A month and a half before the publication of the DNC emails, Assange teased the release during an interview with Britain’s ITV. “We have upcoming leaks in relation to Hillary Clinton, which is great.”47
With that said, Operation LUCKY-7 had its cut-out. The FSB’s Information Warfare Management Cell (IWMC) would create a false flag source to feed Assange the data taken from the DNC and any subsequent hacks through Guccifer 2.0. Assange was desperate to be relevant and the IWMC was going to create a new era where his own hatreds and agenda could be skillfully manipulated by the FSB’s active measures officers, while the cyber teams would keep him well fed. Assange was primed to do LUCKY-7’s bidding and now only needed the data they had stolen. WikiLeaks was now a wholly owned subsidiary of the FSB and essentially the cyber equivalent of a Laundromat, a Russian laundry—ready to clean and give a white appearance to the dirt.
8
WHEN CYBER BEARS ATTACK
Once is happenstance. Twice is coincidence. Three times is enemy action.
Cyber Bears! Attack!
At some point early in fall of 2015 the National Security Agency and the FBI cyber division had indications of unusual activity related to Democratic National Committee servers. The signature of the attempts was familiar, since this had not been the first time that foreign entities had attempted to penetrate related to the US political parties’ networks, high profile persons, or U.S. government agencies. Individual hackers would attempt these penetrations for personal notoriety and bragging rights among the tight and secretive hacking community, but this practice had long since expanded into a global business worth billions in stolen data. Some hacking thieves stole Social Security numbers, credit cards, and identity theft information belonging to ordinary people, in sophisticated exploits that skimmed cash at the blink of an eye. Other groups specialized in stealing large-volume banking data or attempting large-scale fraud.
It has long been a dictum of warfare that forewarned is forearmed. In business and politics as well, the strengths of an opponent can be exploited, their weaknesses taken advantage of and manipulated. To this end a small, elite network of individual hackers or hacker gangs specialize in stealing corporate secrets to sell or use for blackmail. A hacker of this ilk will sell the stolen data to business rivals. Whether it be the size of the bid on a contract or the nude photos of an opposing CEO’s mistress, such data that could never have been previously available without physically breaking and entering a file or safe could now safely be extracted from a third party that often does it for a reasonable fee. Throughout the 1990s hacking groups performing these services had formed in Eastern Europe, then to West Africa, China, and South Asia. Foreign intelligence agencies often subcontracted their services to see what they could find on targets in America as well.
It was always advisable for the FBI and cyber security companies to give the political parties warnings before the run-up to an election season. Clearly, a history of hacks had occurred before, and the FBI told the DNC to be on the lookout for “unusual activity.”1 Director of National Intelligence James Clapper said that the Department of Homeland Security and FBI had been working “to educate campaigns against potential cyber threats.” Clapper added, “I anticipate as the campaigns intensify, we’ll probably have more of those [attempts].”2
Given the size and scope of their systems, IT divisions have to deal with many different and routine hacks and exploits occur on a regular basis, including nuisance messages, offensive and malicious emails with links to archaic viruses, or offers from Nigerian Princes. A more critical method of attacking the servers is to flood the networks with a massive email tsunami of spam, all at once, and from multiple sources. This is called a Denial-of-Services or DoS attack. The vast amount of data filling the entryways to the server slows down or blocks authorized messages from entering the system, akin to an internet brown-out. As each bit of valid data competes with the massive quantity of hacker-fed data, the entire system grinds to a halt in a cyber traffic jam. Hence, service is denied.
Though the DNC IT security staff did not receive warnings about specific activity, they should have been well aware of previous political exploits. At a minimum, all of the security personnel and their subcontractors should have received briefings about the previous hacks and signatures that could indicate a real threat coming down the pike. In the end, they were left to fend for themselves. The hackers most likely knew that, since the DNC is a private political organization, they would only be as good as the local IT security; a human factor weakness to be exploited. The National Security Agency and Cyber Command were not responsible for political security outside of government agencies. For all of their vast protective power, the federal agencies gave what was minimally required… a bit of advice.3
The DNC took what precautions they thought were appropriate for the level of risk. Yet others were watching with greater interest. In October 2015, InfoSec Institute, an information security training center, carried out a protective hack known as advanced penetrative testing. White Hat hackers at IT security companies performed these defensive hacks to test the perimeter of the network’s security walls and reveal the holes in the security system. Such tests sometimes reveal minor vulnerabilities, but most of the time these tests expose holes so extensive that a cyber-tractor trailer could pass through without any chance of detection.
It is important to identify and share information on threats as they have developed and as they currently operate. There are also ways to detect the location of adversaries by examining the available metadata found in the files captured, by accessing the C2 (Command-and-Control) servers, and by finding where data is routed or retrieved, by examining timestamps in the meta to determine build times, and by examining the deployment of files and routine checkins conducted by the attackers. IPs found in C2 servers, locations where files are retrieved for operations, and IP info in emails can help determine the source of the attack.
InfoSec Institute’s tests revealed threat the DNC servers had massive security flaws, setting themselves up for a hack the exact same way the Chinese exploited the Obama and McCain campaigns in 2008. The best defense to these threats is a regular security update at the client end, so the developers could stay on top of the latest exploits and 0day vulnerabilities. Sometimes all of these efforts can be overlooked, not shared, or just fall by the wayside. That is how the DNC got hacked: The sum efforts of sharing, comparing, and preparing was like a small rainstorm and the CYBER BEARS managed to dance between the raindrops.
The Bears Arrive
In April 2016 DNC chief executive officer Amy Dacey contacted DNC lawyer Michael Sussman. Dacey called him to let him know that the DNC’s IT department noticed strange behavior on their system. Sussman was a partner at Perkins Coie, a firm focused on cybercrimes. Sussman contacted Shawn Henry, president of cybersecurity firm CrowdStrike, to conduct an assessment and determine if there was a breach and how deep it went.4 CrowdStrike revealed that the DNC computers had been breached and that data on contributors, opposition research on candidates, and even the day-to-day inter-office chats and email had been stolen. The whole system had been professional compromised.