2016 Elections

Democrats Left the Door Open to Russian Hacks

The party's headquarters could have done better to protect itself from cyberattacks.


Writing about the latest Russian government-sponsored cyberattack his firm had to deal with, Dmitri Alperovitch of cybersecurity company CrowdStrike noted it was rare for clients to want to publicize these breaches. The Democratic National Committee, however, had a good reason to go public: It claimed that the Russians had been looking for opposition research on Donald Trump.

Given how the U.S. media love to hate Trump, sinister theories could be expected to emerge, and they did. The New York Times, for example, mentioned “a subplot to the race: Paul Manafort, Mr. Trump’s campaign chairman, previously advised pro-Russian politicians in Ukraine and other parts of Eastern Europe, including former President Viktor F. Yanukovych of Ukraine.” The image that springs to mind is of Russian spies handing over the DNC files to Manafort, or to Trump himself, to aid the Republican candidate. Didn’t Hillary Clinton say they would be “celebrating in the Kremlin” if Trump won?

The Washington Post, which first reported the breach, quoted unnamed U.S. officials as saying the Clinton and Trump campaigns, as well as some Republican political action committees, had also been targeted -- yet they didn’t see fit to spread the news. The DNC’s revelations -- less titillating than they are embarrassing -- are nonetheless worrying. The story of two independent breaches that allowed the hackers months of unhindered access shows a cavalier attitude toward cybersecurity in an organization that should have known better. It shows Clinton’s e-mail scandal has taught U.S. Democrats little or nothing at all.

The DNC was first infiltrated a year ago by a group CrowdStrike calls Cozy Bear and the rest of the cybersecurity industry knows as Advanced Persistent Threat (APT) 29. Security researchers have tied it to the Russian government because the hacker team keeps regular working hours on Moscow time and observes Russian national holidays, and also because its targets were Western government organizations, media and think tanks. It has supposedly breached the unclassified networks of the White House, the State Department and the Joint Chiefs of Staff, and it’s known to use ingenious techniques, such as passing malicious commands to infected systems through pictures posted on fake Twitter accounts. The cybersecurity community by now has studied numerous examples of its malware, whose quality and variety suggest technical brilliance and a wealth of resources.

In April 2016, while APT 29 still had the run of the DNC’s computer network, another group came to play -- one dubbed Fancy Bear by CrowdStrike and known as APT 28 to the rest of the community. Alperovitch wrote that the attacks were not coordinated and Fancy Bear got in on its own, probably with no knowledge that other Russians were already there. Alperovitch’s take is that rivalry among Russian intelligence agencies caused the duplication; he linked APT 28 to the GRU, Russia’s military intelligence service. It’s hard to say how the connection can be made with any degree of certainty; all that other cybersecurity researchers have noted about the group is its use of the Russian language and its interest in east European militaries.

So far, neither group has been known to penetrate classified networks. Either these breaches are kept secret, or these particular Russian government departments -- or contract teams working for various intelligence services -- specialize in gathering less sensitive information, not to hurt the Western adversaries but to know them better. The Democrats’ opposition research on Trump is not exactly dynamite -- it’s stuff a good journalist could dig up in open sources. It’s easy, however, to imagine top Russian intelligence officials, or President Vladimir Putin himself, listening to a report on the juiciest tidbits of that research and chuckling to themselves. The Kremlin must have stocked up on popcorn as soon as the first “Bear” penetrated the DNC: Entertainment was coming. The current U.S. election campaign is a fairground wrestling match in which Moscow is rooting for Trump just for the instability he can bring. No wonder more than one intelligence service wants a ringside seat.

What doesn’t make sense is that an organization such as the DNC is giving away free tickets. Both APT 28 and APT 29 use so-called spear-phishing to infiltrate networks. They send out e-mails disguised as work-related or coming from trusted colleagues, and they wait for a careless staffer to click a link or open an attachment in these messages. At the DNC, that happened at least twice, meaning its staffers have not been adequately trained in the basics of cyberdefense. They should have been: It’s a no-brainer that foreign intelligence services -- Russian, Chinese, North Korean, perhaps even European because of the sheer entertainment value of the current election -- would come snooping.

After the breaches took place, the hackers stuck around for months without the network administrators noticing anything. As a civilian organization, the DNC may not have the defenses of a military or government department to rely on, but it has resources at its disposal; between January 2015 and the end of April 2016, its operating expenditures reached $74.6 million. If it could afford to call in CrowdStrike when its information technology team finally realized something was amiss, then it could have afforded to arm itself better to begin with. 

Clinton’s defensive responses to accusations of e-mail improprieties indicate she doesn’t quite realize why using a private server run from her home was not particularly safe for a secretary of state. Apparently, the lack of understanding runs deep in Clinton’s party. Cybersecurity shouldn’t be an afterthought in politics or in government. The theft of some Trump-related files is not the worst possible result of negligence. It may well be that APT 28 and APT 29 are just decoys, teasing Western nations with hints of Russian cyberpower. After years of their successful operation, it’s time to get serious about protecting sensitive data.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

    To contact the author of this story:
    Leonid Bershidsky at lbershidsky@bloomberg.net