Meuller's Bears: Russian Hacking and the 2016 US Presidential Election

On December 23rd, 2015, nearly a quarter-million Ukrainians unexpectedly lost power.²²⁶  In the aftermath of what is thought to be the first wide-spread attack on power infrastructure, US investigators determined that the same BlackEnergy malware that was involved in the Ukrainian disruption was present in “numerous industrial control systems (ICSs) environments”in the US.²²⁷  It appeared to US cyber officials that the“sophisticated malware campaign” responsible for the software’s presence had been running since 2011.²²⁸  David J. Weinstein, who worked at the US Cyber Command from 2010 to 2013 and was quoted in a recent NY Times article on developments in offensive US cyber activities, likened the 2015 Ukrainian event to crossing the Rubicon.^{229, 230}  In invoking the solidification of Caesar’s power and accompanying death of the republic, Weinstein manages to at once suggest the seminal nature of an attack on power-infrastructure, and the difficulty inherent in identifying any single event as a beginning. The prosecution of a large-scale cyber campaign with potentially lethal capability, fatalistically supports the former suggestion.

Yet while the Rubicon crossing has been immortalized, Marius’ military reforms, Sulla’s demonstrably effective use of force for political advantage and the concentration of power in the first triumvirate are also often seen as important components in the Roman transition toward empire. As such, though the 2015 Russian attack on the Ukrainian power grid was certainly an escalation in cyber conflict and in its own right represented a disturbing revision of cyber norms, it was to a large extent driven by the inertia of tradition, one long established in the kinetic world, but also fairly well established in the cyber world. The 2007 Russian attack on Estonia, and the 2008 Russian attack on Georgia, for instance, both targeted infrastructure: governance and communications respectively.²³¹  In the Georgian case, cyber operations were supported by ground troops, as was Russia’s annexation of the Crimea in 2014 and its subsequent eastern Ukrainian operations.²³² 

That 2014 Crimean action also saw Russia deploy malware in an attempt to generally discredit election results.²³³  This vector for foreign interference in internal matters of state was subsequently brought to the forefront of public awareness during the 2016 Russian meddling in the US presidential election. Just as the Russian actions against Estonia and Georgia reflect this dialectic of the inertia of tradition interacting with the new, so too did the 2016 Russian election meddling reflect both a Rubicon crossing and a slow, inertial march. That march, according to the recently released Report on the Investigation into Russian Interference in the 2016 Presidential Election, referred to hereafter as the Mueller report, began in 2014, which corresponds with other, early cyber election meddling like that seen in the Ukraine.²³⁴ 

The Mueller report, commissioned by the US Deputy Attorney General (AG) Rod Rosenstein on the 17th of May, 2017, was made public (with redactions) on April 18th of this year. Rosenstein appointed Robert Mueller as special counsel, and tasked him with investigating Russian meddling in the 2016 presidential election, and “any links and/or coordination between the Russian government and people associated with Republican Trump’s campaign.”²³⁵  Mueller, a former FBI director, spent the next two years running a leakless office and delivered his report to AG William Barr on March 22nd, 2019.²³⁶  The only two criminal cases against Russian entities related to the meddling, US v. Internet Research Agency et al. and US v. Netysho, et al., stem directly from the two-pronged Russian interference strategy laid out in the report.  One prong, related to the Internet Research Agency (IRA), had been performing operations in the US since 2014, while the other, which the Mueller report identified as a“hacking and dumping operation”, began in 2016.²³⁷

On June 14th, 2014, four IRA employees applied for US visas,“claiming to be four friends who met at a party.”²³⁸  Two got in, and reportedly spent some amount of time gathering intelligence; the redacted Mueller report doesn’t indicate when they left the US.  Despite getting a couple of agents over the border, the IRA - commonly referred to as a “troll farm”- performed mostly cyber activities that could be accomplished remotely.  These included the “purchase of political advertisements on social media in the names of US persons”, and the“staging of political rallies inside the US.”²³⁹  The operations were funded primarily by Yevgeniy Prigozhin, a Russian oligarch with ties to Putin. Prigozhin, who is known as “the chef”, and who once served George W. Bush caviar, runs both Concord Management and Consulting LLC, and Concord Catering which the Mueller report identifies as main sources of IRA funding.²⁴⁰  The Mueller-produced indictment of the IRA claims that its monthly operating budget at times exceeded $1.25 million.²⁴¹

Over the next two years, the IRA’s operation changed from one that Mueller characterized as “designed .. to undermine the US electoral system” into a “targeted operation that by early 2016 favored candidate Trump and disparaged candidate Clinton.”²⁴²  Utilizing multiple social media platforms, IRA “specialists” had developed a social media network capable of reaching “millions of US persons” by the time the 2016 presidential election took place.²⁴³  When Facebook took down a number of suspected IRA pages in 2017, a representative testified before congress that Facebook estimated the number of people who were served some form of IRA-associated content to be 126 million.²⁴⁴  The most popular IRA pages included “Secured Borders”, “Being Patriotic” and “Stop All Invaders”.²⁴⁵ 

Despite the novelty of hacking public opinion to sway an election, the Mueller report contains evidence of the hacker tradition alive and well within the new mode: a tendency for playful mischief. Morris (who we've written about here) made a name for himself with pranks like causing the misspelling of the ‘mail’ to launch a game.  Similarly, the Russian trolls seemed unable to resist a little joke of their own. In one of the more heavily redacted sections of the report, the special counsel describes how at the end of May 2016, IRA specialists managed to get a US citizen to hold a sign in front of the White House which read “Happy 55th Birthday Dear Boss”.²⁴⁶  The report, and the indictment of the IRA it cites, indicate that the boss in question was none other than Prigozhin, whose 55th birthday was a few days later on the 1st of June.  According to the indictment, the specialists told the sign-bearer that the individual in question “[was] a leader here and our boss . . . our funder.”²⁴⁷  Save the hacker tradition, it is difficult to imagine what purpose such an act could have served.  By contrast, the so-called hacking and dumping operations appear devoid of such playfulness.

In the wake of the announcement by the Democratic National Committee (DNC) and cyber security firm CrowdStrike that the DNC had been compromised on June 14th, 2016, it was reported that two disparate actors had been active inside the DNC’s networks.  CrowdStrike identified them as ‘Fancy Bear’ and ‘Cozy Bear’, two Russian advanced, persistent, threat actors associated with Russian intelligence services.²⁴⁸  Cozy Bear has since been publicly identified by Dutch intelligence as being associated with the Russian Foreign Intelligence Service (SVR),²⁴⁹ while the Mueller report identifies Fancy Bear as being under the auspices of the Russian Main Intelligence Directorate (GRU).  Yet despite the widespread reporting of there having been two Bears inside the DNC and DCCC networks, there is no mention of Cozy Bear in the Mueller report.²⁵⁰  The report instead identified two individual GRU units as the perpetrators of the hacking and dumping operations directly related to the election meddling Mueller was tasked with investigating.  Though the report contains many redactions due to “Harm to Ongoing Matter[s]” (HOM), it seems most likely that it doesn’t mention Cozy Bear due to their activities having been outside the scope of Mueller’s assignment.²⁵¹  Evidence for this position can be found in a recent European Council on Foreign Relations report on the Russian intelligence ecosystem:

Moscow has developed an array of overlapping and competitive security and spy services. The aim is to encourage risk-taking and multiple sources, but it also leads to turf wars and a tendency to play to Kremlin prejudices.²⁵²

In such an environment, it is wholly plausible that the two Bears may not have been aware of each other. As early as September of 2016, there was speculation among news outlets and security researchers that Cozy Bear, which according to CrowdStrike had been active inside the DNC’s networks since mid 2015²⁵³, was “engaged in traditional espionage”²⁵⁴ without knowledge of Fancy Bear’s activities. Regardless, Mueller’s office appears to have determined that their mandate did not cover the operations of Cozy Bear.

Fancy Bear’s operations, however, fell squarely within their purview. The report identified two ‘Military Units’ of the GRU, Military Unit 26165 and Military Unit 74455, collectively as Fancy Bear. We hereafter refer to these units as MU2 and MU7 respectively.  MU2 primarily targeted the Democratic Congressional Campaign Committee (DCCC),the Democratic National Committee (DNC) and individuals associated with Hillary Clinton’s 2016 presidential bid. MU7 released and promoted stolen information, and engaged in offensive operations against US local and state electoral entities, as well as vendors of election-related software.²⁵⁵

According to the Mueller report, GRU operations aimed to disrupt the US election began early in March of 2016 when MU2 began a spear phishing campaign against hillaryclinton.com email accounts. Over the course of the month, their campaign expanded to include other domains until they successfully broke into the DCCC network in the first weeks of April using phished credentials.²⁵⁶  MU2 officers then moved laterally within the DCCC, ultimately compromising 29 hosts. On April 18th, they managed to gain access to the DNC network via a VPN connection between the two networks, and by June 8th had compromised both the DNC’s mail and file-sharing servers in addition to several dozen other hosts.²⁵⁷  During this time, MU2 entrenched themselves, installing surveillance and exfiltration software.  By the time their presence was identified, MU2 had managed to steal over 70 gigabytes worth of data from the file-sharing server alone, as well as thousands of emails.²⁵⁸  The stolen materials included documents and correspondence from the highest ranks of the Clinton organization, including from John Podesta, her campaign manager.  Having successfully hacked Democratic party networks, it remained to disseminate the stolen documents.

The GRU’s dumping campaign utilized three main vectors: the blog personalities of ‘Guccifer 2.0’ and ‘DCLeaks’, and Julian Assange’s WikiLeaks.  While the DCLeaks persona, including its web presence at dcleaks.com and an assortment of supporting social media profiles, seems to have been used exclusively for disseminating documents, Guccifer 2.0 was also intended to misdirect attention away from the Russian state.  Created the day after the DNC and CrowdStrike publicly announced the hack and attributed it to Fancy Bear, Guccifer 2.0’s first post tried to take the ‘credit’ for the DNC hack.²⁵⁹  According to the Mueller report, Guccifer was intended to be a“lone Romanian hacker”.²⁶⁰  It seems likely that the GRU’s choice of name and nationality was either inspired by, or intended to be conflated with, the real Romanian hacker Marcel Lazăr Lehel.  Lehel, who used the pseudonym ‘Guccifer’, is perhaps best known for revealing the presence of then Secretary of State Clinton’s private email server and for distributing a collection of self portraits painted by George W. Bush.^261,262  Lehel is currently serving a 52-month prison sentence in the US for hacking.²⁶³  His GRU-run namesake eventually posted thousands of DCCC and DNC documents on their blog.²⁶⁴

Both the Guccifer 2.0 and DCLeaks personalities were also used to communicate with WikiLeaks.  According to the report, DCLeaks attempted to make contact with WikiLeaks on June 24th, 2016, and a week later WikiLeaks initiated contact with Guccifer 2.0. Communications between Guccifer 2.0 and WikiLeaks revealed in the Mueller report and associated indictments indicate that the first WikiLeaks dump of GRU-stolen emails and documents on July 22nd, 2016, was intentionally timed.  In a July 6th Twitter direct message (DM) from WikiLeaks to Guccifer 2.0, WikiLeaks wrote “if you have anything hillary related we want it in the next tweo [sic] days preferable [sic] because the DNC is approaching and she will solidify bernie supporters behind her after."  In a follow up DM, after estimating Trump’s likelihood of winning the presidency at 25%, WikiLeaks continued “..so conflict between bernie and hillary is interesting.”  The Democratic National Convention began three days after the July 22nd dump.²⁶⁵

The next phase of the GRU’s election-related hacking activities began five hours after Trump made his now infamous request for foreign assistance: “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing.”  Subsequent GRU cyber operations “stole approximately 300 gigabytes of data from [a] DNC cloud-based account.”  Similarly, within an hour of the infamous Access Hollywood recording of Trump making vulgar comments about women, published by the Washington Post on October 7th, WikiLeaks released the first of a collection of emails stolen from the account of Podesta.²⁶⁶ 

In the direct language typical of the Meuller report, the special counsel summarized their findings: “the Russian government interfered in the 2016 presidential election in sweeping and systematic fashion.”²⁶⁷  Given the well substantiated story of information manipulation and direct hacking told by the Meuller report, considering the 2016 election meddling as a Rubicon crossing seems apt.  First, the inertia of tradition is apparent at multiple levels. Within the evolution of the event itself, we see a generally anti-US, election undermining operation develop into a highly specialized and focused hit on Clinton.  Considering the hacker tradition demonstrated by the birthday sign and the basis for the event apparent in Russia’s 2014 Ukrainian operations, it is clear that the ideas and forms used didn’t spring fully-formed from nowhere.  Secondly, the boldness with which the Russian operatives like Fancy Bear pursued their objectives is indeed suggestive of a point of no return.  The meddling inched the Pandora’s box of cyber-conflict ever so slightly farther open, and indeed Weinstein’s Rubicon invocation was in the context of what appears to be an increasingly offensive cyber posture on the part of the US.²⁶⁸

References:

226. David E. Sanger, “Utilities Cautioned About Potential for a Cyberattack,”New York Times, February 29, 2016, https://www.nytimes.com/2016/03/01/us/politics/utilities-cautioned-about-potential-for-a-cyberattack-after-ukraines.html.
227. Cybersecurity and Infrastructure Security Agency, “Ongoing Sophisticated Malware Campaign Com-promising ICS (Update E),” 2014, https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B.
228. Ibid.
229. David E. Sanger and Nicole Perlroth, “U.S. Escalates Online Attacks on Russia’s Power Grid, ”NewYork Times, May 15, 2019, https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html.
230. News Staff, “Dave Weinstein, Former New Jersey CTO, Heads to Private Cybersecurity Firm,” Gov-ernment Technology, 2018,https://www.govtech.com/workforce/Dave- Weinstein- Former- New-Jersey-CTO-Heads-to-Private-Cybersecurity-Firm.html.
231. Landau, Listening In: Cybersecurity in an Insecure Age, 55
232. Michael Kofman et al., Lessons from Russia’s Operations in Crimea and Eastern Ukraine (Rand Corporation, 2017).
233. Scott J Shackelford et al., “Making Democracy Harder to Hack,” U. Mich. JL Reform 50 (2016): 629.
234. Robert S Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election. Volumes I & II.(Redacted version of 4/18/2019),” 2019.
235. Grant McCool and Jonathan Oatis, “Timeline: Big moments in Mueller investigation of Russian meddling in 2016 U.S. election.,” Reuters, March 8, 2019.
236. Ibid.
237. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019),” 44.
238. Ibid., 43.
239. Ibid., 12.
240. Emily Tamkin, “This Is What $1.25 Million Dollars a Month Bought the Russians, ”Foreign Policy,February 16, 2018, https://foreignpolicy.com/2018/02/16/this-is-what-1-25-million-dollars-a-month-bought-the-russians/.
241. United States Department of Justice,United States v. Internet Research Agency LLC, 2018.
242. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019),” 4.
243. Ibid.
244. United States.,Social Media Influence in the 2016 US. Election, Hearing Before the Senate Select Committee On Intelligence(Washington: U.S. Govt. Print. Off., November 1, 2017).
245. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019),” 33.
246. Ibid., 19.
247. Justice,United States v. Internet Research Agency LLC, 12(b).
248. Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,”Crowd-Strike, May 15, 2016,https://www.crowdstrike.com/blog/bears- midst- intrusion- democratic-national-committee/.
249. Huib Modderkolk, “Dutch agencies provide crucial intel about Russia’s interference in US-elections,”de Volkskrant, January 25, 2018, https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/?referer=https%3A%2F%2Fwww.google.com%2F.
250. Jeff Stone, “Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack.,”ChristianScience Monitor, May 15, 2016, https://www.csmonitor.com/World/Passcode/2016/0615/Meet-Fancy-Bear-and-Cozy-Bear-Russian-groups-blamed-for-DNC-hack.
251. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019).”
252. Mark Galeotti,Putin’s hydra: inside Russia’s intelligence services (European Council on ForeignRelations, 2016).
253. Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee.”
254. The Economist, “Bear on bear,” September 22, 2016, https://www.economist.com/united-states/2016/09/22/bear-on-bear.
255. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019),” 36-37.
256. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019),” 37-38.
257. Ibid., 38.
258. Ibid., 48.
259. Guccifer2, “GUCCIFER 2.0 DNC’S SERVERS HACKED BY A LONE HACKER,” May 15, 2016, https://guccifer2.wordpress.com/2016/06/15/dnc/.
260. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019),” 42.
261. Rachel Weiner and Spencer S. Hsu, “Hacker known as Guccifer sentenced to 52 months in prison,”Washington Post, September 1, 2016,https : / / www . washingtonpost . com / local / public - safety /guccifer-hacker-who-revealed-clintons-use-of-a-private-email-address-sentenced-to-52-months/2016/09/01/4f42dc62-6f91-11e6-8365-b19e428a975e_story.html?utm_term=.fe28ecdcb503.
262. Sam Byford, “George W. Bush’s bizarre bathroom self-portraits laid bare by audacious hack,” TheVerge, February 8, 2013,https://www.theverge.com/2013/2/8/3966678/hacker-reveals-george-w-bush-self-portraits.
263. Mathew J. Schwartz, “Romanian Hacker ’Guccifer’ Extradited to US,” Bank Info Security,https://www.bankinfosecurity.com/romanian-hacker-guccifer-extradited-to-us-a-11705.
264. Mueller III, “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.Volumes I & II.(Redacted version of 4/18/2019),” 43.
265. Ibid., 45.
266. Ibid., 50-58.
267. Ibid., 1.
268. Sanger, “Utilities Cautioned About Potential for a Cyberattack.”