It was a bombshell. Operatives from two Russian spy agencies had infiltrated computers of the Democratic National Committee, months before the US national election. One agency — nicknamed Cozy Bear by cybersecurity company CrowdStrike — used a tool that was “ingenious in its simplicity and power” to insert malicious code into the DNC’s computers, CrowdStrike’s Chief Technology Officer Dmitri Alperovitch wrote in a June blog post. The other group, nicknamed Fancy Bear, remotely grabbed control of the DNC’s computers. By October, the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security agreed that Russia was behind the DNC hack. On Dec. 29, those agencies, together with the FBI, issued a joint statement reaffirming that conclusion. And a week later, the Office of the Director of National Intelligence summarized its findings (PDF) in a declassified (read: scrubbed) report. Even President Donald Trump acknowledged, “It was Russia,” a few days later — although he told “Face the Nation” earlier this week it “could’ve been China.”
On Tuesday, the House Intelligence Committee will hear testimony from top intelligence officials, including FBI Director James Comey and NSA Director Mike Rogers. But the hearing is closed to the public, and new details on the hacking attacks haven’t emerged from either the House or the Senate’s investigations into Russia’s alleged attempt to influence the election.
We’ll probably never really find out what the US intelligence community or CrowdStrike knows or how they know it. This is what we do know: CrowdStrike and other cyberdetectives had spotted tools and approaches they’d seen Cozy Bear and Fancy Bear use for years. Cozy Bear is believed to be either Russia’s Federal Security Service, known as the FSB, or its Foreign Intelligence Service, the SVR. Fancy Bear is thought to be Russia’s military intelligence agency, the GRU.
It was the payoff of a long game of pattern recognition — piecing together hacker groups’ favorite modes of attack, sussing out the time of day they’re most active (hinting at their locations) and finding signs of their native language and the internet addresses they use to send or receive files.
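The time-of-day clue mentioned above, as an added illustration that is not part of the original article: a small Python script that takes UTC timestamps of observed intrusion activity and scores every candidate UTC offset by how many events land inside an assumed 09:00–18:00 working day. The sample timestamps are constructed, and the working-hour window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Assumed local working hours of the operators (inclusive start, exclusive end).
WORKDAY_START, WORKDAY_END = 9, 18

# Constructed sample, not real intrusion data: UTC times at which activity tied
# to one intrusion set was seen (e.g. C2 check-ins or file modification times).
SAMPLE_ACTIVITY_UTC = [
    "2016-04-11T06:05:00Z", "2016-04-11T08:40:00Z", "2016-04-11T11:15:00Z",
    "2016-04-11T14:50:00Z", "2016-04-12T06:30:00Z", "2016-04-12T09:10:00Z",
    "2016-04-12T12:45:00Z", "2016-04-12T14:20:00Z", "2016-04-13T07:00:00Z",
    "2016-04-13T10:35:00Z", "2016-04-13T13:05:00Z", "2016-04-13T23:55:00Z",
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp ending in 'Z' into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def workday_fit(times: Iterable[datetime], offset_hours: int) -> int:
    """Count events that fall in working hours if the operators' clock were UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(WORKDAY_START <= t.astimezone(tz).hour < WORKDAY_END for t in times)


def infer_utc_offset(timestamps: List[str]) -> Tuple[int, float]:
    """Return (best_offset, fraction of events inside that offset's working day).

    Ties go to the offset closest to UTC; the fraction tells the analyst how
    strong the pattern is before it is treated as a supporting indicator.
    """
    times = [parse_utc(ts) for ts in timestamps]
    scores: Dict[int, int] = {off: workday_fit(times, off) for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best] / len(times)


def local_hour_histogram(timestamps: List[str], offset_hours: int) -> Counter:
    """Hour-of-day histogram of the activity in the inferred local time zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in timestamps)


if __name__ == "__main__":
    offset, fraction = infer_utc_offset(SAMPLE_ACTIVITY_UTC)
    print(f"best fit: UTC{offset:+d} ({fraction:.0%} of events in working hours)")
    print(sorted(local_hour_histogram(SAMPLE_ACTIVITY_UTC, offset).items()))
```

Activity hours are only one signal: operators can work shifts or deliberately keep odd hours, so an analyst weighs the score alongside the tooling, language and infrastructure clues the article lists rather than relying on it alone.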