The Daily Beast’s Spencer Ackerman and Kevin Poulsen are reporting that the hacking of the Democratic National Committee (DNC) in 2016 was done by a “lone hacker” who worked for Russian military intelligence, the GRU, citing U.S. investigators.
“Guccifer 2.0, the ‘lone hacker’ who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned,” Ackerman and Poulsen write.
There’s only one problem. The claim contradicts one of the key findings from Crowdstrike, the firm originally hired by the DNC to investigate the hack in 2016 and to date the only group who ever actually got access to the server. Then, the finding was that there was more than one set of hackers on the DNC’s server.
According the Washington Post’s Ellen Nakashima, who broke the story on June 14, 2016, “The firm identified two separate hacker groups,” both of which were attributed to Russia but let’s leave the attribution aside for a moment.
The Post continues, “One group, which CrowdStrike had dubbed Cozy Bear, had gained access last summer and was monitoring the DNC’s email and chat communications, Alperovitch said. The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files. It was this breach that set off the alarm. The hackers stole two files, Henry said. And they had access to the computers of the entire research staff — an average of about several dozen on any given day.”
So, per Alperovitch, Cozy Bear was responsible for getting the DNC emails, which were ultimately published on Wikileaks, and Fancy Bear was responsible for getting the opposition research files, which were never published by Wikileaks.
Critically, Nakshima writes, “The two groups did not appear to be working together, Alperovitch said. Fancy Bear is believed to work for the GRU, or Russia’s military intelligence service, he said. CrowdStrike is less sure of whom Cozy Bear works for but thinks it might be the Federal Security Service, or FSB, the country’s powerful security agency, which was once headed by Putin.”
To put a fine point on this, there was always more doubt about who got the DNC emails, even from Crowdstrike, with the attribution being “less sure” and qualified with a “might.”
Nor was it clear how they did it: “CrowdStrike is not sure how the hackers got in. The firm suspects they may have targeted DNC employees with ‘spearphishing’ emails… ‘But we don’t have hard evidence,’ Alperovitch said.”
UPDATE 3/29/18: This is confirmed by DNC Chairmwoman Donna Brazile’s account, “Hacks,” where she writes of Special Agent Adrian Hawkins who had called the DNC in 2015 to alert the committee to the presence of Cozy Bear on their servers, before finally meeting with DNC officials in Jan. 2016: “They met with Agent Hawkins in January in an FBI office in Virginia. Agent Hawkins showed them logs of Internet traffic between the DNC and the Russian entity known in hacking circles as Cozy Bear. Cozy Bear was well-known to the FBI, having hacked the State Department and the White House. Still our IT department could not find the evidence the FBI was pointing to. This went on until April, when the DNC tech department observed intruders logging onto our servers. The hacker, the DNC would later come to discover, was a different hacker popularly known as Fancy Bear.” That was when Crowdstrike was brought in. Here, Brazile is confirming what Crowdstrike would later publish, that there were two separate hackers.
On Nov. 17, 2016 former National Intelligence Director James Clapper echoed that uncertainty, telling the House Intelligence Committee: “As far as the WikiLeaks connection, the evidence there is not as strong and we don’t have good insight into the sequencing of the releases or when the data may have been provided.”
Compare that to the certitude expressed now by the Daily Beast that “Security firms and declassified U.S. intelligence findings previously identified the GRU as the agency running ‘Fancy Bear,’ the ten-year-old hacking organization behind the DNC email theft…”
Again, Crowdstrike never attributed the emails to Fancy Bear. The DNC emails were attributed to Cozy Bear. To review the chain of events:
On June 15, 2016, Crowdstrike published its analysis of the DNC hack.
Guccifer 2.0 then suddenly appeared and began publishing documents, including an opposition research file on Trump, with Russian fingerprints.
The WordPress blog by Guccifer 2.0 appeared, taking credit for the DNC hack described in the Washington Post story. The blog posted some of the documents as proof of the hack. Critically, Guccifer 2.0 claimed, “The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon.” Here, Guccifer 2.0 associated itself with Wikileaks and was outing itself as Wikileaks’ source.
The same day, it was revealed that metadata in one of the files posted by Guccifer 2.0 was modified by a user whose name in Cyrillic was “Felix Edmundovich,” a reference to a founder of the Soviet-era secret police. This became confirmation for many that the Russians did it.
Meaning, if Guccifer 2.0 was Russian military intelligence agency, the GRU, as reported by the Daily Beast, and let’s say they were, it wanted the entire world to think it was responsible for the DNC hacks, all of them, and left a trail of breadcrumbs leading back to Russia on purpose. They wanted to be caught.
Or, Guccifer 2.0 could have possibly been taking credit for something he or she was not responsible for. The claims only appeared after the Washington Post had already published its story, revealing everything that had been taken from the DNC servers, and after Julian Assange appeared on ITV on June 12, 2016 stating he had emails related to Hillary Clinton that were to be published.
Guccifer 2.0 could have been responsible for taking the opposition research — the blog did post some of those documents after all — but not the emails, which it never posted. They really could have been separate groups, as Crowdstrike had found. We still don’t know.
Meaning, despite the open and shut nature of the Daily Beast story, we may be no closer to solving the mystery of who hacked the DNC emails and gave them to Wikileaks, which has to this day denied any connection to Russia. It might be easier to just say that Guccifer 2.0 was the “lone hacker,” but it still might not be true.
Robert Romano is the Vice President of Public Policy at Americans for Limited Government.