

Two days after emerging to post some DNC [Democratic National Committee] documents on the Internet, the hacker known by the nickname Guccifer 2.0 publishes some more.

This person comments on their new website, “It appears there are a lot of financial reports, donors lists, and their detailed personal information, including e-mail addresses and private cell phone numbers…I got tons of files and docs.” This person also promises to post more soon.

Business Insider notes: “The Washington Post’s initial report stated that the hacker’s avoidance of donor information indicates that the breach was likely the work of ‘traditional espionage,’ but the new information posted by Guccifer 2.0, if legitimate, seems to discredit that line of thinking.”

The DNC has not confirmed that the documents are genuine, but has not denied it either. It is unknown who Guccifer 2.0 is, but security experts hired by the DNC assert the Russian government is behind the leaks. (Business Insider, 6/18/2016)

June 21, 2016: The Clinton Foundation’s computer network was recently successfully hacked by alleged Russian hackers.

Bloomberg News reports this is according to three unnamed “people familiar with the matter.” Clinton Foundation officials say they haven’t been notified of the attack and refuse to say more. The breach was discovered as recently as one week earlier.

The attack appears to be part of a larger sweep of attacks that has targeted at least 4,000 email accounts of people connected to US politics since about October 2015. Many of the targets appear to be linked to Clinton.

Bloomberg News comments, “The thefts set the stage for what could be a Washington remake of the public shaming that shook Sony in 2014, when thousands of inflammatory internal emails filled with gossip about world leaders and Hollywood stars were made public.”

Someone going by the nickname “Guccifer 2.0” has been releasing documents from a hack on the DNC [Democratic National Committee] but it is unknown if this person is linked to the foundation attack. (Bloomberg News, 6/21/2016)

June 21, 2016: Guccifer 2.0 releases 261 more files from the DNC hack.

This is the third release by Guccifer 2.0 of files from the DNC [Democratic National Committee] in a week. Guccifer 2.0 claims on his website, “It’s a big folder of docs devoted to Hillary Clinton that I found on the DNC server.” The files are compilations of news reports and other publicly available documents on existing or likely Democratic candidates from around April 2015, and the vast majority of the files contain information from that time or earlier. Nearly all the files are about Clinton, noting stories that could hurt her and often countering them with pro-Clinton talking points.

The DNC has neither confirmed nor denied that Guccifer 2.0 files come from the DNC breach, but Mother Jones notes that the “new trove of documents [were] apparently pilfered from the [DNC].” (Mother Jones, 6/21/2016)

June 21, 2016: Democrats hope that blaming recent hacking attacks on the Russian government will limit the political fallout.

Glen Caplin (Credit: Global Strategy Group)

Bloomberg News reports, “If the Democrats can show the hidden hand of Russian intelligence agencies, they believe that voter outrage will probably outweigh any embarrassing revelations, a person familiar with the party’s thinking said.”

In the same article, Clinton spokesperson Glen Caplin refuses to comment on details about recent hacking attacks or confirm if any of Clinton’s campaign staff got successfully hacked. However, Caplin does say, “What appears evident is that the Russian groups responsible for the DNC hack are intent on attempting to influence the outcome of this election.”

The DNC [Democratic National Committee] similarly won’t comment on details or confirm reports of successful attacks. However, the DNC issues a written statement that it believes recent leaks by Guccifer 2.0 are “part of a disinformation campaign by the Russians.”

The Russian government has denied any involvement. (Bloomberg News, 6/21/2016)

June 21, 2016: Guccifer 2.0 is interviewed and claims to be Romanian, not Russian.

Starting June 15, 2015, someone using the nickname “Guccifer 2.0” created a website and started posting files that appear to come from a recent hack of the DNC [Democratic National Committee] computer network. He claims to be a “lone hacker” while some have suggested that he is a front for the Russian government.

For the first time, he is interviewed, by Vice News, through Twitter, so his appearance and location remain unknown. He says he is from Romania, just like the original hacker nicknamed Guccifer, who is now in a US prison. However, Vice News asks him to answer a question in Romanian and he declines to do so. He does make a few comments in Romanian, but they have numerous errors. He says he deliberately left Russian metadata in the leaked documents as his personal “watermark.” Yet he claims, “I don’t like Russians and their foreign policy. I hate being attributed to Russia.”

He says he first breached the DNC network in the summer of 2015. “Then I installed my Trojans on several PCs. I had to go from one PC to another every week so CrowdStrike couldn’t catch me for a long time. I know that they have cool intrusion detection system. But my heuristic algorithms are better.” He claims he finally got kicked out of the network on June 12, 2016, when the DNC “rebooted their system.”

He says he has had other successful hacking attacks, but he refuses to name the targets because “my safety depends on it.” He says he doesn’t care about Donald Trump but targeted the DNC to emulate the work of the original Guccifer. (Vice News, 6/21/2016)

July 22, 2016: WikiLeaks releases almost 20,000 DNC emails as the first of a series of Clinton-related leaks.

WikiLeaks publicly releases 19,252 emails and 8,034 email attachments recently hacked from the Democratic National Committee (DNC). The emails are from seven DNC officials: Communications Director Luis Miranda (10,770 emails), National Finance Director Jordan Kaplan (3,797 emails), Finance Chief of Staff Scott Comer (3,095 emails), Finance Director Zachary Allen (1,611 emails), Finance Director of Data and Strategic Initiatives Daniel Parrish (1,472 emails), Senior Advisor Andrew Wright (938 emails) and Northern California Finance Director Robert (Erik) Stowe (751 emails). The emails are from January 2015 until May 25, 2016.

The seven DNC officials are, left to right, Luis Miranda (Credit: public domain), Jordan Kaplan (Credit: Facebook), Scott Comer (Credit: LinkedIn), Zachary Allen (Credit: Twitter), Daniel Parrish (Credit: LinkedIn), Andrew Wright (Credit: LinkedIn), Robert (Erik) Stowe (Credit: LinkedIn)

In announcing the release, WikiLeaks mentions this is “part one of our new Hillary Leaks series.” (WikiLeaks, 7/22/2016)

Julian Assange, head of WikiLeaks, mentioned in a June 2016 interview that other coming releases will relate to the Clinton Foundation and to Clinton’s emails (although it’s not clear how many there are or where and when they are from). It also was reported in June 2016 that the DNC computer network had been recently hacked, along with other political entities, such as the Clinton campaign. It also was suspected that the Russian government was behind the DNC hack. However, a previously unknown hacker named Guccifer 2.0 emerged and claimed to be behind the hack, and also claimed to have no ties to Russia. He furthermore claimed to have given thousands of documents to WikiLeaks.

WikiLeaks has a policy of never revealing the sources of their leaked material, and has maintained that policy for this release.

July 22, 2016: Guccifer 2.0 takes credit for the DNC emails posted by WikiLeaks.

Tweet posted by Guccifer 2.0 on July 22, 2016. (Credit: Guccifer 2.0 / Twitter)

Shortly after WikiLeaks publishes almost 20,000 emails from the Democratic National Committee (DNC), the hacker known as Guccifer 2.0 takes credit. His website is not updated, but he writes at his Twitter account: “@wikileaks published #DNCHack docs I’d given them!!!” (Twitter, 6/22/2016)

He has previously posted many DNC files on his own website, starting on June 15, 2016. And on that same day, he claimed that he had given “thousands of files and mails” to WikiLeaks.

 

July 25, 2016: WikiLeaks discourages suggestions that the Russian government is behind its release of DNC emails.

Wikileaks cartoon that accompanied the DNC documents release. (Credit: Latoff / Wikileaks)

In an interview with NBC News, WikiLeaks leader Julian Assange won’t say who gave WikiLeaks the Democratic National Committee (DNC) emails they have recently made public, as the group has a policy to never reveal their sources.

However, Assange discourages the widespread speculation that the emails come from hackers linked to the Russian government. Assange suggests that the DNC’s security was so weak that it could have been hacked by multiple groups. He also insists, “The emails that we have released are different sets of documents to the documents of those [that] people have analyzed.”

A hacker or hacking group going by the name of Guccifer 2.0 claims to have given the emails to WikiLeaks, but WikiLeaks has not confirmed this.

A WikiLeaks representative also comments, “Our publication of leaked DNC emails and the many DNC hacks over the last two years are separate incidents and should not be conflated.” (The Daily Beast, 7/26/2016)

July 26, 2016: A cybersecurity group claims to have new evidence that Guccifer 2.0 is actually a team of Russian hackers.

Guccifer 2.0 is a hacker who claims he broke into the Democratic National Committee (DNC) computer network and then gave the emails he found to WikiLeaks. He also claims to be an East European with no connection to Russia.

ThreatConnect logo (Credit: public domain)

However, the cybersecurity research group ThreatConnect claims to have new evidence linking Guccifer 2.0 to an Internet server in Russia and to a digital address that has been linked to previous Russian online scams. They conclude that Guccifer 2.0 is actually an “apparition created under a hasty Russian [denial and deception] campaign” to influence political events in the US.

Their report concludes, “Maintaining a ruse of this nature within both the physical and virtual domains requires believable and verifiable events which do not contradict one another. That is not the case here.” For instance, Guccifer 2.0 claims to have broken into the DNC network in the summer of 2015 using a software flaw that didn’t exist until December 2015.

Furthermore, the Guccifer 2.0 entity is “a Russia-controlled platform that can act as a censored hacktivist. Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives.” (The Daily Beast, 7/26/2016)

August 12, 2016: Whoever hacked DNC and other Democrat-related emails in the last year may have also targeted Republicans.

The Daily Beast reports that cybersecurity experts believe the hacker or hackers who stole emails from the DNC (Democratic National Committee) are behind a website known as DCLeaks. The site went public in June 2016 to little media attention. But the site contains emails from hundreds of Republican and Democratic US politicians, including staffers to Republican Senators John McCain and Lindsey Graham, plus staffers to former Republican Representative Michele Bachmann. An unnamed “individual close to the investigation of the Democratic Party hacks” says the evidence is growing that both parties have been targeted. “Everyone is sweating this right now. This isn’t just limited to Democrats.”

Senators John McCain (left) and Lindsey Graham (right) (Credit: Kevin Lamarque / Reuters)

The cybersecurity company ThreatConnect has been investigating the recent hacks of US political targets, and they call DCLeaks a “Russian-backed influence outlet.” In particular, they have linked it to Fancy Bear (a.k.a. APT 28), a hacking group also accused of hacking the DNC, and believed by many to be working for the Russian government. “DCLeaks’ registration and hosting information aligns with other Fancy Bear activities and known tactics, techniques, and procedures.” They also claim that the hacker or hacking group known as Guccifer 2.0, who claims to be behind the hacking of the DNC emails that WikiLeaks publicly posted in July 2016, is linked to DCLeaks.

The Daily Beast reports that “researchers, at ThreatConnect and elsewhere, also now believe that Guccifer 2.0 was WikiLeaks’ source and that the group is acting as a front for the Russian government.” (The Daily Beast, 8/12/2016)

October 7, 2016: The US government formally accuses the Russian government of hacking and publishing emails related to US political entities.

James Clapper (Credit: Mark Wilson / Getty Images)

Director of National Intelligence James Clapper releases a statement in conjunction with the Department of Homeland Security claiming that leaked emails that have appeared on a variety of websites “are intended to interfere with the US election process. … We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

The New York Times comments that the statement does “not name President Vladimir V. Putin of Russia, but that appear[s] to be the intention.”

Many thousands of emails and other documents have been posted in recent months on the WikiLeaks website, but WikiLeaks won’t say where their leaks come from. Two newly created websites attributed to DCLeaks and Guccifer 2.0 have also posted leaks. Both groups claim to have no ties to the Russian government, but the US government claims otherwise.

The statement adds that US intelligence agencies are less certain who is responsible for “scanning and probing” online voter registration lists in various US states in recent months. Those “in most cases originated from servers operated by a Russian company,” but the statement doesn’t assert that the Russian government is responsible.

Kerry (left) and Russian Minister for Foreign Affairs Sergei Lavrov meet in Geneva to discuss the Syrian crisis on September 9, 2016. (Credit: Agence France Presse)

The Times notes that the “announcement [comes] only hours after Secretary of State John Kerry called for the Russian and Syrian governments to face a formal war-crimes investigation over attacks on civilians in Aleppo and other parts of Syria. Taken together, the developments mark a sharp escalation of Washington’s many confrontations with [Russia] this year.”

US officials had debated for months whether or not to formally accuse Russia, and if so, when. An unnamed “senior administration official” says that with only about a month to go before the November presidential election, President Obama was “under pressure to act now,” in part because the closer the declaration would be to election day, the more political it would seem.

It is unclear what action the US will take in an attempt to punish Russia, if any. A range of options are being considered, including economic sanctions and covert cyber attacks against Russian targets. (The New York Times, 10/7/2016)