Cozy bears, unsourced hacks—and a Silicon Valley shakedown
The Russians hacked America.
After Donald Trump’s surprise victory in November, these four words reverberated across the nation. Democratic Party insiders, liberal pundits, economists, members of Congress, spies, Hollywood celebrities, and neocons of every stripe and classification level—all these worthy souls reeled in horror at the horribly compromised new American electoral order. In unison, the centers of responsible opinion concurred that Vladimir Putin carried off a brazen and successful plan to throw the most important election in the most powerful democracy in the world to a candidate of his choosing.
It seemed like a plotline from a vintage James Bond film. From his Moscow lair, Vladimir Putin struck up an alliance with Julian Assange to mount a massive cyber-offensive to discredit Hillary Clinton and her retinue of loyal Democratic Party operatives in the eyes of the American public.
The plot was full of twists and turns and hair-raising tangents, including tales of Russian-American retiree-agents sunning in Miami while collecting payoffs from Russia’s impoverished pension system. But the central ruse, it appears, was to enter the email server of the Democratic National Committee and then tap into the Gmail account belonging to John Podesta, founder of the Center for American Progress and premier D.C. Democratic insider.
As the long 2016 general election campaign unwound, WikiLeaks released a steady stream of embarrassing revelations from the DNC—though the disclosures were no more compromising than what you’d find in the correspondence of any mid-sized private-sector company: dumb boardroom gossip, petty press intrigues, and sleazy attempts to undermine a well-placed executive rival (namely Bernie Sanders). Truly, it would have been astonishing to learn that the DNC went about its business in any other way. But the sheer fact of the data breach was dispositive in the eyes of Democratic operatives and their many defenders in the liberal press. After all, WikiLeaks also reportedly collected data from the Republican National Committee, and did nothing with it. Clearly this was cyber-espionage of the most sophisticated variety.
On the Trump side of the ledger, things were murkier. Trump’s political advisers indeed had ties to Russia and Ukraine—but this was hardly surprising given the authoritarian-friendly lobbying climate within Washington. During the campaign the GOP nominee was disinclined to say anything critical about Putin. Indeed, breaking with decades of Republican tradition, Trump openly praised the Russian leader as a powerful, charismatic figure who got things done. But since the candidate also refused to disclose his tax returns, a commercial alliance with the Russian autocrat was necessarily a matter of conjecture. That didn’t stop theories from running wild, culminating in January with the titillating report from BuzzFeed that U.S. intelligence agencies believed that Putin had compromising footage of Trump cavorting with prostitutes at a Moscow hotel previously patronized by Barack and Michelle Obama. Not only was the Yank stooge defiling the very room where the first couple had stayed, but he allegedly had his rented amorous companions urinate in the bed. Behold, virtuous American republic, the degradation Vladimir Putin has in store for you!
Taking the Piss
The dossier published by BuzzFeed had been circulating for a while; on closer inspection, it appeared to be repurposed opposition research from the doomed Jeb Bush campaign. Its author was a former British intelligence operative apparently overeager to market salacious speculation. By the end of this latest lurid installment of the Russian hacking saga, no one knew anything more than they had when the heavy-breathing allegations first began to make their way through the political press. Nevertheless, the Obama White House had expelled Russian diplomats and expanded sanctions against Putin’s regime, while the FBI continued to investigate reported contacts between Trump campaign officials and Russian intelligence operatives during the campaign.
This latter development doesn’t exactly inspire confidence. As allegations of Russian responsibility for the DNC hack flew fast and furious, we learned that the FBI never actually carried out an independent investigation of the claims. Instead, agency officials carelessly signed off on the findings of CrowdStrike, a private cybersecurity firm retained by the Democratic National Committee. Far from establishing an airtight case for Russian espionage, CrowdStrike made a point of telling its DNC clients what it already knew they wanted to hear: after a cursory probe, it pronounced the Russians the culprits. Mainstream press outlets, primed for any faint whiff of great-power scandal and poorly versed in online threat detection, likewise treated the CrowdStrike report as all but incontrovertible.
Other intelligence players haven’t fared much better. The Director of National Intelligence produced a risible account of an alleged Russian disinformation campaign to disrupt the 2016 presidential process, which hinged on such revelations as the state-sponsored TV news outlet Russia Today airing uncomplimentary reports on the Clinton campaign and reporting critically on the controversial U.S. oil-industry practice of fracking as a diabolical plot to expand the market for Russian natural gas exports. In a frustratingly vague statement to Congress on the report, then-DNI James Clapper hinted at deeper and more definitive findings that proved serious and rampant Russian interference in America’s presidential balloting—but insisted that all this underlying proof must remain classified. For observers of the D.C. intelligence scene, Clapper’s performance harkened back to his role in touting definitive proof of the imminent threat of Saddam Hussein’s WMD arsenal in the run-up to the U.S. invasion of Iraq.
It’s been easy, amid the accusations and counteraccusations, to lose sight of the underlying seriousness of the charges. If the hacking claims are true, we are looking at a truly dangerous crisis that puts America’s democratic system at risk.
The gravity of the allegation calls for a calm, measured, meticulously documented inquiry—pretty much the opposite of what we’ve seen so far. The level of wild assertion has gotten to the point that some of the most respected pro-Western voices in Russia’s opposition have expressed alarm. As much as they despise Putin, they don’t buy the bungled investigations. "In the real world outside of soap operas and spy novels . . . any conclusions concerning the hackers’ identity, motives and goals need to be based on solid, demonstrable evidence,” wrote Leonid Bershidsky. "At this point, it’s inadequate. This is particularly unfortunate given that the DNC hacks were among the defining events of the raging propaganda wars of 2016.”
The lack of credible evidence, the opaque nature of cyber attacks, the partisan squabbles and smears, and the national-security fearmongering have all made this particular scandal very difficult to navigate. It may be years before we find out what really happened. Meanwhile, I’d like to tell a cautionary tale. It’s a story about the last time American and European cyber experts accused Russia of launching an attack against another country—and nearly provoked a war with a nuclear power. The moral of the tale is that cyberwarfare is a fraught and high-stakes theater of conflict, in which the uncertain nature of cyber-attack attribution can be exploited to support any politicized version of events that one chooses.
All Georgians Now
On August 8, 2008, war broke out between Georgia and Russia. Backed up by heavy artillery, truck-mounted Grad rockets, and tanks, Georgia launched a surprise invasion of South Ossetia, a tiny mountainous breakaway republic on its northern flank that had been at the center of a long-simmering regional territorial dispute. A prolonged artillery barrage reduced parts of Tskhinvali, South Ossetia’s capital, to rubble. Civilians were given no warning—those not killed in the initial assault hid in basements or fled on foot. A Russian peacekeeping force, which had been stationed in South Ossetia under an Organization for Security and Cooperation in Europe agreement since 1992, was targeted in the attack. By the end of the first day, Georgian troops were on the verge of taking the whole city.
Mikheil Saakashvili, Georgia’s charismatic president, had campaigned on a nationalist platform, promising to reabsorb the country’s breakaway regions. His initial success did not last long. Russian jets pounded Georgian military command posts and communications, while Russian troops streamed into South Ossetia. By the end of day two, the tide had turned: Georgian forces began retreating. By day five, Russian forces had control over South Ossetia and huge swaths of northern Georgia. Tanks and infantry entered several northern towns and moved around unimpeded just an hour away from Tbilisi, Georgia’s capital, where euphoria and jubilation turned to sickly fear. News footage showed Saakashvili cowering as Russian jets flew overhead. He appeared on television nervously chewing his tie, prompting the BBC to ask wryly: "The Georgian president chews over his next move. Is he weaker or stronger than before?”
Weaker, definitely. But in the war’s aftermath, Russia and Georgia were each determined to claim victim status. Russia pointed out that Georgia had started the war; Georgia blamed Russia for launching a full-scale invasion. President Saakashvili appealed to the United States, hoping it would intervene militarily on Georgia’s behalf.
The Bush White House was firmly aligned with Georgia. For years, Georgia had been an important neocon project in a grander scheme to peel away former Soviet Republics from Moscow’s influence. American NGOs and soft-power outfits like USAID backed Saakashvili’s rise to power during the country’s "Rose Revolution.” Since 2004, the Bush administration had lavished military aid on Saakashvili’s government, outfitted its army, and trained its soldiers. John McCain and Hillary Clinton jointly nominated Saakashvili for the Nobel Peace Prize in 2005. Support for Georgia was bipartisan and continued right up to Georgia’s attack on South Ossetia; more than a thousand American troops held a joint exercise with Georgia near the South Ossetian border in July.
As a complement to the Georgia PR offensive, the Bush White House continued to hammer away at its stable of anti-Putin talking points. For years, the United States had portrayed Vladimir Putin as a strongman leader bent on world domination. The invasion of Georgia seemed to confirm the official narrative: Russia would stop at nothing to crush the democratic aspirations of its neighbors.
It was a dangerous moment. Vice President Dick Cheney pushed for directly engaging the Russians in "limited military options”—including aerial bombardment to seal the Roki Tunnel linking North Ossetia and South Ossetia that was being used to transport reinforcements. Luckily, President George W. Bush, who had a street in Tbilisi named after him, wavered, sensibly fearing a real war with Russia.
The episode occurred during a U.S. presidential election. Senator John McCain used the conflict to showcase his hawkish foreign policy bona fides, arguing that America needed to intervene to protect Georgia’s budding democratic society from the authoritarian Putin. Claiming that "today, we are all Georgians,” McCain called for NATO forces to be deployed against Russia, which would have triggered a war with a nuclear power.
I was in Moscow at the time, reporting on the war. Those who had covered the region understood that Georgia was no innocent. The ethnic conflict between Ossetians and Georgians has old, festering roots—indeed, Georgia’s invasion of South Ossetia was centuries in the making. The Ossetians consider the territory of South Ossetia to be native lands they have occupied for centuries, while Georgians view Ossetians as relatively recent interlopers. When South Ossetia declared its independence after the breakup of the Soviet Union, Georgia’s ultra-nationalistic first president attempted to quash the independence movement by force. After a short war, South Ossetia stood its ground—and Georgia and South Ossetia squared off in an uneasy peace administered by Russian, Georgian, and South Ossetian peacekeepers. Two-thirds of the breakaway republic were ethnic Ossetians. They feared Georgia and favored Russia as a military bulwark. Russia handed out Russian passports to South Ossetians and provided military protection, making the territory a de facto member of the Russian Federation.
Seasoned observers of the region’s tangled geopolitics understood that Russia shared amply in the blame but that the fault lay primarily with President Saakashvili. When he came to power, he took on the mantle of a medieval Georgian king who had unified the country. "Today Georgia is split and humiliated. We should unite to restore Georgia’s territorial integrity. Georgia has existed and will exist. Georgia will become a united strong country,” he declared in 2004. With deteriorating political support at home, Saakashvili was itching for a popular war. Skirmishes increased along Georgia’s border with Abkhazia and South Ossetia; finally, Georgia fired the first shot.
Suddenly, America found itself at the edge of a precipice: a war over a complex sectarian conflict in a remote part of the world. American policymakers wanted a simple explanation, and conveniently, they were offered one: cyber-aggression.
The Sites Go Out in Georgia
When war broke out, a slew of Georgian websites came under attack. The Central Bank of Georgia was hacked, according to Russian reports. Its internal networks were not penetrated, but the hackers tinkered with the homepage to give the Georgian unit of currency, the lari, a less than favorable exchange rate, forcing the government to issue an order that suspended all electronic banking services. Georgia’s Ministry of Foreign Affairs was hacked, its homepage replaced with a slideshow depicting Mikheil Saakashvili as Hitler. "And he will suffer the same fate,” read an ominous message beside it.
A Russian-language forum called "Stop Georgia” suddenly came online, hosted in, of all places, the United States. Against a green camouflage-inspired background, its creators decried Georgia’s propaganda war against Russia. "We, as representatives of the Russian hacker-underground, will not tolerate provocations from Georgia.” The forum was crude and looked like it had been put together in a few hours. Its primary function was to distribute a simple, easily available program permitting anyone with a computer and an internet connection to become part of a denial-of-service attack swarm. The forum conveniently provided a list of Georgian target websites and helped organize and direct the cyber-mob action.
Georgian officials proclaimed these cyber attacks a strategic maneuver by the Russian military designed to take out the country’s communication system, facilitating the Russians’ armed invasion. The coordinated nature of the attacks, they insisted, showed that Russia had planned the invasion long in advance. "The opening shots of the Russian invasion of Georgia were fired over the Internet, proving Russian online aggression predated Georgian actions,” declared an official report by the Georgian government. The government called the people behind the attack "cyber terrorists.”
Cybersecurity experts came out of the woodwork to confirm and expand on Georgia’s allegations. Some implicated a shadowy cybercrime group from St. Petersburg that analysts had dubbed the "Russian Business Network” and linked it to the FSB, Russia’s secret police. Others claimed that Nashi, a Kremlin-backed young nationalist group, was involved. American military officials weighed in, agreeing that Russia had used cyber attacks to confuse and disorient the Georgian government. "The Russians just shot down the government command nets so they could cover their incursion,” Michael Wynne, former U.S. Air Force Secretary, told the AP on August 13.
One hack in particular became a sort of poster action for the sinister Russian cyber-offensive and conveniently doubled as a warning signal for greater Russian-authored threats ahead. In July, just after Secretary of State Condoleezza Rice had visited Georgia and reaffirmed America’s support for the country’s desire to exit Russia’s sphere of influence, President Saakashvili’s site had been taken down by a stream of junk requests with a string of text that read: "win+love+in+Rusia.”
What did it all mean? The war had barely ended, but John Markoff, longtime technology reporter for the New York Times, offered an answer: "As it turns out, the July attack may have been a dress rehearsal for an all-out cyberwar once the shooting started between Georgia and Russia. According to Internet technical experts, it was the first time a known cyber attack had coincided with a shooting war.” Other journalists chimed in as well: the Wall Street Journal, CNN, the Washington Post. The consensus, according to cyber experts, was that Russia was indeed behind the attacks—and the rhetoric was getting more and more belligerent.
And so, within the space of a news cycle or two, internet analysts turned into warmongers and cyber-hawks, comparing rudimentary internet attacks to atomic weapons. "These attacks in effect had the same effect that a military attack would have. That suddenly means that in cyberspace anyone can build an A-bomb,” Rafal Rohozinski, a respected cyber analyst with Citizen Lab, told the Washington Post. The Financial Times concurred: "The crisis in Georgia has not only stoked fears of a belligerent Russia. It has also served as a reminder that a new style of warfare—potentially as devastating as those that terrified previous generations—is almost upon us: cyberwar.”
That’s right: defacing a government website with a repetitive string of crude slogans was now the twenty-first-century equivalent of a nuclear first strike. The hysteria sloshed around and spilled over into fears that America was defenseless against similar attacks from Russia. "It’s a grave concern because the same thing could happen here in America,” CNN host John Roberts exclaimed.
Point, Click, Panic
I began investigating the cyberwar as soon as it erupted. I knew something about the way computers, websites, and the internet worked, having spent two years studying computer science at UC Berkeley, and I had serious doubts about the cyber dimension of the Russia-Georgia War. The hacks and attacks all seemed rather crude and for the most part targeted non-critical cyber portals: ceremonial government websites, several news sites, the public-facing website of a central bank. This was hardly the ruinous infrastructure offensive that cybersecurity experts were warning people about. As I got deeper into the story—interrogating my contacts in Moscow, traveling to Georgia, interviewing hackers, politicians, and cyber experts in Europe, Russia, and the United States—the cyberwar battle cries sounded more and more like ideologically manufactured hysteria.
To be sure, the assaults were troubling. Hacks against Georgian websites took place, they were in some way connected to the war, and Russia’s cyber criminal world had ties to the country’s security establishment. But it was an enormous—and dangerous—leap to interpret these attacks as a pre-planned Russian intelligence operation, possibly justifying an American military response. What’s more, it seemed clear that most of the people doing the investigating were working backward. They started from the premise that Russia started the war and then proceeded to show that the cyber attacks were an element of this premeditated invasion.
Living in Moscow, I saw a striking split-screen effect taking hold around the Georgia crisis. America was freaking out about the danger of Russian cyber attacks, while people I talked to in Russia mocked the hysteria. Looking at my reporting notes from that time, I can’t find a single Russian source who took it seriously. Nikita Kislitsin, former editor of Russia’s Hacker magazine, laughed at Western cybersecurity experts who suggested that the Georgian attacks were the entering wedge of a sophisticated plan for complete Russian takeover, explaining that hackers can have all sorts of unconventional motives for taking part in a political web war. One regular contributor to his magazine’s how-to break-in section, for example, had hacked into a few Georgian sites just so he had something to write—and brag—about. Kris Kaspersky, a well-known Russian hacker and security expert, also ridiculed the notion that the Georgia hacks were hatched as part of a military intelligence campaign. "A prepubescent kid could have carried out the attacks,” Kaspersky told me. "A well-funded organization like the FSB can pull off much more effective Web site attacks.” Bringing down a few rinky-dink government and newspaper websites is a far cry from network warfare, Kaspersky argued. Indeed, it was at least as plausible that the hacks could have been self-inflicted: "In these kinds of conflicts, you have to look at who benefits,” he said. "If I was Georgia, I would attack myself.”
The Fog of the Data Log
There was a second, underreported side to the conflict: the cyber attacks went in both directions.
Even before the war broke out in August, South Ossetian websites came under attack. A few days before the shelling of South Ossetia began, someone skillfully broke into the website of the Republic’s television station, replacing news items on the number of Georgian troops killed in a shootout with South Ossetian troops with ones that claimed Russian mercenary fighters were among the casualties. As Georgian tanks rolled across the border, other South Ossetian news sites—some of which were hosted in Moscow—came under cyber attack. The website of South Ossetia’s Ministry of Information, a clearinghouse for South Ossetian news, buckled under a denial-of-service attack. At the same time, Russian news sites—including the Kremlin-funded Russia Today—were hit and suffered downtime during the war.
If you squinted at the conflict and looked at it from Russia’s and South Ossetia’s perspective, you could use the cyber attacks to prove the opposite of what Georgia and Western cyber experts were claiming: the cyber attacks proved that Georgia had planned its military invasion. And that was exactly what the South Ossetians were telling me. "They hoped that a media blackout of the atrocities they were committing against a civilian population would reduce resistance to the invasion, both locally and globally,” Yuri Beteyev, the founder and editor in chief of OsInform, South Ossetia’s only news agency, told me. He had been in Tskhinvali when Georgia’s heavy artillery rolled into town.
I traveled to Tbilisi, looking for evidence of the alleged Russian attack. I had scheduled interviews with newspapers, government agencies, and internet service providers. They all made grand claims about Russian cyber attacks, all of them short on specific evidence. Caucasus Online, one of Georgia’s largest ISPs, claimed the attacks started the day before the military action—which served in the company’s view as undeniable proof that the Russian government was coordinating them. But ISP officials could not provide any supporting data, and when I requested a sample of their logs from that day, company spokesmen claimed the data had been deleted.
I was shown a former Soviet government compound in the center of Tbilisi. The building was a modernist fortress: a slab of granite and concrete perched at the top of a steep hill. The seventh floor housed Georgia’s National Security Council, the coordinating body for the country’s military and intelligence agencies. In this ultrasecure location, Georgian officials spun a series of talking points about how the cyberwar proved Russian aggression. "For a small country like ours, information is the most powerful tool with which you can protect yourself. The Russians knew this,” Security Council director Alexander Lomaia told me. "One day, we find out that we are cut off from the world. All major websites—including government and media—were attacked. Their aim was to limit our ability to electronically communicate, and they succeeded.”
But Georgia is a poor, largely rural country with low internet connectivity outside the capital. Its level of cyber-activity ranked below that of countries like Nigeria, Bangladesh, Bolivia, and El Salvador. You could hardly launch a real cyber attack if you wanted to, since few Georgians outside Tbilisi used the internet at all, let alone for anything important. It was all hype and bluster—and very superficial.
Indeed, as in Moscow, critical journalists and techies in Georgia dismissed much of the hype. Yes, there were cyber attacks. Yes, they could have been directed by the Russian government. But they were so amateur and inconsequential that they had little effect. Their biggest contribution, in fact, was to bolster Georgian counter-propaganda claims, as each little hack was taken up by the Georgian government and broadcast as proof of Russian aggression. One journalist told me his colleagues had cheered news of Georgia-based cyber attacks against Russia. "A wave of jubilation spread through the forum when they managed to take down Russia Today for a few hours.” Patriotic hackers doing their part to fight Russia? This is exactly what cyber experts accused Russian security services of orchestrating against Georgia as part of the military invasion.
Following the Money
By the time I left Georgia in October, the cyberwar story was no longer obsessing political leaders and media producers in the West. Congress had voted to bail out Wall Street. The Georgia-Russia War dropped out of America’s collective memory almost as quickly as it had appeared, eclipsed by a scarier and much more direct threat to America: the meltdown of our financial system and the threat of a new Great Depression.
A year later, a European Union commission issued a detailed report that showed just how empty all the talk about cyber attacks and premeditated Russian war really was. The report put the blame for starting the war squarely on Georgia. But by then the Georgia-Russia War was ancient news. No one cared, and the report barely got a mention in the press. But Silicon Valley noticed.
While the financial industry was teetering on the brink of oblivion, another industry was being born: the cybersecurity complex. By now it is a multibillion-dollar boondoggle, employing shoddy forensic techniques and politicized investigations. But it is highly profitable. The boom has been driven by the grim leaky reality of our digital world. Not a month goes by without some huge corporation or government agency getting hacked, its data splattered across the internet or siphoned off for the exclusive use of scammers, corporate spies, and intelligence agencies.
Cybersecurity firms have stepped up to the challenge. They’ve attracted funding from the biggest and most powerful venture capital houses: Sequoia, Google Capital, and the like. Not surprisingly, the CIA’s in-house VC outfit, In-Q-Tel, has been a leading investor in this space. All these firms position themselves as objective forensic investigators, patiently sifting through the evidence to find the guilty party and then figuring out how to defend against it. They have been involved with diagnosing and attributing big hacks for shamefaced clients like Target, J.P. Morgan, and Sony Pictures. Investors and intelligence agencies sing the praises of the critical services these outfits offer in an online environment teeming with hostile threats.
But in private conversations, as well as little-noticed public discussions, security professionals take a dimmer view of the cybersecurity complex. And the more I’ve looked at the hysteria surrounding Russia’s supposed hacking of our elections, the more I’ve come to see it as a case study of everything wrong and dangerous about the cyber-attribution business.
Fancy Bears, Cozy Bears—Oh My!
Take CrowdStrike, the hottest cybersecurity firm operating today. Based in Irvine, California, CrowdStrike was launched in 2012 by two veterans of the cyber-attribution business: George Kurtz and Dmitri Alperovitch. Both previously worked for McAfee, an antivirus-turned-massive-cybersecurity firm now partially owned by Intel. But Kurtz and Alperovitch saw a market opportunity for a new boutique type of cyber-defense outfit and decided to strike out on their own. They also brought on board Shawn Henry, a top FBI official who had been in charge of running the agency’s worldwide cyber investigations.
CrowdStrike positioned itself as a next-generation full-service cybersecurity firm. Company officials argued that cybersecurity was no longer just about defense—there was too much data and too many ways of getting at it to protect everything all the time. You had to know your attacker. "Knowing their capabilities, objectives, and the way they go about executing on them is the missing piece of the puzzle in today’s defensive security technologies,” wrote CrowdStrike cofounder George Kurtz. "By identifying the adversary . . . we can hit them where it counts.”
CrowdStrike hit the big time in 2015 with a $100 million infusion from Google Capital (now Capital G), Google’s first-ever investment in a cybersecurity company. It was good timing, because CrowdStrike was about to be catapulted into the front ranks of cyber-threat assessors. Sometime in April or May, CrowdStrike got a call from the Democratic National Committee to investigate a possible intrusion into their servers. The company’s investigators worked with surprising efficiency. As one DNC insider explained to the New York Times, the company was able to make a definite attribution within a day. There was no doubt, CrowdStrike told its DNC clients—the Russian government did it.
The results of CrowdStrike’s investigation were first broken by the Washington Post and then followed up in greater detail by CrowdStrike itself. In a post entitled "Bears in the Midst,” Dmitri Alperovitch attributed the hack to two distinct and very nefarious "Russian espionage” groups: Cozy Bear and Fancy Bear, among the most sophisticated cyber-operators CrowdStrike had ever come across. "In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” he wrote. "Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.”
These cyberspooks were allegedly behind a string of recent attacks on American corporations and think tanks, as well as recent penetrations of the unclassified networks of the State Department, the White House, and the U.S. Joint Chiefs of Staff. According to CrowdStrike, Cozy Bear was most likely the FSB, while Fancy Bear was linked to the "GRU, Russia’s premier military intelligence service.”
Here, the cyber experts were telling us, was conclusive evidence that both the FSB and the GRU targeted the central apparatus of the Democratic Party. CrowdStrike’s findings didn’t just cause a sensation; they carpet-bombed the news cycle. Reports that Vladimir Putin had tried to hack America’s democratic process raced around the world, making newspaper front pages and setting off nonstop cable news chatter.
The story got even hotter after a hacker who called himself Guccifer 2.0 suddenly appeared. He took credit for the DNC hack, called CrowdStrike’s investigation a fraud, and began leaking select documents pilfered from the DNC—including a spreadsheet containing names and addresses of the DNC’s biggest donors. The story finally started going nuclear when WikiLeaks somehow got hold of the entire DNC email archive and began dribbling the data out to the public.
A Terrible System
CrowdStrike stuck to its guns, and other cybersecurity firms and experts likewise clamored to confirm its findings: Russia was behind the attack. Most journalists took these security savants at their word, not bothering to investigate or vet their forensic methods or look at the way CrowdStrike arrived at its conclusions. And how could they? They were the experts. If you couldn’t trust CrowdStrike and company, who could you trust?
Unfortunately, there were big problems with CrowdStrike’s account. For one thing, the names of the two Russian espionage groups that CrowdStrike supposedly caught, Cozy Bear and Fancy Bear, were a fiction. Cozy Bear and Fancy Bear are what cyber monitors call “Advanced Persistent Threats,” or APTs. When investigators analyze an intrusion, they look at the tools and methods that the hackers used to get inside: source code, language settings, compile timestamps, time zones, IP settings, and so on. They then compare all these things against a database of previously recorded hacks that is shared among cyber professionals. If the attack fits an old profile, they assign it to an existing APT. If they find something new, they create a group and give it an official name (say, APT911) and then a cooler moniker they can throw around in their reports (say, TrumpDump).
CrowdStrike followed the protocols for existing APTs. Its investigation of DNC servers turned up two known threat actor groups: APT28 and APT29. Depending on the cybersecurity firm doing the analysis, these two APTs have been called by all sorts of names: Pawn Storm, Sofacy, Sednit, CozyCar, The Dukes, CozyDuke, Office Monkeys. Neither of them has ever been linked by any cybersecurity firm to the Russian government with certainty. Some firms have tried—most notably FireEye, CrowdStrike’s bigger and wealthier competitor. But FireEye’s evidence was ridiculously thin and inferential—in nearly any other industry, it would have been an embarrassment. Consider, for example, FireEye’s report on APT29:
We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg.
Or consider FireEye’s report on APT28—which, among other things, attributes this attack group to a Russian intelligence unit active in Russia’s “invasion of Georgia,” an invasion that we know never took place.
They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. While we don’t have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of long-standing, focused operations that indicate a government sponsor—specifically, a government based in Moscow.
So, FireEye knows that these two APTs are run by the Russian government because a few language settings are in Russian and because of the telltale timestamps on the hackers’ activity? First off, what kind of hacker—especially a sophisticated Russian spy hacker—keeps to standard 9-to-5 working hours and observes official state holidays? Second, just what other locations are in Moscow’s time zone and full of Russians? Let’s see: Israel, Belarus, Estonia, Latvia, Moldova, Romania, Lithuania, Ukraine. If non-Russian-speaking countries are included (after all, language settings could easily be switched as a decoy tactic), that list grows longer still: Greece, Finland, Turkey, Jordan, Lebanon, Syria, Iraq, Saudi Arabia, Somalia, Yemen, Ethiopia, Kenya—the countries go on and on.
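To make concrete what the indicator-matching process described above can and cannot establish, here is an added illustration; it is not code from CrowdStrike, FireEye, or anyone quoted in this piece. It scores the artefacts observed in an intrusion against a small constructed database of threat-actor profiles. The profile names, tool names, and addresses are hypothetical, and the category weights are assumptions chosen to reflect that time-zone, language, and working-hour artefacts are cheap to spoof and shared by many actors, whereas reuse of a specific tool or server is more distinctive (though still not proof of who sponsors the operators).

```python
"""Toy indicator-matching attribution (added illustration, hypothetical data)."""
from dataclasses import dataclass

# Weight per indicator category (assumed values). Environmental artefacts are
# trivially spoofable and shared across many actors, so they count for little;
# reuse of a specific tool or piece of infrastructure is more distinctive.
WEIGHTS = {
    "tool": 3.0,
    "infrastructure": 2.0,
    "compile_tz": 0.5,
    "language": 0.5,
    "working_hours": 0.5,
}
STRONG = {"tool", "infrastructure"}


@dataclass(frozen=True)
class Profile:
    name: str
    indicators: dict  # category -> set of previously recorded values


# Constructed profile database; names, tool names and addresses are hypothetical
# (addresses come from the RFC 5737 documentation ranges).
PROFILES = [
    Profile("PROFILE-A", {
        "tool": {"loader-x"},
        "infrastructure": {"203.0.113.10"},
        "compile_tz": {"UTC+3"},
        "language": {"ru"},
        "working_hours": {"09-18"},
    }),
    Profile("PROFILE-B", {
        "tool": {"dropper-y"},
        "infrastructure": {"198.51.100.7"},
        "compile_tz": {"UTC+3"},
        "language": {"ru"},
        "working_hours": {"09-18"},
    }),
    Profile("PROFILE-C", {
        "tool": {"implant-z"},
        "infrastructure": {"192.0.2.44"},
        "compile_tz": {"UTC+2"},
        "language": {"tr"},
        "working_hours": {"08-17"},
    }),
]


def score_profile(observed, profile):
    """Return (weighted overlap with the profile, number of strong-category hits)."""
    total, strong_hits = 0.0, 0
    for cat, values in observed.items():
        overlap = values & profile.indicators.get(cat, set())
        total += WEIGHTS.get(cat, 1.0) * len(overlap)
        if cat in STRONG:
            strong_hits += len(overlap)
    return total, strong_hits


def attribute(observed, profiles=PROFILES, margin=2.0):
    """Rank profiles against observed artefacts and state how much the match is worth."""
    ranked = sorted(
        ((*score_profile(observed, p), p.name) for p in profiles), reverse=True
    )
    top_score, top_strong, top_name = ranked[0]
    runner_up = ranked[1][0] if len(ranked) > 1 else 0.0
    if top_score == 0:
        verdict, confidence = "new-cluster", "n/a"       # nothing matched: new group
    elif top_score - runner_up < margin:
        verdict, confidence = "ambiguous", "low"          # several profiles fit equally
    elif top_strong == 0:
        verdict, confidence = top_name, "low"             # environmental artefacts only
    else:
        verdict, confidence = top_name, "moderate"        # tooling reuse; sponsor still unknown
    return {
        "ranking": [(name, score) for score, _, name in ranked],
        "verdict": verdict,
        "confidence": confidence,
    }


# Constructed observations from a hypothetical intrusion.
OBSERVED_ENV_ONLY = {
    "compile_tz": {"UTC+3"}, "language": {"ru"}, "working_hours": {"09-18"},
}
OBSERVED_WITH_TOOLING = {
    **OBSERVED_ENV_ONLY,
    "tool": {"loader-x"}, "infrastructure": {"203.0.113.10"},
}

if __name__ == "__main__":
    for label, obs in (("environment only", OBSERVED_ENV_ONLY),
                       ("with tooling", OBSERVED_WITH_TOOLING)):
        print(label, attribute(obs))
```

Fed only the environmental artefacts, two profiles tie and the result is flagged ambiguous at low confidence, which is the situation the time-zone argument above describes. Only when a distinctive tool and a piece of infrastructure also match does one profile lead, and even then the label is a cluster of technical indicators, not a finding about who sponsors the people behind it.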
The flimsiness of this evidence didn’t stop CrowdStrike. Its analysts matched some of the tools and methods used in the DNC hack to APT28 and APT29, slapped a couple of Russian-sounding names with “bear” in them on their report, and claimed that the FSB and GRU did it. And most journalists covering this beat ate it all up without gagging.
“You don’t know there is anybody there. It’s not like it’s a club and everyone has a membership card that says Fancy Bear on it. It’s just a made-up name for a group of attacks and techniques and technical indicators associated with these attacks,” author and cybersecurity expert Jeffrey Carr told me. “There is rarely if ever any confirmation that these groups even exist or that the claim was proven as correct.”
Carr has been in the industry a long time. During the Russia-Georgia war, he led an open-source intelligence effort—backed by Palantir—in an attempt to attribute and understand the actors behind the cyberwar. I read his reports on the conflict back then and, even though I disagreed with some of his conclusions, I found his analysis nuanced and informative. His findings at the time tracked with those of the general cybersecurity industry and bent toward implicating the Russian government in the cyber attacks on Georgia. But these days Carr has broken with the cyberworld consensus:
Any time a cyber attack occurs nowadays you have cybersecurity companies looking back and seeing a historical record and seeing assignments on responsibility and attribution and they just keep plowing ahead. Whether they are right or wrong, nobody knows, and probably will never know. That’s how it works. It’s a terrible system.
This is forensic science in reverse: first you decide on the guilty party, then you find the evidence that confirms your belief.
Not for Attribution
Over time, bad evidence was piled on top of unsubstantiated claims and giant inductive leaps of logic to the point that, if you tried to figure out what was actually happening, you’d lose all sense of direction.
Matt Tait, a former GCHQ analyst and founder of Capital Alpha Security who blogs under the influential Twitter handle @pwnallthethings, found a Word document pilfered from the DNC and leaked by Guccifer 2.0. As he examined its metadata, he discovered that it had been edited by a user named Felix Edmundovich—a.k.a. Felix Dzerzhinsky, founder of the Cheka. To him, it was proof that Guccifer 2.0 was part of the same Russian intelligence operation. He really believed that the super sophisticated spy group trying to hide its Russian ties would register its Microsoft Word processor in the name of the leader of the infamously brutal Soviet security service.
Meanwhile, Thomas Rid, a cyber expert based in London, drew a straight line from the DNC hacks to the attempted hacking of the Germans and TV5 to attacks on Georgia and Baltic States—even though on closer inspection none of those efforts had been linked to the Russian government.
John Podesta’s Gmail account was hacked with a rudimentary spear-phishing attack that tricked him into entering his password with a fake Google login page. His emails ended up on WikiLeaks, too. All sorts of people linked this to Russian military intelligence, with no concrete evidence to speak of.
Sensing its moment had arrived, CrowdStrike went into frenetic PR mode. The company released a series of cyber-attribution reports illustrated with sexy communist robots wearing fur hats, using visual marketing techniques in lieu of solid evidence.
After Donald Trump won the presidency, all these outlandish claims were accepted as unassailable truth. The “hacking” of the 2016 presidential election was the ultimate damning conclusion that cybersecurity experts were now working backward from. Just as Georgia’s compromised net infrastructure provided conclusive proof of Russia’s concerted plan to invade Georgia, Trump’s improbably successful presidential run demonstrated that Russian subterfuge, rather than the collapse of American political institutions, had elected a dangerous outsider president.
Watching this new round of cyber-attribution hysteria, I got a queasy feeling. Even Dmitri Alperovitch’s name sounded familiar. I looked through my notes and remembered why: he was one of the minor online voices supporting the idea that the cyber attacks against Georgia were some kind of Russian plot. Back then, he was in charge of intelligence analysis at Secure Computing Corporation, a cybersecurity company that also made censorship tools used by countries like Saudi Arabia. He was now not only running his own big shop, but also playing a central role in a dangerous geopolitical game.
In other words, the election-hacking panic was a stateside extension of the battle first joined on the ISP frontiers of the Georgia-Russia war. Impressionable journalists and Democratic party hacks who ignore this background do so at their peril—and ours.