The FBI suspects that Russian government hackers breached the networks of the Democratic National Committee and stole emails that were posted to the anti-secrecy site WikiLeaks on Friday. It’s an operation that several U.S. officials now suspect was a deliberate attempt to influence the presidential election in favor of Donald Trump, according to five individuals familiar with the investigation of the breach.
The theory that Moscow orchestrated the leaks to help Trump—who has repeatedly praised Russian President Vladimir Putin and practically called for the end of NATO—is fast gaining currency within the Obama administration because of the timing of the leaks and Trump’s own connections to the Russian government, the sources said on condition of anonymity because the investigation is ongoing and developing quickly.
About 20,000 internal DNC emails were disclosed just days before the beginning of the Democratic National Convention in Philadelphia and several showed an effort by staffers to undermine Bernie Sanders’s campaign against Hillary Clinton. One email even discussed challenging Sanders’s religious faith. In response to the embarrassing revelations, DNC Chairwoman Debbie Wasserman Schultz announced she would step down after the convention.
Current and former U.S. officials drew analogies to so-called active measures campaigns, or state-sponsored operations designed for political effects.
“The release of emails just as the Democratic National Convention is getting underway this week has the hallmarks of a Russian active measures campaign,” David Shedd, a former director of the Defense Intelligence Agency, told The Daily Beast. Shedd said that additional leaks were likely, echoing an opinion expressed by U.S. officials and experts who said that the release of emails on Friday may just be an opening salvo.
Officials also noted Trump’s own connections to the Russian government. Putin has publicly praised the nominee, who said he was “honored” by the compliment. Trump’s campaign manager, Paul Manafort, was a consultant for Viktor Yanukovych, the former president of Ukraine who was ousted for his pro-Moscow orientation (and now lives in Russia). One of Trump’s top national security advisers, retired Army Gen. Michael Flynn, sat with Putin at a dinner celebrating the 10th anniversary of Kremlin-backed media network RT and was paid to give a speech at the event; Flynn later retweeted an anti-Semitic message that called into question any Kremlin-Trump link. Another Trump adviser, Carter Page, recently denounced America’s “often-hypocritical focus on democratization” while in Moscow. And last week, Trump said that he might not come to the aid of U.S. NATO allies in the face of Russian aggression unless they paid what he thinks they owe for Europe’s common defense.
Officials also thought it was telling that the emails were given to WikiLeaks, which is perceived as being hostile to the U.S. government. “This wasn’t surprising to us,” said one U.S. official familiar with the investigation.
An FBI spokesperson said in a statement Monday that the bureau was investigating the breach but declined to comment on whether political motivation was part of the inquiry. “A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace,” the spokesperson said.
“I’m sure they will consider potential motives,” White House Spokesperson Josh Earnest told reporters on Monday.
Two U.S. officials told The Daily Beast that while hacking is a crime, and therefore falls under the FBI’s jurisdiction, trying to manipulate an election is not. That may limit what the FBI can investigate, the officials said.
“Manipulation is not a crime. Some would argue that Voice of America or Fox News try to manipulate elections,” one retired FBI agent told The Daily Beast.
That doesn’t mean the FBI has to remain silent if it finds evidence of Russia’s meddling. Should the bureau release a statement after an investigation tying the Russians to the hack and subsequent release to WikiLeaks, that would essentially be a public indictment, the officials said.
It also may be possible for the FBI to investigate the question of intent, including whether the email leak is an instance of an unregistered foreign agent illegally trying to influence the U.S. political system, another U.S. official said. But it’s easier for the FBI to investigate the breach and theft of information itself, which are clearly prohibited under U.S. law, the official added.
The FBI first notified the DNC in April that it had been breached, said two individuals who are familiar with the matter. U.S. law enforcement and intelligence officials had been aware of two Russian hacker groups that have been linked to the intrusion and are also believed to have compromised networks in U.S. government agencies, including the Defense Department, the State Department, and the White House, as well as U.S. companies and universities.
The DNC hired a computer security firm, CrowdStrike, to investigate the breach. It has publicly attributed the operation to two known hacker groups connected to the Russian government that it dubs Cozy Bear and Fancy Bear.
The two groups, which compete with one another, got into the DNC networks last summer and this April, respectively, CrowdStrike told The Washington Post, which first reported the breaches last month.
Another cybersecurity firm, ThreatConnect, independently assessed the breach and concluded that the DNC operation was consistent with the hackers’ previous efforts to gather information on U.S. officials and operations.
The theft of information, which at the time reportedly consisted of opposition research and the DNC’s files on Trump, seemed to be part of a longer campaign of spying by the Russians in order to glean insights into the next president. Director of National Intelligence James Clapper also said in May that there were indications both presidential campaigns had been targeted by foreign hackers.
But the provision of the DNC emails to WikiLeaks added a new dimension to the intrusion. (The group has pushed back against the idea that Russia supplied the emails.)
“If there is a concerted effort to undermine the campaign of the Democratic Party nominee, we can and should expect additional embarrassing emails to be released by WikiLeaks, including from candidate Hillary Clinton’s personal server,” Shedd, the former Defense Intelligence Agency chief, said.
The top Democrat on the House Intelligence Committee said lawmakers had been briefed on the intrusion and “will continue to seek further information from the [intelligence community] as to the origin of any attack and a potential connection to Russia or another state sponsor.”
“If the hack is linked to Russian actors, it would not be the first time cyber intrusions linked to the Kremlin and its supporters have sought to influence the political process in other countries,” Rep. Adam Schiff said in a statement. “Given Donald Trump’s well known admiration for Putin and his belittling of NATO, the Russians have both the means and the motive to engage in a hack of the DNC and the dump of its emails prior to the Democratic Convention. That foreign actors may be trying to influence our election—let alone a powerful adversary like Russia—should concern all Americans of any party.”
Within the email dump itself, there were further indications of foreign meddling in the campaign.
On May 4, DNC opposition researcher Alexandra Chalupa told a colleague that ever since she began collecting information on Trump campaign director Paul Manafort, she had been receiving daily security warnings from Yahoo that her personal account may have “been the target of state-sponsored actors.” Such notifications are routine when an internet or email provider suspects that a user may have been hacked or is likely to be hacked.
Chalupa told DNC Communications Director Luis Miranda in an email that she continued to get the warnings from Yahoo “despite changing my password often.”
A few days prior to that message, a DNC staffer notified colleagues that the committee’s rapid-response blog, Factivists, had been “compromised.”
“We have been compromised! But it’s all ok,” Rachel Palermo said in a brief message to an unspecified number of recipients. Palermo said that to “prevent future issues,” the password to the blog would be changed “every few weeks. She also included a new password in the email, which the intruders may well have seen.
And in mid-May, two DNC staffers communicating about a donor said that her email account had been hacked and was no longer working. The donor was identified only as Agnes. Agnes Gund is a prominent philanthropist and Democratic donor. DNC officials told The Washington Post that their donor files weren’t accessed. It’s not clear if the donor’s email was hacked by the same Russian groups.
Attributing the source of a breach to a specific actor is difficult, but CrowdStrike, which has close ties to the FBI and U.S. intelligence community, provided some details on its findings in a recent blog post. The company based its attributions on characteristic tools and techniques that it has attributed to the hacker group in previous intrusions.
Cozy Bear prefers “a broadly targeted spearphish campaign,” or using emails that appear to come from a trusted sender but that actually include web links that will insert malicious software code onto a victim’s machine, CrowdStrike reported. The code uses sophisticated tools to remotely access the computer, as well as encryption to cover their tracks, both of which indicate “a well-resourced adversary.”
Fancy Bear likewise has developed a suite of hacking tools and techniques and has been linked to intrusions on U.S. government systems, CrowdStrike said. The group tends to favor establishing websites “that spoof the look and feel of the victim’s web-based email services in order to steal their credentials.”
It’s not clear precisely how the groups penetrated the DNC’s networks. But CrowdStrike said its analysts “immediately” recognized the hackers’ signatures. Separately, another computer security firm, ThreatConnect, has corroborated the findings and also found that a hacker group going by the moniker Guccifer2, which claims to have provided the emails to WikiLeaks, is likely a Russian-goverment operation.
Any FBI investigation likely would not be released until after the election, and any could be read as sending a political message. Should Trump win, for example, and the FBI announces it found a Russian connection to the hack, some might argue that the FBI is trying to taint Trump’s victory. That would also come on the heels of the FBI’s decision to not charge Clinton with having classified email on her private email server, a decision that outraged many Republicans.
A public finding that the Russians interfered would also exacerbate already tense negotiations between the U.S. and Russia over an agreement to share intelligence and better coordinate strikes in Syria. The increased cooperation has divided much of the U.S. government, some of whom do not see the Russians as trustworthy.