How one typo helped let Russian hackers in

Posted at 8:13 PM, Jun 27, 2017
and last updated 2017-06-27 22:13:04-04

The email that would help Democrats lose the 2016 presidential election arrived on March 19, 2016, signed -- seemingly harmlessly -- "Best, the Gmail team."

The email was sent to John Podesta, the then-chairman of Hillary Clinton's presidential campaign. But it wasn't a benign message; it was actually a spear-phishing email authored by hackers with ties to Russia.

"There was a Google alert that there was some compromise in the system," Podesta told CNN of the email, which prompted Podesta to change his password "immediately" by clicking on a link.

"It actually got managed by my assistant, who checked with our cybersecurity guy," Podesta said. "And through a comedy of errors, I guess, he instructed her to go ahead and click on it and she did."

The fatal error? Podesta's IT person wrote back to his assistant calling the email "legitimate" when in fact he meant to say it was "illegitimate."

One typo, one click -- and Russian hackers had gained free rein inside the email of the man running Clinton's 2016 campaign.

"The rest," Podesta said, "is history."

That fake Gmail alert was one of a series of cyber intrusions that US intelligence would later determine formed a coordinated and unprecedented Russian "influence operation" to interfere with the US election. Through a series of interviews with government officials and cybersecurity experts, CNN details exactly how that operation happened.

The first warning sign

The first quiet warning of the Russian operation came in September 2015, when an agent from the FBI's Washington Field Office notified the Democratic National Committee that Russian hackers had compromised at least one DNC computer. It was the FBI's first direct contact with the DNC: a message left for a low-level computer technician, who did not return the FBI's call.

"They left a phone message at the help desk of the DNC," Podesta said. "They didn't treat it with the kind of seriousness, I think, that it deserved."

The DNC technician, an outsourced employee, did scan the system networks but found nothing, and the IT department apparently did not share the FBI's concerns with the DNC's senior leadership. The breach would later prove to be enormous, with hackers gaining access to countless communications, emails and documents.

According to the DNC, the FBI kept calling the same computer help desk for weeks, never reaching out to DNC leaders and never making the short trip in person to DNC headquarters.

The FBI tells CNN it made repeated attempts to alert more senior DNC staff, including sharing information on how to identify breaches in their systems.

In November 2015, the FBI called again with even more alarming news: a DNC computer was now transmitting information back to Russia.

Still, DNC executives claim they were not made aware of the threat, leaving the Russians to roam free inside the Democrats' computers for months.

The Russian connection

By spring 2016, just months before the US election, Russia had successfully breached two Democratic party computer systems: those of the Clinton campaign and the Democratic National Committee.

James Clapper, the former director of national intelligence, told CNN that US intelligence had been aware of the intrusions since the beginning in the summer of 2015. But it wasn't immediately clear how serious the breaches would become.

One of the most frustrating aspects of this breach, Clapper continued, was that one of the initial cyberweapons -- the spear-phishing email -- was so simple.

"That is one of the frustrations I think for all cybersecurity experts," Clapper said. "And that continues to be a leading if not the leading technique that both nation states and non-nation state entities ... including criminals, will use."

When the DNC's computer technician discovered the breach in April 2016, much of the damage had already been done. The DNC notified the FBI and hired the cybersecurity firm CrowdStrike, which quickly identified two culprits with links to Russia. They were dubbed "Fancy Bear" and "Cozy Bear" -- and both were familiar foes for cybersecurity experts.

"We've known these actors long before any of this transpired around the election," said John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye, which was also tracking the Russian hackers. "We've known these actors for many years. ... There's a lot of evidence that this actor is Russian or a Russian speaker."

Some of the evidence was surprisingly simple, such as timestamps showing when the hackers were working.

"The mistake they've made is leaving these timestamps," Hultquist said. "And if you look at enough of them over time, you get a picture of what actual hours this operator is working. And what they come down to is a work schedule that fits right in with western Russia's time zone."

"Besides that," Hultquist added, "there's a lot of Russian language artifacts," meaning computer code written in the Cyrillic, or Russian, alphabet.

"We have high confidence that this is a Russian intelligence organization," Hultquist said. "Because we've been tracking this actor for so long and we've seen so many artifacts, forensic and otherwise, that suggests that this actor is carrying out Russian intelligence missions."
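The working-hours analysis Hultquist describes above, as an added example that is not from the article or from FireEye: it takes constructed UTC timestamps of the kind recovered from compile headers or document metadata and finds the UTC offset under which the most activity falls inside an assumed 09:00-18:00 workday. The sample values, the workday window and the function names are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of the kind recovered from compile
# headers or document metadata. Illustrative values only, not real indicators.
SAMPLE_TIMESTAMPS_UTC = [
    "2016-03-14 06:12:00", "2016-03-14 07:45:00", "2016-03-14 09:30:00",
    "2016-03-14 11:05:00", "2016-03-14 13:20:00", "2016-03-15 06:40:00",
    "2016-03-15 08:15:00", "2016-03-15 10:50:00", "2016-03-15 12:35:00",
    "2016-03-15 14:55:00", "2016-03-16 07:10:00", "2016-03-16 14:25:00",
    "2016-03-16 22:30:00",  # late-night outlier, e.g. an automated build
]

# Assumed working day in the operator's local time (start inclusive, end exclusive).
WORK_START, WORK_END = 9, 18


def parse_utc(stamps):
    """Parse 'YYYY-MM-DD HH:MM:SS' strings as timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            for s in stamps]


def hour_histogram(stamps, offset_hours):
    """Count activity per local hour after shifting UTC by the candidate offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in parse_utc(stamps))


def workday_fit(stamps, offset_hours):
    """Fraction of activity inside the assumed workday for a candidate offset."""
    hist = hour_histogram(stamps, offset_hours)
    total = sum(hist.values())
    inside = sum(n for hour, n in hist.items() if WORK_START <= hour < WORK_END)
    return inside / total if total else 0.0


def infer_utc_offset(stamps, candidates=range(-12, 15)):
    """Return (offset, fit) for the offset that best explains the activity.

    Ties resolve to the offset closest to zero, so a sparse sample does not
    produce a spuriously confident answer."""
    best = max(candidates, key=lambda off: (workday_fit(stamps, off), -abs(off)))
    return best, workday_fit(stamps, best)


if __name__ == "__main__":
    offset, fit = infer_utc_offset(SAMPLE_TIMESTAMPS_UTC)
    print(f"best UTC offset: {offset:+d} ({fit:.0%} of activity in working hours)")
```

With the constructed sample the best fit is UTC+3, the Moscow offset, with one outlier left outside the workday; on real data the same analysis needs many stamps spread over months before the picture is more than suggestive.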

The summer of leaks

In June 2016, five months ahead of Election Day, the world got the first glimpse at the massive trove of stolen emails and documents that had been procured from Democrats' computer systems.

A mysterious blogger or bloggers nicknamed Guccifer 2.0 -- in fact a cover for a sophisticated Russian hacking operation -- began posting the first set of stolen documents within days of news breaking that the DNC had been hacked. Guccifer 2.0 released batches of material not just from the Democratic National Committee, but also from the Clinton campaign and the Democratic Congressional Campaign Committee.

Other rogue publishers soon joined in. On July 22, three days before the start of the Democratic Party Convention, the Julian Assange-founded site WikiLeaks posted that it would release more than 19,000 emails from the DNC.

The stolen emails suggested that top leaders of the Democratic National Committee were biased in favor of Hillary Clinton and against Bernie Sanders for the party's nomination. The chairwoman of the DNC, Debbie Wasserman Schultz, was forced to resign, becoming the first scalp of Russia's influence operation. The press quickly shifted focus toward the controversy, and Russia's influence campaign appeared to be having an effect.

Donald Trump tweeted, "The new joke in town is that Russia leaked the disastrous D.N.C. e-mails, which should never have been written (stupid), because Putin likes me." Then, in a now infamous speech, he took the alarming step of egging the Russians on to hack Hillary Clinton's private server.

Questions emerge about Trump associates

Trump was not alone in his circle celebrating the Russian hacks. Roger Stone, a onetime campaign adviser and longtime confidant, hinted that he had advance knowledge of the releases, raising questions for the first time about possible cooperation between Trump associates and Russia.

"I actually have communicated with Assange," Stone said at an August 2016 event. "I believe the next tranche of his documents pertain to the Clinton foundation."

In October, Stone once again seemed to signal advance knowledge of WikiLeaks' plans, tweeting, "Wednesday @HillaryClinton is done. #Wikileaks."

Later, Stone denied speaking with Assange directly or colluding with the Russians. As for the Russian President himself, Vladimir Putin, he laughed at the idea of Russian involvement in an interview with Bloomberg News.

Clapper told CNN that he had "a very visceral feeling in the pit of my stomach that I thought this was a really serious thing, an assault on our ... you know, the very heart of our democracy. That's one of the reasons I felt so strongly about putting out the statement that we did in October."

On October 7, US intelligence agencies publicly named and shamed Russia in a statement, saying, "The US intelligence community is confident that the Russian government directed the recent compromises of emails from US persons and institutions."

US intelligence would later determine that Russia supplied the hacked emails to WikiLeaks via a "cut-out" or middle man. WikiLeaks continues to deny receiving the hacked documents from Russia.

Podesta also remembers that day very well, but for a different reason.

"The first of (my) emails was posted to WikiLeaks with a statement from Julian Assange that said ... 'We have the contents of his email system and we're going to release them all during the course of the campaign.'"

That Friday night email dump would turn out to be just the first of many -- and those releases quickly became a dominant storyline of the campaign.

"The Russians are pretty intense observers of what goes on in this country," Clapper told CNN. "(They) tried to both collect information on it and, as we saw, where they can, exploit it."

'They're coming after America'

Inside the Obama White House, a sometimes bitter debate was unfolding as some senior advisers -- including Secretary of State John Kerry -- pushed for a more robust response, including stiffer economic sanctions.

But the President feared escalation with Russia abroad and charges of influencing the election at home.

As Election Day approached, the Obama administration's greatest fear was that Russia would disrupt actual voting systems. The fear was so great that President Obama warned Putin twice: once face-to-face at a G20 meeting in China, and later via the rare use of a direct messaging system to the Kremlin -- one originally intended to avert nuclear war.

After Election Day, with a growing urgency, the Obama administration retaliated, closing Russian compounds in the United States believed to be used for spying as well as expelling some 35 Russian diplomats and imposing more sanctions on Russia.

In secret, Obama considered taking more aggressive steps, including initiating a National Security Agency plan to place cyberweapons inside critical Russian systems for potential activation if Russia were to attack again, as first reported by The Washington Post.

So what happens the next time Americans vote? Lawmakers of both parties and top intelligence officials are unanimous in their answer: Russia will strike democracy again.

"It's not about Republicans or Democrats. They're coming after America," James Comey, the former FBI director who was fired this year by Trump, said in a congressional hearing earlier this month. "They want to undermine our credibility in the face of the world. And they will be back, because we remain that shining city on the hill, and they don't like it."

Clapper told CNN there is no reason to believe Russia will stop infiltrating US political organizations and individuals.

"I'm quite sure they are," Clapper said. "I think it's in their DNA whether during the Soviet era or now."