The Apprentice, by Greg Miller
CHAPTER 1 THE HACK
THE GEOGRAPHY AND HISTORY OF THE NETHERLANDS—ALWAYS in the shadow of great powers—forced it to become quietly effective at espionage. And while the Dutch intelligence service, known as AIVD (which translates to General Intelligence and Security Service), cannot match the global reach of the CIA or MI6 (Britain’s Secret Intelligence Service), and its officers may never compete for screen time with Jason Bourne or James Bond, it kept its focus on Russia even as the United States was diverting intelligence resources to terrorism after the September 11 attacks.
With one of the largest and fastest internet hubs in the world, the Netherlands had become a pass-through point for cyber criminals, particularly from Eastern Europe. Dutch spies, as a result, became particularly adept at operating in cyberspace, relying on that capability to monitor online crime as well as the resurgent threat posed by Moscow. In 2014, AIVD accomplished a digital feat of David-and-Goliath proportions, the agency’s cyber unit penetrating a hacking syndicate linked to Russia’s foreign intelligence service, the SVR. The Dutch gained access not only to the group’s computer systems but to the surveillance cameras mounted above the entrance to its lair, capturing clear images of the Russian hackers as they filed into what they’d always thought was a secure space in the heart of Moscow. Analysts used the images in some cases to identify individual hackers, gradually compiling a roster with their names, the handles they used online, and grainy photos.
The AIVD had achieved what cyber spies call “exquisite access.” It was in the process of carefully exploiting this penetration a year later that the Dutch began to see a suspicious new stream of data flowing into the SVR system. AIVD spies traced its origin to a Democratic National Committee server in Northern Virginia.
The DNC functions as the war chest and back office of the Democratic Party, raising money and helping to field and fund candidates across the country. In presidential races, it oversees the party’s primaries, its debates, its convention, and the process of selecting its nominee for president. The breach of its systems was at that stage almost imperceptible, intermittent signals between a pair of computers on opposite sides of the Atlantic. In reality each ping was a silent betrayal, an expression of obedience by a DNC server to a distant machine secretly working for the Kremlin.
The Russian hackers’ forays into the DNC network had easily eluded the organization’s security, but U.S. intelligence agencies also failed to see the breach, even though the hackers behind it were already well known, having pulled off a spree of attacks in previous months on high-profile targets including the Pentagon, the State Department, and the White House—operations the Dutch had also detected and warned the Americans about. Certainly the DNC wasn’t as alarming a target as those repositories of U.S. government secrets, but the failure to detect the intrusion would mean that by the time it was first noticed by the DNC, Moscow was already tunneling toward troves of material, including internal DNC emails and research files, that it would use to sow chaos in the U.S. election.
The Dutch relayed what they had learned to the National Security Agency, the massive U.S. spy organization responsible for all forms of electronic espionage. The AIVD turned over images of the hackers, IP addresses (the numeric addresses that identify specific machines on a network), and other information that the NSA was able to corroborate.
From that moment in 2015, the scale of the Russian operation and its consequences for the United States would only expand. But at the time, U.S. officials saw the alert about the penetration of the DNC as falling into the category of conventional espionage, the sort of data gathering that Russia, China, and every other country with enough hacking capability—including the United States—pursues. Such probing of government, institutional, and corporate networks was so persistent and aggressive by state-level hacking enterprises that the adversaries involved acquired distinct reputations. The Russians were seen as the most sophisticated and—ironically, given how the year would play out—adept at hiding their tracks. China was “noisier,” less concerned with getting caught. While improving, Iran and North Korea were second-tier players. Attacks on think tanks and political organizations like the DNC were a problem, but defending against them was not necessarily the job of the U.S. government, which had enough on its hands fending off the equally frequent assaults on higher-stakes targets: classified networks, black budget programs, weapons designs.
Protecting those assets required constant vigilance. In November 2014, less than a year before the DNC attack, the White House experienced a Russian offensive so brazen that American officials saw it as a turning point in Kremlin tactics. The hackers gained entry with a common “spearphishing” ruse—sending bogus emails with disguised links or attachments that, once clicked, led to a malware-infested site set up to gather passwords and other sensitive information. The most striking aspect of the intrusion wasn’t that Russian hackers got into a White House network—in this case an unclassified email system that allowed White House staff to correspond when the issue at hand wasn’t sensitive, such as writing your husband that you’d be home late, or a congressional staffer that you’d received her letter. What was exceptional was how they reacted when confronted in that digital space by American cyber defenders. Rather than retreat and move on as the Americans patched holes, the Russian operatives stayed and fought. Every time the Americans severed the Russians’ connection to the malware they had installed—key to their survival inside the White House network—the intruders managed to repair the link or create a new one.
The NSA team had a remarkable penetration of its own: through secret “implants”—the software equivalent of a Trojan horse, bits of pre-positioned code—the Americans were able to monitor the Russians’ computers and see their adversaries’ every move in advance, as if watching them wheel new weapons into position before firing. The advantage proved decisive, but only after a protracted fight. At a 2017 security conference, Richard Ledgett, who was deputy director of the NSA at the time, described the battle as the online equivalent of “hand-to-hand” combat and a game changer unlike any the agency had ever waged.
The DNC penetration detected by the Dutch did not prompt such a daring showdown. The information was noted on internal NSA report logs and shared with other agencies, including the FBI. On August 6, 2015, an agent from the FBI’s Washington, D.C., field office called the DNC’s front desk and asked to speak with the “person in charge of technology.” Inevitably, he was transferred to the computer help desk and put in touch with an IT contractor, Yared Tamene.
FBI special agent Adrian Hawkins told Tamene that there were signs of compromise in the DNC system and provided an IP address that he said would help to locate the intrusion. But the address was the one the DNC used for its entire network, tied to more than a thousand laptops, servers, and phone lines, so it did not point to any particular machine. Tamene was a former college math instructor who had been an IT consultant at the DNC for four years but was no cybersecurity expert. He had heard plenty about how individuals were conned out of their passwords by hackers pretending to be from the government, a bank, or a credit card company, and was wary. He pressed Hawkins to provide proof of his position, but remained unswayed by the agent’s attempts to convince him.
The call lasted several minutes, as Hawkins outlined in somewhat cryptic terms the bureau’s concerns about the breach. He wanted to know whether the committee had detected the intrusion on its own and done anything about it. Tamene hesitantly acknowledged that the committee had endured some phishing attacks, but dodged detailed questions about the organization’s staff and systems. Hawkins then offered the first hint—although an indirect one—that the bureau suspected Russia. Check for malware associated with “the Dukes,” he said, an industry nickname for the hacking group with ties to Moscow. Tamene seemed unfamiliar with the moniker but agreed to have a look. After hanging up, he and a colleague did a quick internet search, read up on the group’s methods, and performed a cursory search of DNC log files. They found nothing and Tamene couldn’t help wondering whether he had fallen for a prank. Tamene informed his supervisor, Andrew Brown, the DNC’s chief technology officer, of the incident.
The disconnect persisted through subsequent interactions—that is, when both sides managed to connect at all. In October, two months after he first called the DNC, Hawkins left a series of voice mails for Tamene, who ignored them, later explaining he had nothing new to report. Behind the scenes, he appealed to Brown for help, telling him, “We need better tools or better people.” A month later, in November, the FBI agent finally got through, only to be told by Tamene that the DNC network appeared clean. Hawkins countered by again providing the DNC address, saying it was “calling home” to Russia. Tamene took this warning more seriously. He and his team began exploring whether there were gaps in the DNC’s defenses—bad search parameters, problems with the firewall—that were preventing the IT department from detecting the intrusion. But again, his follow-up checks yielded no evidence of compromise. It would later turn out that the FBI’s internal deliberations were so slow that by the time Hawkins had permission to pass along one IP address, the Russians had switched to another.
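The two problems the DNC tech team ran into here, an indicator that had already gone stale and a firewall log search that turned up nothing, are worth seeing side by side. The following is an added example and is not code from the book or from the DNC; it shows the kind of check a team searching firewall logs for a machine "calling home" could run. The log format, the internal hosts and the outside addresses (drawn from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed for illustration, as is the stale indicator address.

```python
"""Hunting for a beacon in firewall logs.

Two checks: (1) count connections to a supplied indicator address, which
fails silently once the operators have rotated to a new address, and
(2) look for near-periodic outbound connections from any internal host,
which survives the rotation because it keys on behaviour, not on an IP.
All log lines and addresses below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: one workstation making near-periodic HTTPS
# connections to an outside host, plus ordinary background traffic.
SAMPLE_LOG = """\
2015-12-03T02:00:05Z ALLOW TCP 10.0.12.34:51322 -> 203.0.113.7:443
2015-12-03T02:01:11Z ALLOW TCP 10.0.12.50:49210 -> 198.51.100.20:443
2015-12-03T02:10:09Z ALLOW TCP 10.0.12.34:51340 -> 203.0.113.7:443
2015-12-03T02:20:02Z ALLOW TCP 10.0.12.34:51361 -> 203.0.113.7:443
2015-12-03T02:25:44Z ALLOW TCP 10.0.12.50:49300 -> 198.51.100.21:80
2015-12-03T02:30:07Z ALLOW TCP 10.0.12.34:51377 -> 203.0.113.7:443
2015-12-03T02:40:03Z ALLOW TCP 10.0.12.34:51390 -> 203.0.113.7:443
2015-12-03T02:50:10Z ALLOW TCP 10.0.12.34:51402 -> 203.0.113.7:443
"""


def parse_log(text):
    """Parse lines of 'TIMESTAMP ACTION PROTO SRC:PORT -> DST:PORT' into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[4] != "->":
            continue  # skip malformed lines rather than abort the whole search
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src_ip = parts[3].rsplit(":", 1)[0]
        dst_ip, dst_port = parts[5].rsplit(":", 1)
        records.append({"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dst_port)})
    return records


def indicator_hits(records, indicators):
    """Count outbound connections to each supplied indicator IP (the FBI-style search)."""
    hits = {ip: 0 for ip in indicators}
    for r in records:
        if r["dst"] in hits:
            hits[r["dst"]] += 1
    return hits


def find_beacons(records, min_connections=4, max_cv=0.25):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections; a low value means near-periodic traffic.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "period_s": round(avg), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # A stale indicator (constructed) finds nothing; the periodicity check still does.
    print(indicator_hits(recs, ["203.0.113.99"]))
    print(find_beacons(recs))
```

Run against the constructed log, the indicator search for the stale address returns zero hits, exactly the "nothing" the DNC team kept reporting, while the periodicity check flags 10.0.12.34 talking to 203.0.113.7 roughly every ten minutes. Real beacons add jitter and use other channels, so `max_cv` and `min_connections` are tuning knobs, not fixed thresholds.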
All of this back-and-forth had given Russia’s hackers another three months inside the DNC servers. In all that time, the FBI’s Hawkins had not seen fit to raise the matter with top officials at the DNC. Nor did those officials learn of it at this stage from their own staff: because the tech team had found no evidence of the hack, Brown evidently felt no need to sound internal alarms.
The bureau’s failure to contact a single official above Tamene would later be deemed by the DNC to be an unfathomable lapse. The FBI, for its part, felt it had tried repeatedly to warn the committee—in fact, Hawkins was so frustrated by the difficulty in getting through that in December 2015, he went to the low-slung DNC building on a quiet street two and a half blocks south of the Capitol. He asked the security guard in the lobby to be on the lookout for Tamene, and to stop him and have him call the bureau.
After months of frustration, the FBI pushed for a face-to-face meeting. In February 2016, Hawkins, Tamene, and two of his IT colleagues arrived at Joe’s Cafe, in Sterling, Virginia, thirty miles west of the DNC’s Washington office, but a ten-minute drive from the DNC’s data center in Loudoun County.
There in Joe’s Cafe, Tamene’s lingering uncertainty about Hawkins’s FBI credentials finally subsided when the agent produced his badge. More important, Hawkins also produced a set of computer logs from a day in December showing precise time stamps that enabled the DNC to narrow its search for suspicious activity. He listed penetrations of other targets by the Dukes and recommended a tool that could help detect intruders on DNC systems. In a February 18 email, Hawkins even provided IP addresses associated with the DNC intrusions—data that traced the attack back to its origin in Russia.
AFTER FINALLY CONVINCING THE DNC TECH TEAM THAT THE breach was real, Hawkins urged them not to block those Russian incursions. Take modest steps to protect sensitive data, he said, but don’t disrupt the correspondence between the two systems or make any moves that would let Russia know its operation had been discovered. Though counterintuitive, this would allow further monitoring and avoid sending the hackers into hiding or, in a worst-case scenario, wiping the system of data to cover their tracks—leaving a barren, broken network. But it also left more time for Russia to make off with more data.
Tamene and his team went back to search their firewall logs. Again, nothing. They continued to wonder whether it was all a hoax, mischievous hackers merely “spoofing” DNC addresses online and making the FBI think the committee’s defenses had been pierced. Nevertheless, for the next couple of months, the FBI continued to alert the DNC about possible intrusions. In March, one of Hawkins’s colleagues, FBI special agent Lafayette Garrett, emailed the DNC tech team twice, alerting them to phishing attempts aimed at committee staffers; thus prompted, the committee’s tech team was able to repel the forays. A month later, Hawkins asked Tamene for copies of computer logs that might help the FBI see which IP addresses were connecting to the DNC network. Tamene said he needed to ask the DNC’s lawyers.
On April 26, Hawkins was put in touch with Michael Sussmann, a former prosecutor who handles cyber cases at the DNC’s law firm in Washington, Perkins Coie. Sussmann urged DNC executives to approve the FBI’s request, saying that the logs would be part of a classified investigation and kept from the public. “They really are helping you,” he explained in an internal email. But by then it was already too late. Critical opportunities to contain the damage had been squandered—by FBI agents who took too long to get past the DNC help desk and by committee staff who failed to grasp the growing danger or get the attention of committee executives.
AS ALL OF THIS WAS GOING ON, HILLARY CLINTON WAS BEING PUMMELED by additional digital trauma.
Clinton’s use of a private email account while serving as the nation’s top diplomat between 2009 and 2013 had been a self-inflicted political wound that hobbled her candidacy from the outset. The practice had been unearthed by Republicans as part of an intensely partisan congressional inquiry into one of the most tragic events of Clinton’s State Department tenure—a 2012 attack on two American compounds in Benghazi, Libya, in which the U.S. ambassador, J. Christopher Stevens, and three other Americans were killed.
Congress is equipped with an array of oversight committees to investigate such events, and a whopping seven of them did. They found security breakdowns and unheeded warnings but no evidence to substantiate incendiary claims that the Obama administration had blocked a viable rescue mission or engaged in a cover-up. The Republican leadership, however, created an additional panel—the House Select Committee on Benghazi—with a deep budget, broad authority, and cynical mission that was inadvertently revealed long afterward by one of its architects.
“Everybody thought Hillary Clinton was unbeatable, right?” House majority leader Kevin McCarthy, a California Republican, said in a Fox News interview in September 2015 as the presidential campaign was heating up.[1] “But we put together a Benghazi special committee, a select committee. What are her numbers today? Her numbers are dropping. Why? Because she’s untrustable. But no one would have known any of that had happened, had we not fought.”
The Benghazi committee was by no means the first to politicize a catastrophic event overseas, but the effectiveness with which it did so altered the dynamic in Washington. The name of the coastal Libyan city became a political shorthand—like Watergate or Whitewater—for a scandal that Clinton couldn’t shake. But it wasn’t any particular decision she had made about State Department personnel or facilities in Benghazi that proved most politically damaging. Instead it was the committee’s discovery as it assembled documents that Clinton had used a private email server while serving as secretary, and that the department had only a portion of her official correspondence.
Russia undoubtedly took note of this dynamic as it mounted its election interference campaign. And many of the partisan impulses that were sharpened by the Benghazi experience would resurface in 2016, impeding the United States’ ability to deliver a united response.
Clinton’s use of a nongovernment email server—@clintonemail.com—had first been revealed in 2013 by a Romanian hacker who went by the name Guccifer. But the committee zealously dug further into the matter. Led by South Carolina Republican and former federal prosecutor Trey Gowdy, the panel noticed that messages to and from the secretary were being routed not through classified State Department systems but rather a server in the basement of the Clintons’ home in Chappaqua, New York.
Under congressional pressure, the State Department sent letters to Clinton and her predecessors asking them to produce any work emails still in their possession. (Former secretary of state Colin Powell had also used a private email account.) In December 2014, Clinton’s lawyers arrived at the department with twelve boxes filled with hard copies of more than thirty thousand messages. But she withheld another thirty-one thousand, insisting that while they were stored on her system they pertained to personal matters, including her daughter’s upcoming wedding and mother’s funeral, and were “not related in any way to my job as Secretary of State.” Having concluded this, she had then erased the emails she deemed personal.[2]
It was a decision that played straight into decades-long depictions of Clinton as secretive and duplicitous when it came to concealing the family’s alleged misdeeds. The committee was, reasonably, outraged that she had deleted a massive stockpile of messages without allowing any outsider to review what was being destroyed.
The controversy remained under wraps until The New York Times broke the story several months later, on March 2, saying Clinton’s use of private email “may have violated federal requirements that officials’ correspondence be retained,” and reignited lingering concerns about the Clintons’ “lack of transparency and inclination toward secrecy.” Immediately, the Clinton campaign was on its heels.
A week later, in a tense press conference, Clinton said that in using her private email address she had “opted for convenience,” and acknowledged that “it would have been better if I’d simply used a second email account.” Republicans rushed forward with sinister interpretations, implying that she was hiding incriminating messages about Benghazi or other scandals. The panel issued a subpoena for all of her communications, hoping to stave off any further email destruction. At the same time, the State Department came under court order to start publicly releasing batches of Clinton emails after they had been internally reviewed. The result was a disaster for Clinton—monthly dumps for the media to sift through, generating a seemingly endless stream of stories on the very issue that Trump and Putin would come to see as one of her most acute vulnerabilities.
State Department investigators subsequently determined that “classified information may exist on at least one private server and thumb drive that are not in the government’s possession.” Because some of the sensitive information in the emails belonged not to State but to spy agencies, the inspector general for the entire intelligence community examined a sample of forty Clinton emails and found that at least four contained classified material. He then relayed that finding to the Justice Department. The fallout from that referral would be devastating to her chances of becoming president.
IN THE SPRING OF 2016, NEARLY A YEAR AFTER THE DUTCH HAD ALERTED Washington to the penetration of the DNC, a second wave of Russian hackers converged on Clinton-related targets. These new intruders were working not for Russia’s foreign intelligence service, but its military spy agency: the Main Intelligence Directorate of the General Staff, otherwise known as the “GRU.” Long seen as inferior to other Russian services, the GRU had invested heavily in cyber capabilities and had raised its standing in the Kremlin through one successful hacking operation in particular.
The head of the Russian military, General Valery Gerasimov, had delivered an address in 2013 that American spies studied closely.[3] Reprinted in a Russian publication called the Military-Industrial Courier, the speech spoke of a new era of hybrid warfare, one in which “the role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons.” The GRU had tested this theory in Ukraine in 2014, where it used a series of cyberattacks to shut down telecommunications systems, disable websites, and jam the cell phones of Ukrainian officials before Russian forces entered the Crimean peninsula.
After the Russian military had seized control of key Crimean facilities, GRU turned its information warfare troops loose to rally public support among Crimea’s largely ethnic Russian population to break with Ukraine and support annexation by Moscow. To do so, GRU psyops teams blitzed social media platforms, including Facebook and the Russian-language social network VKontakte, with fake personas and pro-Russian propaganda. In one week alone GRU cyber teams targeted dozens of Ukrainian activist groups, hubs of protesters on social media, and English-language publications, sowing confusion and creating the impression of a groundswell of support for Russian intervention.
Three years later, the GRU joined the Putin-ordered operation to damage or defeat Clinton. Working out of a building on Komsomolsky Prospekt in Moscow, a GRU cyber-operative named Aleksey Lukashev sent a spearphishing email to Clinton campaign chairman John Podesta on March 19, 2016. Lukashev used a popular online service for shortening website addresses to mask the link in his baited missive and make it look like a legitimate security notification from Google. The breach was enabled when one of Podesta’s aides saw the supposed security warning from Google and asked a computer technician to evaluate it. “This is a legitimate email,” the technician wrote. “John needs to change his password immediately.” With the ensuing mouse click, Russia gained access to a trove of messages stored on Podesta’s account. Within two days, Lukashev and his GRU unit had made off with more than 50,000 emails.
Lukashev was part of a GRU hacking group designated by its unit number, 26165. That same month, the hackers began probing the DNC network for gaps in defenses, seemingly oblivious to the fact that another Russian intelligence service was already rummaging through the files. U.S. spies said it was not uncommon for Putin to unleash separate agencies on the same target. In April, the Russian unit found an indirect route into the DNC system, stealing the computer credentials of an employee at a sister organization, the Democratic Congressional Campaign Committee, which occupied the same office and worked to help elect congressional candidates. Another spearphishing operation did the trick, luring the DCCC employee into clicking a link that effectively gave the GRU the keys into the network.
Once inside, Lukashev’s group installed malware known as X-Agent on at least ten DCCC machines, enabling them to steal passwords and data from other employees, and even to log their keystrokes and capture images of their screens as they typed away unsuspectingly. The hackers tried to hide their tracks by transmitting the pilfered information to a server the GRU had leased in Arizona (paid for not with rubles or dollars but with bitcoin). By April 18, the GRU had used the passwords and files of DCCC employees—some of whom also had access to the DNC network—to sneak across a digital bridge into the main party organization’s network.
In April, GRU operatives registered a new internet domain, dcleaks.com, after discovering that the first address they wanted, electionleaks.com, was already taken.
For all its advances, the GRU made a number of costly blunders that would help U.S. investigators reconstruct the incursion. The Russian hackers often used the same computers, email addresses, and phony online accounts for multiple transactions related to the operation—registering the dcleaks.com domain, accessing URL-shortening services, and facilitating bitcoin payments.
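The blunder described above, reusing the same accounts, machines and payment sources across a domain registration, a shortener account and a hosting purchase, is what lets an investigator chain otherwise separate records into one operation. The following is an added example and not code from the book or from any investigation; it shows the general link-analysis step behind that reconstruction. Every record in it is constructed, and the e-mail addresses, wallet strings, login addresses and domain names are placeholders, not real indicators.

```python
"""Pivoting on reused identifiers across infrastructure records.

Records come from different sources (a domain registration, a hosting
purchase, a shortener account). Any identifier value that two records share
(registrant e-mail, payment wallet, login IP) links them; union-find then
groups everything that is transitively connected into one cluster.
All records below are constructed placeholders.
"""
from collections import defaultdict

RECORDS = [
    {"id": "R1", "type": "domain", "label": "leaksite-a.example",
     "ids": {"email": "persona1@example.com", "wallet": "bc1qplaceholder0001"}},
    {"id": "R2", "type": "hosting", "label": "vps-us-west",
     "ids": {"wallet": "bc1qplaceholder0001", "login_ip": "198.51.100.77"}},
    {"id": "R3", "type": "shortener_account", "label": "acct-7731",
     "ids": {"email": "persona2@example.com", "login_ip": "198.51.100.77"}},
    {"id": "R4", "type": "domain", "label": "unrelated-shop.example",
     "ids": {"email": "merchant@example.org", "wallet": "bc1qplaceholder0999"}},
    {"id": "R5", "type": "domain", "label": "leaksite-b.example",
     "ids": {"email": "persona2@example.com"}},
]


def _find(parent, x):
    """Root of x with path halving, so repeated lookups stay cheap."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_records(records):
    """Group records transitively linked by any shared (identifier type, value)."""
    parent = {r["id"]: r["id"] for r in records}
    first_seen = {}  # (identifier type, value) -> first record that carried it
    for r in records:
        for key, value in r["ids"].items():
            ident = (key, value)
            if ident in first_seen:
                _union(parent, first_seen[ident], r["id"])
            else:
                first_seen[ident] = r["id"]
    groups = defaultdict(list)
    for r in records:
        groups[_find(parent, r["id"])].append(r["id"])
    # Largest cluster first, then alphabetical, so output is deterministic.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def shared_identifiers(records, cluster):
    """The identifiers that tie a cluster together: values seen on two or more of its records."""
    seen = defaultdict(list)
    wanted = set(cluster)
    for r in records:
        if r["id"] in wanted:
            for key, value in r["ids"].items():
                seen[(key, value)].append(r["id"])
    return {ident: ids for ident, ids in seen.items() if len(ids) >= 2}


if __name__ == "__main__":
    for cluster in cluster_records(RECORDS):
        print(cluster)
        for ident, ids in shared_identifiers(RECORDS, cluster).items():
            print("   linked by", ident, "->", ids)
```

On the constructed records, R1 and R2 share a wallet, R2 and R3 share a login address, and R3 and R5 share a registrant e-mail, so the four fall into one cluster even though no single identifier appears on all of them; the unrelated R4 stays on its own. Which identifiers did the linking is the part an investigator has to defend, which is why `shared_identifiers` reports them explicitly rather than just emitting the cluster.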
Those clues would be collected and revealed nearly two years later. But even at the time, the GRU arrived inside the DNC system with all the stealth of a cymbal crash. At long last, the committee’s overmatched security team finally encountered an intruder that its systems could detect.
The GRU’s hackers were “like a thunderstorm moving through the network,” recalled one investigator involved in the case. “They were actively compromising systems. They were remote accessing into systems in the middle of the night. They were deleting logs. They were opening up files on administrators’ desktops. They were archiving massive amounts of files.” At one point, the GRU crew began stashing pilfered material in a massive single file, presumably to make it easier to drag out when the raid was done. But they stuffed so much into the single container that it crashed the system they had set up to export their stolen data in the first place. Left behind, the copy of the busted file provided investigators a comprehensive inventory of the loot—but no firm sense of how much other material the GRU might have captured in other smash-and-grabs.
On April 29, little more than two months after the February Joe’s Cafe meeting between special agent Hawkins and three members of the DNC’s IT group, Tamene’s team of contractors saw strange activity on the network. He promptly notified his supervisors at the DNC and—after so many months deflecting calls from the FBI—dialed Hawkins to inform him of what he had found.
It had now been eight months since the FBI had first reached out to the DNC.