The Perfect Weapon
Page 24
Texas seemed particularly ripe for meddling. Few of the trolls and bot makers had been there, but they had read about it online and seen it in the movies. It didn’t take much of a leap of imagination to form a “Heart of Texas” group that appeared to be based in Houston, but was actually operating near Red Square. They promoted a rally called “Stop Islamization of Texas,” as if there were much Islamization to worry about. Then, in a masterful stroke, the Russians created an opposing group, “United Muslims of America,” which scheduled a counter-rally, under the banner of “Save Islamic Knowledge.” The idea was to motivate actual Americans—who had joined each of the Facebook groups—to face off against each other and prompt a lot of name-calling and, perhaps, some violence.
It was a testament to how easy it is to mislead some subgroups of American citizens on the web with a few cheap bots and someone imitating a local resident. But no one was more amazed than the young Russians in Saint Petersburg, who, their own emails later showed, could not believe their targets were so gullible.
* * *
—
If you are going to catch a Russian inside your networks, hiring a Russian who thinks the way the attackers think isn’t a bad idea. By that measure, Dmitri Alperovitch was the right man for the job.
In his mid-30s, with sandy hair and broad smile, he was already a fixture in the Washington firmament: a cyber specialist who was a regular at foreign policy forums and seemed as interested in the geopolitics of the business as the bits and bytes. But it was hardly preordained that Alperovitch would get so far.
He was the son of Soviet nuclear scientist Michael Alperovitch, and spent his childhood and early teen years in Moscow, in the waning days of the Soviet Union. In 1986, when Dmitri was about five years old, Michael narrowly escaped an assignment that would have left his son fatherless. A fire had broken out at the Chernobyl nuclear power plant, and panicked Soviet officials wanted Michael and his colleagues to check it out. Michael had a bad feeling and declined. The scientists who went all developed cancer and died soon after.
His life spared by good luck, Michael began to think it might be time to get out. His opportunity came shortly after the breakup of the Soviet Union. The Alperovitch family left Moscow in 1994, moving first to Toronto before settling in Chattanooga when Michael had landed a job at the Tennessee Valley Authority. Dmitri eventually enrolled at Georgia Tech, graduating with what was, at the time, a rare degree in cybersecurity.
Out of college, Alperovitch bounced around a number of the digital stations of the cross, eventually joining McAfee, known for its early virus-protection products. His job was to analyze state sponsors of cyberattacks, and he did it well, publishing a long paper about a China-based group called “Shady Rat,” which was behind the theft of intellectual property from American companies. McAfee had been acquired by Intel, the country’s leading chipmaker, and the paper took off as one of the best-researched pieces of work tying the Chinese government to what Keith Alexander, then the head of the National Security Agency, used to call the “greatest transfer of wealth in history.”
Unsurprisingly, the Chinese didn’t care much for the research. Suddenly they were showing up in Intel’s offices in Beijing, inspecting business licenses—completely unrelated to Alperovitch’s work, naturally. One day, he recalled, he got a call from one of the company’s top executives. “Do you realize we do 60 percent of our business in China?” he remembers the executive asking.
Actually, he hadn’t known that. He resigned the next week and in 2011 moved on to create the cybersecurity firm CrowdStrike with entrepreneur George Kurtz. Alperovitch knew how to follow the bits. His partner knew how to manage the law-enforcement landscape.
It was good timing; the Russians were coming.
* * *
—
“Why don’t you come up and we’ll do a little health check?”
That was the seemingly benign invitation that Shawn Henry—a former FBI cyber expert whom CrowdStrike had recruited to serve as their chief security officer and president of their information security team—received from Michael Susman that April. Susman had prosecuted cybercrimes for the Justice Department, then moved to Perkins Coie, a law firm that counted both the Hillary Clinton campaign and the DNC among its clients.
CrowdStrike was accustomed to such calls, and soon their forensic engineers were tapped into the computers at the DNC, scanning them for signatures of known bad actors in cyberspace. Reams of data began flowing back to Henry and Alperovitch.
It took less than a day to find what they were looking for, but the full result was startling. It was at that moment that they discovered the DNC had been hacked by not one Russian intelligence group but two. And both had left plenty of fingerprints.
Alperovitch and his colleagues had long before nicknamed the first group “Cozy Bear,” the one the FBI referred to as “the Dukes.” It was a play on the Bear nicknames of the Cold War era. (Others called the group “APT 29” for “advanced persistent threat.”) Cozy Bear was the first group to infiltrate the DNC, the evidence suggested, the one Hawkins had seen when he first called the committee.
It wasn’t until March 2016 that “Fancy Bear,” a competing Russian group associated with the GRU, the military intelligence unit, broke into the computers of the Democratic Congressional Campaign Committee before moving into the DNC networks as well. That was the hack that Robert Hannigan’s spies at GCHQ had detected. Fancy Bear probably didn’t know that the SVR-linked Cozy Bear group was already there. At least, that was Alperovitch’s theory.
“These guys are deeply competitive with each other,” he told me. “They want approval from Putin, they want to say ‘Look what I did!’ ” And Fancy Bear was clearly busy—they were the ones sorting through Podesta’s email trove.
Once it was clear where the invaders were coming from, Alperovitch threw himself into the investigation. The mystery was what the Russian groups planned to do with the information they had stolen. As Alperovitch noted dryly to me one day, “No one expected what this turned out to be.”
* * *
—
Alperovitch knew what he needed to do at the DNC: replace its entire computer infrastructure. Otherwise, he would never know for sure where the Russians had buried implants in the system.
For the six weeks after CrowdStrike moved into the DNC headquarters, it worked quietly to prepare for a total replacement of the committee’s hardware, making the usual excuse that there were maintenance operations under way. Then, on one weekend in late spring, everything was shut down. DNC employees were told to turn in their laptops and phones for a “system upgrade.”
“There were people who thought this was a front for layoffs,” since the DNC was perpetually broke, Alperovitch recalled. They were relieved to discover that their jobs were safe, but when they got the equipment back the next week, the hard drives had been wiped clean and new software installed.
By now the DNC leadership had moved from total ignorance to total panic. They began meeting with senior FBI officials in mid-June, fully nine months after Agent Hawkins had been switched to the help line. Babies had been conceived and born in the time it took the DNC, and the US government, to wake up. Now the debate was over whether to make public what was going on.
The motivation of the DNC and its chairwoman, Debbie Wasserman Schultz, seemed clear: She wanted to gain a bit of sympathy for the Democrats, who had been attacked by the Russians, and put Donald Trump on the spot, since he had been nothing but complimentary about Putin. In mid-June, the DNC leadership decided to give the story of the hack to the Washington Post. It would leak soon enough anyway, they thought.
The Post ran with it, but it was a sign of how little thought was being given to Russian manipulation at the time that, as we played catch-up in the Times newsroom that day, it was difficult to get much interest in the story from the editors managing coverage of the st
rangest presidential campaign of modern times. At that moment, a few Russians mucking in the DNC didn’t exactly seem like a repeat of Watergate. The story was buried deep in the political pages.
The Obama administration also had a difficult time getting excited. They resisted demands from the DNC that the government do a quick “attribution,” as they had in the Sony case, and have the intelligence community publicly name the Russians as the offenders. The FBI said its own investigation was being hindered by the DNC, which it still viewed as being less than fully cooperative; the DNC would not allow the FBI access to its main servers, so the FBI was getting evidence secondhand, from CrowdStrike.
The government’s reluctance to “attribute” the hack to the Russians was hardly unusual. There was always concern in the intelligence agencies about revealing sources and methods. And while it was one thing for a private security firm like CrowdStrike to name the Russians, the US government had to have a much higher level of certainty. “If you do it,” one senior intelligence official said to me, “you have to be prepared to answer the question, ‘So what are you going to do about it?’ ”
Susman, the lawyer for the DNC, thought that the government’s argument was pretty ridiculous; CrowdStrike didn’t need secret sources to figure this out, and the Russians had not exactly hidden their tracks. “You have a presidential election under way here and you know that the Russians have hacked into the DNC,” he recalled saying at one meeting with DNC executives and their lawyer. “We need to tell the American public that. And soon.”
The day after the Post and the Times ran their stories, though, it became clear that the Russians had a larger plan.
A persona with the screen name Guccifer 2.0 suddenly burst onto the web, claiming that he—not some Russian group—had hacked the DNC. His awkward English, which became a hallmark of the Russian effort, made it clear he was not a native speaker. He contended he was just a very talented hacker, writing:
Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups.
I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.
Guccifer may have been the first one who penetrated Hillary Clinton’s and other Democrats’ mail servers. But he certainly wasn’t the last. No wonder any other hacker could easily get access to the DNC’s servers.
Shame on CrowdStrike: Do you think I’ve been in the DNC’s networks for almost a year and saved only 2 documents? Do you really believe it?
Guccifer 2.0 offered a few DNC documents, which he advertised as just a sampling of a vast trove. They included a lengthy piece of opposition research prepared by the DNC as they struggled to understand Trump, with chapter headings like: “Trump Is Loyal Only to Himself” and “Trump Has Repeatedly Proven to Be Clueless on Key Foreign Policy Issues.” There was also a chart listing major donors to the DNC, where they lived, and how much they had given.
“And it’s just a tiny part of all docs I downloaded from the Democrats’ networks,” he wrote, adding that the remainder, “thousands of files and mails,” were now in the hands of WikiLeaks.
“They will publish them soon,” he predicted.
It was clear that morning that the hack was not simply about campaign intelligence gathering. It was intended to be the cyberattack equivalent of broadcasting the conversation about Ukraine between Victoria Nuland and Geoffrey Pyatt. There was only one explanation for the purpose of releasing the DNC documents: to accelerate the discord between the Clinton camp and the Bernie Sanders camp, and to embarrass the Democratic leadership. That was when the phrase “weaponizing” information began to take off. It was hardly a new idea. The web just allowed it to spread faster than past generations had ever known.
Anyone who had followed the Russian hacking groups knew that there was little chance that Guccifer 2.0 was simply a savvy, lone hacker. But the name he chose was a clever play: It was taken from “Guccifer,” the screen name of a Romanian hacker who was then sitting in jail, after famously breaking into the email accounts of former Secretary of State Colin Powell and former President George W. Bush.
It didn’t take long for online sleuths to puncture the tale and point to evidence that Guccifer 2.0 was far more likely a committee of hackers somehow linked to the GRU, the Russian military intelligence unit. Lorenzo Franceschi-Bicchierai, who wrote for Vice, had the inspired idea of sending Guccifer 2.0 a direct message. He got an instant answer: Guccifer 2.0 said he was Romanian.
So Franceschi-Bicchierai used Google Translate to ask Guccifer 2.0 some questions in stilted Romanian. The answers came back in equally stilted Romanian. It quickly became clear that Guccifer 2.0 didn’t speak the language; he was using Google Translate too. A deep look at the documents he was posting showed they had been written in a Russian version of Microsoft Word, and were edited by someone who identified himself as Felix Edmundovich. That name seemed a tip of the hat to the founder of the Soviet secret police, Felix Edmundovich Dzerzhinsky. (Dzerzhinsky Square in Moscow, where the KGB headquarters was located, got renamed after the fall of the Soviet Union, but Dzerzhinsky would soon have a bit of a revival.)
The more Franceschi-Bicchierai conversed online with Guccifer 2.0, the more he became convinced that he was dealing with “a group of people” who were not very skilled at covering their tracks. In fact, they didn’t really seem to want to cover them. And another outlet for the documents suddenly appeared: “DC Leaks,” a site established just a few months before, but not active until the end of June. It was another indication that making selected stolen documents public was part of a larger plan, one that had been formulated months in advance.
* * *
—
By the time Donald Trump arrived in Cleveland, Ohio, in the third week of July 2016 to accept the nomination of a Republican Party still stunned by his rise, questions about his campaign’s connections to Russia were already in the air. The millions of dollars that Paul Manafort, Trump’s campaign chairman, made in Ukraine on behalf of the now-exiled, pro-Putin former president of the country was under growing scrutiny—which would lead to his resignation, and eventually his indictment. The digital break-in at the DNC was strange enough, but Trump’s insistence that there was no way it could be definitively traced to the Russians was even stranger.
As I arrived in Cleveland, though, the biggest mystery seemed to be Trump’s own refusal to say anything remotely critical of Russia, and especially of Vladimir Putin. Every other Republican candidate for president I had covered—Bob Dole, George W. Bush, John McCain, Mitt Romney—had gone out of their way to stress their suspicions of Russia’s motives, and particularly Putin’s.
Yet Trump kept declaring he admired Putin’s “strength,” as if strength was the sole qualifying characteristic of a good national leader. In an interview with Fox News he refused to say if he had ever spoken to Putin. That seemed odd, because he was also attempting to make the case that he could handle foreign leaders more skillfully than his opponent, a former Secretary of State. He never criticized Putin’s moves against Ukraine, his annexation of Crimea, or his support of Bashar al-Assad in Syria. Instead, he brushed past all that with the declaration, “Wouldn’t it be nice if we actually got along with Russia? Wouldn’t that be good?”
So when Maggie Haberman and I were preparing on July 20 to conduct our second foreign-policy interview with Trump—the day before he would accept the party’s nomination—Russia was high on our list of questions. We stepped into his hotel room in Cleveland just as he was finishing a meeting with Manafort, who shook our hands and quickly stepped out of the room, before any questions might be directed his way.
Trump was distracted and a bit irritated by something he had just heard about himself on television, but he settled in when the questions began, eager to prove himself familiar with every global ho
t spot. About halfway through the interview, I saw an opening and noted to Trump, “You’ve been very complimentary of Putin himself.”
“No! No, I haven’t,” he insisted.
SANGER: You said you respected his strength.
TRUMP: He’s been complimentary of me. I think Putin and I will get along very well.
We pursued that non sequitur for a while; I was trying to draw him out on why the fact that Putin had been complimentary of the soon-to-be-nominee would in any way affect Trump’s judgment about how to deal with an increasingly aggressive adversary. When that went nowhere I tried another route, testing whether he would defend the newest members of NATO.
“I was just in the Baltic States,” I told him. “They are seeing submarines off their coasts, they are seeing airplanes they haven’t seen since the Cold War coming, bombers doing test runs. If Russia came over the border into Estonia or Latvia, Lithuania, places that Americans don’t think about all that often, would you come to their immediate military aid?”
This was, I thought, the bottom-line issue: if Putin wanted Trump to win, it had to be because he thought a Trump victory would undercut the Western allies’ confidence that America would defend the alliance. Trump tried to duck:
TRUMP: I don’t want to tell you what I’d do because I don’t want Putin to know what I’d do. I have a serious chance of becoming president and I’m not like Obama, that every time they send some troops into Iraq or anyplace else, he has a news conference to announce it.
As soon as Maggie and I pressed the point, Trump took refuge in one of his favorite arguments: NATO members are taking us for granted and “aren’t paying their bills.” So I decided to get a little more specific: