In the closing days of the 2016 election campaign, hackers believed to be working for Russian intelligence launched a new wave of attacks on Hillary Clinton’s campaign and the Democratic National Committee — a previously unreported cyberoffensive that heightened concerns, now endorsed by the CIA, that the Russian government was seeking to influence the outcome of the election in favor of Donald Trump, according to sources familiar with the investigations into the attempted intrusions.
The attacks came in the form of so-called “phishing” emails sent to up to nearly a dozen campaign and committee staffers in a renewed effort at penetrating their networks, said Dmitri Alperovitch, the co-founder and chief technology officer of CrowdStrike, the cybersecurity firm hired by the DNC to repel attacks on its network. Staffers at that point were alert enough to reject entreaties to click on the unsolicited email messages that would have allowed the hackers into their computers, he said.
But at least one top Clinton campaign staffer, communications director Jennifer Palmieri, told Yahoo News Sunday that she received an alert from Google in mid-October informing her that her personal Gmail account had been targeted by a “foreign state” actor and that her password needed to be changed.
“They were targeting us throughout the election,” said another former senior Clinton campaign staffer, who asked not to be identified. “They never stopped trying to get back in.”
The disclosure of the late campaign attack could fuel a mounting controversy over U.S. intelligence findings that link Russian intelligence to the cyberattacks for the express purpose of throwing the election as part of a campaign, orchestrated in Moscow, to defeat Clinton.
The Washington Post reported Saturday that the CIA has briefed members of Congress on an assessment that the Russians targeted Democratic political organizations and campaign officials as part of a specific effort to defeat Clinton and elect Trump. This goes beyond an earlier public finding that U.S. intelligence officials were “confident” that the Russian government was behind the cyberattacks, but did not ascribe a motive for the Russians doing so.
One piece of damning evidence behind the new finding is that the CIA and the FBI have both identified specific individuals associated with or close to the Russian government who provided the DNC emails to WikiLeaks, which began publishing them in July, a senior law enforcement official told Yahoo News. Despite reports of a clash between the CIA and the FBI over the motive behind Russia’s intelligence service in launching the operation, the differences are more a matter of “degree” and emphasis, with the FBI believing there may have been “mixed” motives for the Russian effort, the official said. Still, “we all agree they did these things,” the official said.
But President-elect Trump doubled down on his rejection of the intelligence findings in an interview with Fox News anchor Chris Wallace that aired Sunday, dismissing any conclusion that points to Russian government involvement.
“If you look at the story and you take a look at what they said, there’s great confusion,” Trump added. “Nobody really knows, and hacking is very interesting. Once they hack, if you don’t catch them in the act you’re not going to catch them. They have no idea if it’s Russia or China or somebody. It could be somebody sitting in a bed someplace. I mean, they have no idea.”
Alperovitch of CrowdStrike, the cybersecurity firm that first publicly linked the cyberattacks to Russian intelligence, said Sunday that he was “puzzled” by Trump’s remarks and assumes he has not yet been fully briefed on the matter. (CrowdStrike, whose principals include Shawn Henry, the former chief of the FBI’s cyber division, was initially hired by the DNC to investigate the cyberattacks and defend its network last May.)
“At this point, the matter of attribution on the intrusions has been settled,”Alperovitch said. “There is nobody that looks at the evidence who disputes this.” Asked his level of confidence in his firm’s findings, he responded “100 percent.”
Much of the evidence, he said, revolves around the nature of the sophisticated tools used by the attackers on the DNC and forensic evidence showing strong similarities to Russian cyberattacks that have occurred in Ukraine and other Eastern European countries — as well as to intrusions of the Joint Chiefs of Staff, the White House and the State Department and other U.S. government agencies. “The digital fingerprints are of the same origin,” said Alperovitch.
CrowdStrike initially identified two sets of attackers on the DNC’s servers: One, dubbed “Cozy Bear,” was associated with the Russian FSB (the successor to the Soviet KGB) and which first breached the DNC’s network in the summer of 2015. Another, dubbed “Fancy Bear,” has been associated with Russia’s military intelligence service, the GRU. The latter infiltrated the DNC’s network in late April of this year in what turned into a far more devastating attack, resulting in the disclosure of 20,000 internal DNC emails to WikiLeaks — an act, according to Alperovitch, of “information warfare.” (He acknowledged that a third Russian intelligence service, the SVR, which has responsibility for foreign intelligence operations, may also have been involved.)
“When we look at this over 10 years — literally hundreds of intrusions — [and] you look at the tradecraft, you look at the victims, it all points to Russian intelligence services,” Alperovitch said.
In addition, he said, there was another separate cyberattack discovered in late September from an undetermined party that penetrated DNC computers with software containing sensitive voter analytic data that was being provided in regular memos to Clinton campaign manager Robby Mook, the sources said.
The breach was detected by CrowdStrike, and the cyberinvaders were expelled from a cloud server housing the data; this server was distinct from the DNC’s internal computer network that had been previously breached, he said. But the intruders were never identified, and it was never determined whether the data — containing detailed reports on voter registration and estimates of likely voter participation in the November election — was ever actually stolen.
Alperovitch said he doesn’t know whether these hackers were associated with Russian intelligence; they used different methods and publicly available cybertools to pull it off — also he said the DNC never authorized his firm to conduct a full investigation. But he said the late October “phishing” attacks on the DNC and the Clinton campaign resembled the earlier Fancy Bear attacks, leading him to conclude they were likely the work of the GRU.
Moreover, attacks by the Cozy Bear intruders have continued throughout the fall, targeting multiple organizations, including think tanks and universities whose scholars work on Russian policy issues, he said.
And even more recently, he said, there was evidence that the separate “Fancy Bear” hackers are now also attacking political organizations in Germany and elsewhere in Europe in an apparent attempt to meddle in their elections as well. (The chief of German domestic intelligence said last week that there has been a recent increase in “aggressive cyberespionage” against German politicians and warned about “growing evidence for attempts to influence the [German] federal elections next year.”
“These activities have not stopped,” said Alperovitch. “Now that they were executed [in the United States] and they have a successful playbook, I fully expect they are going to continue.”