Daniel had prided himself on the Obama administration’s work to set clear boundaries on state-sponsored hacker provocations. Working together with Obama administration officials from the Department of Justice to the Pentagon to the Departments of State and Commerce, his team had answered misbehavior by foreign hackers with rigorous retaliation. In 2014, for instance, after Chinese cyberspies had for years pillaged American intellectual property, the Obama Justice Department had identified and levied criminal charges against five members of a Chinese People’s Liberation Army hacking unit by name. The next year, the State Department threatened China with sanctions if the economic espionage continued. China’s president, Xi Jinping, more or less capitulated, signing an agreement that neither country would hack the other’s private sector targets. Security companies such as CrowdStrike and FireEye reported an almost immediate drop-off in Chinese intrusions—90 percent according to CrowdStrike—an unprecedented victory for cybersecurity diplomacy.
North Korea’s Sony attack had received almost as forceful a response. And the administration would later indict a group of Iranian state hackers, too, accusing them of DDoS attacks against American banks and of probing the computer systems of a U.S. dam in upstate New York. (The Bowman Avenue Dam they’d targeted was only about twenty feet tall. The hackers might have intended to hit the far larger and more critical Bowman Dam in Oregon.) The message of all those hard-line disciplinary actions was this: No foreign state gets away with hacking American companies or digitally disrupting U.S. infrastructure.
Then came an actual, full-blown act of cyberwar against Ukraine, and all the same diplomats and security officials went silent. Why?
Michael Daniel’s immediate train of thought when he first learned of the blackout may offer an answer: When a phone call from the DHS alerted him to Sandworm’s attack the day after Christmas, his first reaction was alarm. “The thing we’ve been worried about has actually happened,” he thought. But moments later, he remembers having a very different feeling: “My second reaction was a little bit of relief that it wasn’t domestic to the U.S.”
Daniel was deeply troubled by the notion that Russian hackers were willing to attack civilian infrastructure. Worse, these seemed to be the same hackers who’d been probing U.S. infrastructure only a year earlier. He had no illusions that the techniques used in the blackout attacks were limited to Ukrainian targets. “We have those systems in the United States, and we can’t claim those systems to be any more secure than what Ukraine is running,” he later told me. In fact, the greater automation in the American grid might mean that it provided even more points of attack. “We were equally if not more vulnerable.” (By the time the U.S. delegation had returned from Ukraine, Daniel also had few doubts that the Russian government was indeed behind the attacks. “If it walks like a duck and quacks like a duck…,” he said.)
But even so, when Sandworm had finally pulled the trigger, it had carried out its attack in Ukraine, four thousand miles away from U.S. borders. This was the source of Daniel’s relief: Ukraine was not America. It wasn’t even a member of NATO. As a result, for the U.S. government, it was officially someone else’s problem.
16
FANCY BEAR
Perhaps the Obama administration, given enough time, would have gotten around to calling out Sandworm’s acts of cyberwar and making an example of the attackers with speeches, indictments, or sanctions. But by June 2016, its attention had been entirely hijacked by another hacker provocation—one that hit far closer to home.
On June 14, The Washington Post revealed that the Democratic National Committee had been penetrated for months by not one but two teams of state-sponsored Russian hackers. The security firm CrowdStrike, which the DNC had brought in to analyze its breach two months earlier, published a blog post identifying the pair of intrusion crews inside the Democrats’ network as Cozy Bear and Fancy Bear, teams it had watched carry out spying campaigns for years, hitting everyone from the U.S. State Department and the White House to aerospace and defense contractors.
Based on past years of detective work, CrowdStrike tied Fancy Bear to the Russian military intelligence agency known as the GRU. Cozy Bear, it would later be revealed, worked within Russia’s SVR foreign intelligence agency. (The two “bear” names derived from CrowdStrike’s system of labeling hacker teams with different animals based on their country of origin—bears for Russia, pandas for China, tigers for India, and so on.) “Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services,” CrowdStrike’s analysis read.
In other words, these were teams that seemed to be focused on silent cyberespionage of the kind Russia had carried out since the days of Moonlight Maze, not the louder, more disruptive cyberwar tactics Sandworm had only just begun to demonstrate. (CrowdStrike had in fact tracked Sandworm’s attacks too. Its own code name for the group was Voodoo Bear.)
But while the DNC hack wasn’t an act of disruptive cyberwar, neither would it prove to be an ordinary espionage operation. Just twenty-four hours after news of the breach broke, a figure calling himself Guccifer 2.0 appeared on Twitter, posting links to a blog that introduced him to the world. The post was titled “DNC Servers Hacked by a Lone Hacker.”
“Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by ‘sophisticated’ hacker groups,” Guccifer 2.0 wrote glibly. “I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.”
What came next in the post shocked the world: a sample of actual stolen documents from the DNC’s servers. They included a file of opposition research on the Republican presidential front-runner, Donald Trump, policy documents, and a list of donors by name and amount. “The main part of the papers, thousands of files and mails, I gave to WikiLeaks. They will publish them soon,” Guccifer 2.0 wrote. “Fuck the Illuminati and their conspiracies!!!!!!!!!”
That “Illuminati” reference and Guccifer 2.0’s name were meant to convey a kind of rogue hacktivist, stealing and leaking the documents of the powerful to upend the corrupt social order. The original Guccifer had been a Romanian amateur hacker named Marcel Lehel Lazăr who had broken into the email accounts of high-profile figures like Colin Powell, the Rockefeller family, and the sister of former president George W. Bush.
Guccifer 2.0 took on the persona of a cocky eastern European cyberpunk who idolized figures like the original Guccifer, Edward Snowden, and Julian Assange. “Personally I think that I’m among the best hackers in the world,” he would write in a FAQ.
When CrowdStrike maintained that Guccifer 2.0 was a thin disguise meant to obscure the Russian state hackers behind the DNC intrusion, Guccifer 2.0 shot back with vague denials. “They just fucked up! They can prove nothing!” he wrote. “All I hear is blah-blah-blah, unfounded theories and somebody’s estimates.”
But in reality, the Russians’ mask almost immediately showed cracks. A former staffer for the British intelligence service GCHQ, Matt Tait, found that the very first document the Russians released, the Trump opposition file, contained Russian-language formatting-error messages. Moreover, the metadata from the file showed that it had been opened on a computer with the username “Feliks Dzerzhinsky.” That clue was almost comically revealing: Dzerzhinsky was the founder of the Soviet secret police, whose bronze statue had once stood in front of the KGB headquarters.
When the tech news site Motherboard reached out to Guccifer 2.0 via Twitter and the hacker agreed to an instant-message interview, Motherboard’s reporter Lorenzo Franceschi-Bicchierai cleverly threw him off guard with a series of questions in English, Romanian, and Russian. Guccifer 2.0 answered those questions in broken English and Romanian and protested that he couldn’t understand the Russia
n. Franceschi-Bicchierai then showed the chat logs to Romanians and language experts who pointed out small linguistic clues that Guccifer wrote like a Russian and appeared to be pulling his Romanian answers from Google Translate. The Russian hackers seemingly hadn’t even bothered to recruit a real Romanian for their cover story.
* * *
■
The flimsiness of the Guccifer 2.0 lie hardly mattered. The hackers sent the news site Gawker the Trump opposition research document, and it published a story on the file that received half a million clicks, robbing the Democrats of the ability to time the release of their Trump dirt. Soon, as promised, WikiLeaks began to publish a steady trickle of the hackers’ stolen data, too; after all, Julian Assange’s secret-spilling group had never been very particular about whether its “leaks” came from whistle-blowers or hackers.
The documents, now with WikiLeaks’ stamp of credibility, began to be picked up by news outlets including The New York Times, The Washington Post, The Guardian, Politico, BuzzFeed, and The Intercept. The revelations were very real: It turned out the DNC had secretly favored the candidate Hillary Clinton over her opponent Bernie Sanders as the presumptive Democratic nominee for president, despite the committee’s purported role as a neutral arbiter for the party. DNC officials had furtively discussed how to discredit Sanders, including staging public confrontations about his religious beliefs and an incident in which his campaign’s staff allegedly accessed the Clinton campaign’s voter data.
The DNC chairwoman, Debbie Wasserman Schultz, was hit the hardest. The stolen emails revealed that she had privately written that Sanders’s campaign manager was a “damn liar” and that Sanders “isn’t going to be president.” A little over a month after the hacked emails first began to appear, she resigned.
But the hackers weren’t content to rely on WikiLeaks, nor was the DNC their only victim. Over the next several months, Guccifer 2.0’s stolen DNC emails also began to appear on a new site called DCLeaks, along with emails stolen from other targets ranging from Republican and Democratic lawmakers to General Philip Breedlove, an air force official who had pushed for a more aggressive response to Russia’s invasion of Ukraine. Despite DCLeaks’ attempt to appear as another whistle-blowing “leak” site, the security firm ThreatConnect quickly identified it as a cover for Russia’s Fancy Bear hackers, based on overlapping target data with known Fancy Bear intrusion operations and clues in DCLeaks’ registration data.
If anyone still doubted that Fancy Bear was behind the serial data dumps, that uncertainty lifted in September 2016, when the group launched a new attack on the World Anti-Doping Agency. Putin’s government had been furious at the agency’s recommendation that all Russian athletes be banned from that year’s Summer Olympics after multiple athletic teams from the country were found to be part of widespread programs of performance-enhancing drug use. In retaliation, Fancy Bear published the stolen medical records of the tennis stars Venus and Serena Williams and the gymnast Simone Biles, showing they too had used medications that could be interpreted—at a stretch—as offering athletic advantages. This time, in a blatant mockery of critics, the leaks were published on Fancybears.net, a website covered with clip art and animated GIFs of bears.
Fancy Bear had emerged as brash practitioners of what intelligence analysts call “influence operations.” More specifically, they were using an old Russian intelligence practice known as kompromat: the tradition, stretching back to Soviet times, of obtaining compromising information about political opponents and using it to leverage public opinion with tactical leaks and smears.
Sandworm’s hackers were stealthy, professional saboteurs. Fancy Bear, by contrast, seemed to be shameless, profane propagandists. And now, in the service of Vladimir Putin, they were tasked with helping Donald Trump to win the presidency.
The 2016 presidential race wasn’t Fancy Bear’s first time using its skills to influence elections. In May 2017, a group of security researchers at the University of Toronto called the Citizen Lab would find forensic evidence that the group was also behind CyberBerkut, the pro-Putin hacktivist group that had in 2014 hacked Ukraine’s Central Election Commission. Like Guccifer 2.0 and DCLeaks, CyberBerkut was just another cover story.
Most of the group’s techniques were simple. Next to an operation like Sandworm’s 2015 Christmas blackout, they were practically primitive. But one of Fancy Bear’s crudest tactics turned out to be its most effective of all: a rudimentary spoofed log-in page.
On October 7, WikiLeaks began publishing a new series of leaks, this time stolen directly from the email account of Hillary Clinton’s campaign chair, John Podesta. The previous March, Podesta had fallen prey to a basic phishing email, directing him to a fake Gmail site that asked for his username and password, which he handed over. The site, of course, was a Fancy Bear trap.
WikiLeaks would trickle out its resulting stash of Clinton campaign kompromat for weeks to come. The revelations included eighty pages of closely guarded speeches Clinton had given to private Wall Street audiences. One included a reference to politicians’ need to have separate “public” and “private” positions, which her critics interpreted as an admission of deception. Another seemed to call for “open borders,” enraging immigration hard-liners. The daily media bombs would keep the campaign off balance through its final days.*1
The Podesta hack also eradicated any last doubts about Fancy Bear’s role: The security firm Secureworks found the link to the fake Gmail site that had tricked Podesta was created with an account on the URL-shortening service Bitly that had also been used to target hundreds of other Fancy Bear victims, from Ukrainian officials to Russia-focused academics and journalists.
Trump, of course, brushed aside the evidence of Russia’s involvement and reveled in the flood of scandals. “I love WikiLeaks!” he declared at one rally. At another point, he quipped that he hoped the Russian hackers had also breached the controversial private email server Clinton had set up in her home, and asked the hackers to release thousands more of her emails. But for the most part, Trump nihilistically denied that those leaks had been enabled by the Kremlin, instead suggesting that the hackers might just as easily be Chinese or a “400-pound” loner or that the Democrats had hacked themselves. Trump’s obfuscation served Fancy Bear well: Even months later, in December 2016, only about a third of Americans believed Russia had meddled in the U.S. election, while 44 percent doubted it, and a quarter were unsure.*2
Whether the Kremlin actually expected to swing the 2016 race with its influence operation has never been clear. Putin, whose hatred of Hillary Clinton since her days as secretary of state under Obama could barely be concealed, might have simply wished to saddle her presidency with crippling political baggage. Russian officials, of course, repeatedly denied any hand in the attacks. But regardless of what outcome they imagined, they had successfully thrown the core of American democracy into chaos.
When I met up with CrowdStrike’s chief technology officer, Dmitri Alperovitch, at a park in Manhattan’s financial district in October 2016, with the election just weeks away, he seemed to almost grudgingly admire the effectiveness of the hackers whose operation his firm had first uncovered four months earlier.
“I think they’ve gotten medals already,” he said ruefully. “They’ve had success beyond their wildest dreams.”
In fact, Fancy Bear’s real moment of glory came three weeks later: Donald Trump won the U.S. presidential election.
* * *
■
When J. Michael Daniel had become Obama’s most senior official concerned solely with cybersecurity in 2012, one of his first big moves had been to fly to Moscow in 2013 to finalize a “cyber hotline.” Using a protocol first established to prevent nuclear Armageddon half a century earlier, the hotline was intended to serve as an open channel between the White House and the Kremlin for sending messages about cyberattacks, a kind of safety valve to avoid misunderstand
ings that might lead to unnecessary escalation and war. Daniel describes the setup as a “glorified, dedicated email system.”
On October 7, 2016, Daniel used that hotline for the first and only time in his tenure, to send a message to Putin in response to Russia’s blatant election interference. He paraphrases the message: “We know that you are carrying out these kinds of activities. And stop. Knock it off.” The same day, the Department of Homeland Security and the Office of the Director of National Intelligence released a public statement that U.S. intelligence agencies had officially come to a consensus that the Russian government was the source of the stolen emails, as cybersecurity researchers had been pointing out for four months.
Eventually, in the waning days of Obama’s presidency, the administration would escalate its response to include new economic sanctions against Russian intelligence agencies as punishment for their election hacking, effectively preventing them from doing any business with American citizens and companies. The order would eject thirty-five Russian diplomats from the United States and seize control of two Russian government compounds on U.S. soil. James Lewis, a cybersecurity-focused fellow at the Center for Strategic and International Studies, would describe the reaction as “the biggest retaliatory move against Russian espionage since the Cold War.”
But on the subject of Russia’s blackout attacks, the hotline from the White House to the Kremlin remained silent. Sandworm had been sent an implicit signal. It could now proceed with impunity.
*1 The most powerful effect of those leaks may have been to distract from a shocking video released by The Washington Post on October 7, in which Trump bragged on the set of the TV show Access Hollywood that he had grabbed women’s genitals without their consent. WikiLeaks published the first Podesta leaks just hours after that tape surfaced.
Sandworm Page 13