June 15, 2016
Russian Cyber Attacks in the United States Will ‘Intensify’
Russian intelligence hacked the Democratic National Committee’s network, says Atlantic Council’s Dmitri Alperovitch
By Mitch Hulse
Two Russian groups—codenamed FancyBear and CozyBear—have been identified as spearheading the DNC breach.
“We have a very high-level of confidence that these are Russian intelligence services—both of them. We have a medium-level of confidence that FancyBear is GRU,” said Alperovitch, a senior fellow with the Council’s Cyber Statecraft Initiative, referring to Russia’s military intelligence agency.
Alperovitch is chief technology officer at CrowdStrike, the cybersecurity firm that investigated the DNC breach. Senior DNC officials noticed suspicious network activity in April and called in CrowdStrike to identify the culprits and bolster the committee’s cyber defense.
“A lot of the evidence is based on their previous targets,” said Alperovitch.
“FancyBear has previously targeted ministries of defense all over Europe and they have targeted Georgian military assets extensively during the 2008 war as well as afterwards. A lot of their collection is in the military space, which is the remit of the GRU,” he added.
In May, a Romanian national, Marcel Lazăr Lehel, also known as Guccifer, confessed in a Virginia court to hacking Hillary Rodham Clinton’s private e-mail server. His sentencing is set for September. On June 15, a person who went by the name “Guccifer 2.0” claimed to be the “lone hacker” who infiltrated the DNC network and said accusations against Russia are false. This hacker published what was alleged to be part of the DNC’s file on Trump.
Alperovitch said in a statement provided to the New Atlanticist that CrowdStrike “stands by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016.”
He said CrowdStrike is investigating the authenticity and origin of the documents posted by Guccifer 2.0. “Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community,” he added.
The GRU’s sister organization, the FSB, operates in an internal security capacity within Russia. While both hacker groups have been identified as Russian, they operated independently throughout the breach.
“There was no indication that they even knew about each other, which is not surprising because Russian intelligence services almost never cooperate with each other and it’s a very adversarial relationship between them,” said Alperovitch.
“FancyBear actually came in in April…and they went straight for the opposition research [on Trump, the Republican Party’s presumptive presidential nominee]. They knew exactly who to go after and find the easiest way to get the data. The CozyBear actor actually came in last summer and they were sitting on the communications servers so they were monitoring e-mail traffic and chat traffic,” he added.
CozyBear has been identified as having ties with the FSB. Previously, the group was caught accessing unclassified networks in the White House, State Department, and the Joint Chiefs of Staff.
Cyberattacks on US presidential campaigns or political party organizations are not unprecedented. Earlier this year, US Director of National Intelligence, James Clapper, warned of hackers possibly targeting 2016 presidential campaigns.
“Russian intelligence interest in our elections is not going to end with this incident. In fact, this activity is only going to intensify as we get close to the general election. They are going to try and get back in,” said Alperovitch.
Dmitri Alperovitch spoke in an interview with the New Atlanticist’s Mitch Hulse. Below are excerpts from the interview:
Q: DNC executives became aware of the attack in April. Why the nearly two-month delay in publicly making the attack known?
Alperovitch: We had to conduct a remediation—a major event involving the entire network. The attackers were very well implanted into the network so, this past weekend, we shut off the entire network from the Internet. We rebuilt every machine and cleaned everything up. The announcement came out after that was done because we didn’t want to tip off the adversaries.
Q: Usually, there is a high degree of confidentiality when these attacks occur. Organizations generally don’t reveal that they have been compromised. Why did CrowdStrike and the DNC choose to go public with this attack?
Alperovitch: Well it wasn’t our decision—it was the DNC’s decision. They thought it was very important to highlight to the American public that this is a national security story and they wanted to highlight what the Russians were doing to the US political system—that was very important. Then, we were able to convince [the DNC] that if you are going to go public, would you allow [CrowdStrike] to release indicators actually related to the attack and tell the story of how the adversaries did it so that others can better protect themselves and [the DNC] was fully supportive of that. We do these things almost weekly and never can we talk about them but in this case, [the DNC] brought it up…and we were thrilled.
Q: Were these two firms hunting for the specific opposition research data or were they just seeing what they would come across and somehow use it later?
Alperovitch: The two actors were working completely independently. There was no indication that they even knew about each other, which is not surprising because Russian intelligence services almost never cooperate with each other and it’s a very adversarial relationship between them. FancyBear actually came in in April—we believe they are GRU, the Russian military intelligence—and they went straight for the opposition research. They knew exactly who to go after and find the easiest way to get the data. The CozyBear actor actually came in last summer and they were sitting on the communications servers so they were monitoring e-mail traffic and chat traffic.
Q: What evidence is there that these actors are connected to the FSB or GRU—the two primary Russian intelligence agencies?
Alperovitch: We actually have a lot of evidence. As you can imagine we can’t share everything, but we have a very high-level of confidence that these are Russian intelligence services—both of them. We have a medium-level of confidence that FancyBear is GRU. A lot of the evidence is based on their previous targets. FancyBear has targeted ministries of defense all over Europe. They have targeted Georgian military assets extensively during the 2008 war as well as afterwards. So a lot of their collection is in the military space, which is the remit of the GRU. We have a low-level of confidence that CozyBear is FSB, again based primarily on previous activity. We have a high-level of confidence that they are Russian intelligence but we are not sure which specific agency they are.
Q: What would the Russian government do with this kind of information?
Alperovitch: When you look at GRU, yes their primary mission is military intelligence, but they do a lot of human [intelligence] collection…they are always in competition with FSB for power and resources. Beyond just doing the military stuff, which is in their wheelhouse, they have been expanding to other areas. If they can demonstrate that they are better and more confident than the FSB, then they can get bigger and better missions and a budget.
Q: What are the possible consequences for these actors?
Alperovitch: These are Russian intelligence operators. This is traditional espionage. This is what the US government does day in and day out. This is what other foreign intelligence agencies are doing. Of course, this activity is illegal, but it’s a widely accepted practice so it’s highly unlikely that we will do much of anything going forward.
Q: These groups have attacked US government agencies in the past, which have greater cyber defense capabilities than organizations that do not deal with classified information. Does more work need to be done to strengthen and bolster the security of organizations that don’t really deal with classified information?
Alperovitch: Yes. A lot of people still assume these days—even after all the media publicity around these sorts of attacks—that if they are not a White House agency or a big bank, then I’m not going to get targeted. We saw this with the Sony case last year—the narrative that “Oh, I’m just a movie studio, no one is going to come after me.” The fact is that there is are a wide variety of reasons why all kinds of intelligence agencies—friendly or not friendly—would be highly interested in what you might have. This is something that more people need to become more aware of and the DNC has certainly done that—unfortunately by walking through the fire.
This is not going to be the end of it. Russian intelligence interest in our elections is not going to end with this incident. In fact, this activity is only going to intensify as we get close to the general election. They are going to try and get back in.
Mitch Hulse is an editorial assistant at the Atlantic Council. You can follow him on Twitter @mitchhulse.