Close your eyes and imagine that a hacking group backed by Russian President Vladimir Putin broke into the email system of a major U.S. political party. The group stole thousands of sensitive messages and then published them through an obliging third party in a way that was strategically timed to influence the United States presidential election. Now open your eyes because that’s what just happened. On Friday, Wikileaks published 20,000 emails stolen from the Democratic National Committee. They reveal, among other things, thuggish infighting, a push by a top DNC official to use Bernie Sanders’ religious convictions against him in the South, and attempts to strong-arm media outlets. In other words, they reveal the Washington campaign monster for what it is. But leave aside the purported content of the Wikileaks data dump (to which numerous other outlets have devoted considerable attention) and consider the source. Considerable evidence shows that the Wikileaks dump was an orchestrated act by the Russian government, working through proxies, to undermine Hillary Clinton’s Presidential campaign. “This has all the hallmarks of tradecraft. The only rationale to release such data from the Russian bulletproof host was to empower one candidate against another. The Cold War is alive and well,” Tom Kellermann, the CEO of Strategic Cyber Ventures told Defense One.
Here’s the timeline: On June 14, cybersecurity company CrowdStrike, under contract with the DNC, announced in a blog post that two separate Russian intelligence groups had gained access to the DNC network. One group, FANCY BEAR or APT 28, gained access in April. The other, COZY BEAR, (also called Cozy Duke and APT 29) first breached the network in the summer of 2015.
Cybersecurity company FireEye first discovered APT 29 in 2014 and was quick to point out a clear Kremlin connection. “We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT 29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg,” they wrote in their report on the group. Other U.S. officials have said that the group looks like it has sponsorship from the Russian government due in large part to the level of sophistication behind the group’s attacks.
It’s the same group that hit the State Department, the White House, and the civilian email of the Joint Chiefs of Staff. The group’s modus operandi (a spearphishing attack that uploads a distinctive remote access tool on the target’s computer) is well known to cyber-security researchers.