A Flawed Tale of Cyberwarfare Is Fanning 'Russiagate' Obsession
Let’s start at the beginning of “Russiagate.”
Before Robert Mueller indicted three Russian entities and 13 Russian citizens for conspiring to undermine the 2016 presidential election in the United States …
Before the FBI sought and obtained a FISA warrant against Carter Page for allegedly conspiring with Russia to help tip that election in favor of the Republican candidate, Donald Trump …
Before President Trump fired FBI Director James Comey …
Before former FBI Director Mueller was appointed as a special prosecutor to investigate Russian interference in the American electoral process …
Before all of that, there was a cyberattack against the computer server of the Democratic National Committee, or DNC.
The hacking of the DNC server, and all that has since transpired, has been described by many in punditry as an attack on American democracy, a modern-day “Pearl Harbor” that represents the worst attack on the homeland since 9/11.
Such comparisons are absurd. The surprise attack against Pearl Harbor took the lives of more than 2,400 Americans and led our nation into a world war, while the 9/11 terror attack killed just under 3,000 people and started a global war on terror that continues to this day.
No one lost his or her life because of the Russian hacking of the DNC server. And yet, largely due to the psychological conditioning brought on by such a dramatic analogy, cyberattacks have been raised to the level of weapons of mass destruction as a non-nuclear trigger for the release of American nuclear retaliation (courtesy of the recent Nuclear Posture Review document published by the White House).
While the specter of a nuclear holocaust may appear to be an extreme overreaction to the cyberattack on the DNC (and, by extension, American democracy), it is, in fact, a logical continuation of a premise which holds that America, as a whole, was attacked, and that this attack constituted an “act of war” (to quote the chairman of the Senate Armed Services Committee, Sen. John McCain).
At this late stage in the Russia-Trump drama that has gripped America for the past 20 months, it is taken as a given that Russia hacked the DNC server and subsequently published (i.e., “weaponized”) these communications by circulating them in a manner and time designed to influence the outcome of the 2016 presidential election. At a time when the actions, and associated rhetoric, of the American body politic head toward the boiling point, all parties involved must pause and take stock of where we are heading as a nation and how we got to where we are.
The DNC cyberattack serves as the genesis moment for the entire Russia-Trump collusion narrative and all that has transpired as a result—from the decision of President Obama to impose punitive economic sanctions on Russia and evict scores of Russian diplomats, to the recent indictment of Russian companies and citizens by the Department of Justice. It feeds the impression of America as a nation under siege and it colors all we do as a result.
Under closer scrutiny, however, there are fundamental flaws with how the public and the government have come to portray what occurred with the DNC. As a result, what many see as a normal reaction to Russian actions is a gross overreaction that threatens to consume America in a giant act of self-immolation.
When Russia’s president, Vladimir Putin, spoke to reporters gathered in St. Petersburg on May 31, 2017, he offered an insight into the mindset of Russia’s leadership that, while widely reported and commented upon in terms of the words he spoke, failed to register with the American public, media and body politic. They were (and are) preoccupied with the high drama surrounding allegations of collusion between the Trump campaign and Russian actors to interfere in the 2016 presidential election.
Putin did not reference the U.S., but rather commented on stories about Russian hackers interfering with the then-upcoming parliamentary elections in Germany, scheduled for September 2017. The Russian president compared Russian hackers to “painters,” calling them creative people who, “if they feel like it, they paint.” If, Putin noted, these hackers “wake up and read that something is going on in interstate relations,” they may decide to act.
“If they are patriotically minded,” he added, “they start making their contributions—which are right, from their point of view—to the fight against those who say bad things about Russia.”
What was certain, Putin declared, was that the Russian government had nothing to do with the actions of any Russian hackers. “We’re not doing this on the state level,” he said.
Recent developments have exposed both the truth and the lie behind Putin’s statement. A January 2018 report out of the Netherlands by the newspaper de Volkskrant, based on anonymous sources, claims Dutch intelligence services had hacked into the computer network within the Old Building of Moscow State University, adjacent to Red Square and the Kremlin. Only later did the Dutch realize that they had penetrated a hacking team which was using the university as cover. This hacking team employed malware and techniques associated with what cybersecurity specialists have termed Advanced Persistent Threat 29, or APT 29, also known as “Cozy Bear” (a term applied by the cybersecurity firm CrowdStrike). The Dutch achieved their breakthrough in mid-2014.
In early October 2014, the Dutch watched as the Russian hackers used a spear-phishing attack against an unsuspecting U.S. State Department official, infecting the unclassified email servers used by the State Department with malware that then moved laterally throughout the system, infecting thousands of computers throughout the United States and abroad, including American embassies. Communications about the crisis in Ukraine were specifically targeted and stolen, along with other information which, while unclassified, would be of interest to foreign intelligence services.
The Dutch notified their American counterparts of the breach, and by mid-November 2014 the FBI was prepared to move against the Russians. The Dutch had opened a direct line with the FBI through the National Security Agency (NSA), allowing for real-time interaction. Over the course of nearly 24 hours, during the weekend of Nov. 15-16, FBI computer specialists moved to cut communications between the Russian hackers’ command and control server and the malware that had infected the State Department computers.
At each step, the Russians were able to re-establish communications using specialized malware that hid inside the infected computers and automatically activated itself. A senior NSA official likened the interaction between the FBI cybersecurity specialists and the Russian hackers to “hand-to-hand combat” that amounted to “a new level of interaction between a cyberattacker and a defender.” The FBI eventually prevailed, but only because the Dutch were able to provide real-time tipoffs regarding every move the Russian hackers were planning.
Of special interest, however, was the fact that the Dutch also had taken control of the security camera that monitored access to the room used by the hackers, enabling them to see in reasonable quality the faces of those who went in and out of the room. While the majority of those involved were, in fact, private citizens—Putin’s so-called “painter-hackers”—the Dutch were able to detect others who visited the university office during the height of the online battle between the FBI and APT 29. After running the images of the faces of these individuals through their database, the Dutch were able to identify known officers of the Russian Foreign Intelligence Service, or SVR. The “state,” to quote Putin, may not have conducted the actual cyberattack against the State Department, but there was no doubt that Russian intelligence officers knew about it while the attack was taking place (and only the most naive would believe that the SVR did not play a critical role in defining content of interest once APT 29 gained entry and began mapping out the State Department email server).
In mid-2015, the Dutch detected a new effort by the APT 29 hacking team operating out of Moscow University—a spear-phishing attack against several American think tanks and political institutions, including the Democratic National Committee. This information was relayed to the NSA, which, in turn, passed it on to the FBI. The FBI, already intimately familiar with the Moscow University hackers and their tools and techniques, informed the DNC in September 2015 that its computer network was under attack, even going so far as to identify the specific attacker involved—APT 29.
The DNC did nothing until April 29, 2016, when its computer administrators detected suspicious activity and called in an outside computer security vendor—CrowdStrike—to investigate. By this time, the APT 29 hackers were long gone, having fully mapped out the DNC servers and exfiltrated untold amounts of data. The Dutch, NSA and FBI already knew the identity of those who had perpetrated the DNC attack: the Moscow University-based hacking team. Shortly thereafter, the Dutch lost access to the Moscow University computer server and the associated security camera system. APT 29 had gone dark.
According to CrowdStrike, it was able to detect traces of the presence of APT 29, but not its origin or specific activity. What CrowdStrike did claim to detect, however, was the active presence of a second hacking entity, this one allegedly using different tools and techniques, known in the cybersecurity business as APT 28 (dubbed “Fancy Bear” by CrowdStrike). While the DNC had approached the FBI about the APT 28 intrusion, the FBI did not request direct access to the DNC’s infected servers. Instead, the FBI relied on CrowdStrike’s findings for the early stages of the investigation into the DNC server breach.
The DNC, together with CrowdStrike, opted to monitor the APT 28 intrusion, curiously allowing APT 28 to access and exfiltrate documents that would later prove to be politically damaging to the DNC when released on the eve of the Democratic National Convention in July 2016. For 37 days after the installation of its proprietary monitoring software on May 5, 2016, CrowdStrike mapped the activity of APT 28, finally evicting the hackers from the DNC network on June 12, 2016.
The next steps taken by CrowdStrike and the DNC were even more curious. Rather than turning over the results of its investigation to the FBI and waiting for the official results, the DNC and CrowdStrike opted to go public with allegations that it was Russia behind the cyberattack against the DNC. Neither the DNC nor CrowdStrike was privy to the Dutch intelligence linking the Russian SVR to the APT 29 activity, so the DNC and CrowdStrike attribution of Russian involvement was based upon assessment rather than certainty (for example, CrowdStrike wrongly claimed that APT 29 was controlled by the Russian Federal Security Service, or FSB, the Russian equivalent of the FBI).
But most peculiar of all was CrowdStrike’s attribution of the APT 28 activity to Russia, specifically Russian military intelligence, or GRU. The APT 28 toolset had, by the time of the DNC intrusion, gone “wild,” meaning that any hacking group could have access to it—not just the Russians.
Moreover, an IP address for the alleged command and control server that had been hardcoded into the malware—which had been active in a previous attack attributed to APT 28, and thus was cited by other computer security companies (using CrowdStrike-provided data) as evidence of current Russian involvement—was, in fact, a false trail. The hardcoded address pointed to a server that had been disabled long before the APT 28 malware was installed on the DNC server, so it was apropos of nothing.
Even though there was no hard evidence cited by CrowdStrike linking Russia to the DNC server attack, both the DNC and CrowdStrike collaborated on a coordinated publicity campaign asserting just that, providing The Washington Post with exclusive access to the CrowdStrike claims for an above-the-fold article that ran on June 14, 2016. The findings subsequently were published in a CrowdStrike technical report, released the next day.
Complicating matters further was that immediately after the CrowdStrike/DNC public relations kickoff, a mysterious person/entity using the name “Guccifer 2.0” emerged. (The original Guccifer was a Romanian hacker who publicly claimed to have hacked the private email of Hillary Clinton and who subsequently was arrested, convicted and imprisoned in the United States for his actions.) Guccifer 2.0 dismissed the CrowdStrike/DNC claims of Russian attribution, stating that he alone was responsible for the DNC server attack.
To prove his claims, on June 15, 2016, Guccifer 2.0 published the first of a series of documents that appeared to have been sourced to the DNC server. Some of these documents were copied using a template that embedded Cyrillic text into the published document’s metadata, including the name of the founder of the KGB, Felix Dzerzhinsky, increasing the confusion surrounding the Guccifer 2.0 persona. The presence of the Cyrillic text, combined with the timing of the response, led many observers to contend that Guccifer 2.0 was nothing more than a poorly executed effort by Russian intelligence to undermine the DNC/CrowdStrike claims of Russian attribution. This proved to be the position of the U.S. intelligence community, which published its findings in a declassified National Intelligence Assessment in early January 2017.
The U.S. intelligence community, the DNC and others cited WikiLeaks’ publication of thousands of emails sourced from the DNC server (and, later, from Clinton campaign chairman John Podesta’s personal email account) as evidence of the politicized “weaponization” of the stolen data. This information then was presented as de facto evidence of collusion between WikiLeaks and the Russians to influence the outcome of the 2016 U.S. presidential election in favor of Donald Trump (indeed, the recent publication of internal communications within WikiLeaks seems to support the notion of an anti-Hillary Clinton sentiment on the part of Julian Assange and/or members of his entourage, though Assange denied he backed the GOP in 2016).
Assange’s animus toward Hillary Clinton, the former U.S. secretary of state, however, was no secret, and while the publication of the DNC/Podesta emails dealt a severe political blow to her campaign, there remains no publicly available evidence that either links the theft of the emails in question to the Russians or shows that Russia was the source of these emails to WikiLeaks. Speculation concerning the possible role of a DNC staffer, Seth Rich, in the theft of the emails, as well as the testimony of former British Ambassador Craig Murray, who claims to have played a role in the delivery of the stolen emails to WikiLeaks and who denies any role by Russian actors, creates an alternative theory of attribution that counters the “Russia did it” narrative, and has yet to be shown to be false.
Amid all this noise about the attribution of APT 28 to Russia, and about the role, if any, that APT 28 played in the theft and subsequent publication of the DNC emails, stands the proof from Dutch intelligence services, based on Dutch media reports, that Russian actors, with the explicit knowledge of the Russian foreign intelligence service (SVR), penetrated the DNC server for 10 months, spreading laterally throughout that server and any server it was connected with (including, it seems, the private server of Hillary Clinton), mapping, collecting and exfiltrating a massive amount of information. This attack, carried out using the tools and techniques associated with APT 29 from an office inside Moscow State University, was a Russian act.
While President Putin can quip about “patriotic painter-like” Russian hackers, there is little doubt that this action, while not perpetrated by “state” actors, occurred with the knowledge and direction of the Russian SVR. The critical point here is that the Russians were aware of this, and they knew that the United States government was likewise cognizant of these facts.
The “hand-to-hand” cyber “combat” that took place over the course of Nov. 15-16, 2014, between APT 29 and the FBI confirmed on both sides who was involved. The SVR emerged from that incident fully cognizant of the reality that the hacking activities of APT 29 had been detected, and that foreign actors were present inside the APT 29 server. The quality of the SVR/FSB counterintelligence capabilities in the cyber realm is such that the hacking of the security camera by Dutch intelligence was likewise most probably detected, which means the SVR knew its role in managing the work of APT 29 was no longer a deniable secret.
One must look at the decision to deploy APT 29, using servers that the SVR knew were actively monitored by intelligence services reporting back to the United States, in the cyberattack against the DNC. While the intelligence that APT 29 collected on behalf of the SVR was of undoubted interest in terms of the insights provided into the internal workings of a major American political party, this information was never “weaponized” by Russia, and as such played no role in the 2016 presidential election. Moreover, much of the information that was stolen was never meant to be collected to begin with—the SVR was sending a message that Russia could get inside the American political system, one that should have been received and acted on by the United States early on in the process (indeed, had the DNC acted on the FBI tipoff in September 2015, the APT 29 intrusion would have been curtailed less than three months after it began, instead of continuing unencumbered for more than 10 months).
While APT 29 was able to mask from post-mortem investigators such as CrowdStrike the details of its activities—how the malware was delivered to the DNC server, and what information was exfiltrated—it left enough clues to allow its presence to be detected and attributed. APT 29 was hiding in plain sight. The public was intended to know the DNC server had been attacked, and the U.S. government was intended to know that Russia was behind the attack. This was the goal and objective of Russia—not to actively interfere in American democracy, but rather to create the impression that it could, by hinting at its possibility. There is no doubt that Russia intended the APT 29 attack on the DNC to be both detected and attributed back to Moscow. A logical inference was that this attribution was intended to generate concern over the inviolability of the American electoral process, creating an internal debate within the American body politic about the legitimacy of American elections that would prove disruptive in the short term, and over the long term help undermine confidence within America and abroad about the legitimacy of whoever emerged as the victor in the 2016 presidential election.
In their effort to hack into the political machinations involved in the 2016 U.S. presidential election, the Russians weren’t betting on a particular horse. Indeed, APT 29 had made a less successful attempt to penetrate the computer server of the Republican National Committee. Rather, the Russians were seeking to undermine confidence in the political race itself. Russia wanted America to know it had accessed the DNC emails. Moreover, there is every reason to believe Russia fully intended to inject into the American political dialogue the possibility, rather than the reality, of these emails being used to help one candidate (Trump) over another (Clinton). The suggestion by the Maltese professor Joseph Mifsud to George Papadopoulos, a low-level foreign policy adviser to the Trump campaign, that Russia had “thousands of emails” containing “dirt” on Hillary Clinton, and the June 6, 2016, meeting between Russian actors, fronted by a Russian lawyer, Natalia Veselnitskaya, with Kremlin connections, and senior members of the Trump campaign staff in which similar “dirt” had been promised by the Russians, are clear examples of this.
The Mifsud and Veselnitskaya proffers both were little more than empty promises, designed to create the impression that Russia was seeking to help the Trump campaign. Concurrently, the Russians were likewise feeding information to the Clinton campaign, through at least two opposition research efforts—one overseen by Christopher Steele, the former British intelligence officer, the other through Cody Shearer, a political operative and journalist with close ties to the Clinton family. The Steele and Shearer dossiers contained many of the same allegations, some designed to disparage the character of Donald Trump, others to sustain the perception of collusion between the Trump camp and Russia—including offers on the part of Russia to provide emails incriminating Hillary Clinton. Seen in this light, the actions of Mifsud, Veselnitskaya, Steele and Shearer were not individual acts, but rather part and parcel of a concerted effort by Russian actors to undermine the candidacy of Trump by creating the appearance of collusion. Moreover, these were not covert actions. Russia fully intended for its actions to be detected and acted on by the United States. (In another plot twist, Mifsud now has gone missing.)
What transpired, however, was beyond anything the Russians could have imagined—or orchestrated. The intrusion by APT 29 into the DNC server, Russia’s actual cyberattack on the DNC, barely registered on the American political radar. The controversy swirling around the APT 28 attack, Guccifer 2.0, and WikiLeaks’ publication of DNC emails overshadowed Russia’s actual cyberattack on the DNC.
The DNC and CrowdStrike, not the U.S. government, made the initial decision to publicly call Russia out on the DNC server attack. Likewise, Hillary Clinton’s campaign staff made the decision to attribute WikiLeaks’ publication of emails taken from the DNC server to Russia. When the FBI initiated its investigation into the Trump campaign, it was because of the FBI’s conflation of the Mifsud email proffer with WikiLeaks’ July 2016 publication of DNC emails, even though the two could never have been linked. (Mifsud approached Papadopoulos in mid-April 2016, before any of the emails WikiLeaks published were even compiled by the APT 28 malware, let alone exfiltrated from the DNC server.) And, in the end, Congress was energized by misinformation leaked by Russian sources about Carter Page’s visit to Moscow in July 2016 that was given political relevance only because of the publication of the DNC emails by WikiLeaks.
The American intelligence community can say, without any doubt, that Russia hacked the DNC servers. This was the action of APT 29, working out of Moscow State University under the direction of the Russian SVR. But APT 29 had nothing to do with the publication of the DNC emails, which were either a product of the APT 28 intrusion, independent action by a disgruntled DNC insider, or a combination of the two.
Julian Assange continues to assert that neither the Russian government nor Russian actors had anything to do with WikiLeaks’ acquisition and subsequent publication of the DNC emails. There is no publicly available evidence that APT 28 was a Russian actor. Indeed, the U.S. intelligence community assessment about APT 28 seems to be derived exclusively from CrowdStrike’s analysis, which is itself derived from a demonstrably inaccurate interpretation of factual data and, at best, inconclusive.
Another telling fact is that the Carter Page FISA warrant does not appear to contain any definitive proof that Russia possessed the emails claimed to have been offered to Page, a critical element of the alleged crime which was sustained by circumstantial evidence and hearsay as opposed to hard fact. Both the Devin Nunes memo and the Adam Schiff memo make it clear that the only source of information used to sustain the notion that Page colluded with the Russians to gain access to emails damaging to Hillary Clinton was the Steele dossier. Everyone acknowledges that this report has not been corroborated, making it simple hearsay.
The flawed APT 28 attribution fuels much of the Russia-Trump collusion story. The environment of self-induced hysteria that has resulted from this incorrect attribution has caused historically bipartisan congressional committees to split on party lines (regardless of the facts), helped promote abuses of the FISA process for political purposes and led to the meaningless, politically motivated indictment of 13 Russians who will never see the inside of an American court, let alone be significantly impacted by so-called American “justice.”
When one examines the political fire that is consuming the American democratic enterprise today as a result of the so-called assault on American democracy perpetrated by Russia, it is seen to have been ignited and fanned by American, not Russian, actors, an act of self-immolation that Moscow could never have anticipated—and indeed, never sought—when it embarked on its election-meddling enterprise.