The Apprentice: Trump, Russia and the Subversion of American Democracy. Greg Miller

Чтение книги онлайн.

СКАЧАТЬ the White House Correspondents’ Dinner and a weekend of follow-up events got under way in Washington, Sussmann formally moved to enlist CrowdStrike to protect the DNC. The intrusion and the plan to counter it were to be kept secret from most DNC staff. “You can’t let the attackers know you know they’re there,” Sussmann instructed Dacey. “You only have one chance to raise the drawbridge.” If the hackers were tipped off, they could destroy logs and wipe their tracks or worse—steal piles of data while making a scorched-earth retreat. Most Democrats would party in blissful ignorance of the potential nightmare going on back at their national committee headquarters.

      For the DNC, the timing was terrible. Half a dozen primaries had just ended, with Clinton taking a commanding lead, but the coming weeks formed a brutal final sprint, with potentially decisive contests in ten states, including Oregon, Indiana, and California. The Democratic National Convention, the committee’s showcase event, was twelve weeks away. The party had picked Philadelphia for the 2016 event, and 50,000 people were expected to attend, including about 5,000 delegates, with millions more watching on television.² The DNC’s staff was working around the clock planning for the general election. It was also an intense period of political maneuvering. Supporters of Bernie Sanders, the senator from Vermont, were already suspicious that a party apparatus held tightly in the Clinton family grip had sought to deny them the nomination, and the internal debates about candidates, strategies, fundraising, and campaigning were detailed in thousands of internal DNC emails, spreadsheets, and other files—all residing on a computer system that might have been thoroughly compromised by Russia.

      “You had staff running full tilt, gathering research on the Republican front-runner, Donald Trump,” Dacey recalled. “You had an intruder inside the system who was interested in that opposition research, and a convention to plan for. It was the perfect storm.”

      By Friday, May 6, CrowdStrike had worked with Tamene’s team to install stronger threat detection system software. Immediately it turned up troubling evidence of two Russian hacking teams—the newly discovered, “noisier” intruder as well as the quieter one that the FBI had long warned the DNC was already inside.

      U.S. intelligence agencies had for years been reluctant to publicly identify hacking groups by country out of concern that doing so would jeopardize sources as well as run the risk of complicating diplomatic relations. When they wanted to signal publicly that a nation-state was behind a cyber campaign, they adopted the euphemism “advanced persistent threat,” or APT. The term had been coined in 2006 by an Air Force intelligence officer looking for a way to pass information to defense contractors getting hammered by a specific set of foreign hackers, without revealing the classified detail that the country behind the assault was China. It had then spread to cyber firms in the private sector and now was used throughout the industry. A Chinese cell known as People’s Liberation Army Unit 61398 had carried off a string of thefts of intellectual property and commercial secrets from American and European defense contractors, and engaged in espionage against countries including the United States, Canada, India, and Israel as well as against the United Nations. They were so prolific and brazen that like graffiti artists, they sometimes left telltale signs of who they were, lines of computer code that sometimes included nicknames such as “Ugly Gorilla.” Unit 61398 became known as APT1.

      The teams rummaging through the DNC machines were known from previous intrusions on other targets and already had their designated monikers: APT 28 and APT 29. CrowdStrike had its own branding conventions using animals to represent various countries. Chinese groups were pandas, while the label for the Russian teams was based on a symbol associated with that country for centuries: the DNC hackers were dubbed Fancy Bear and Cozy Bear.

      CrowdStrike was confident that Fancy Bear—the later arrival at the DNC—was an extension of the GRU. Cozy Bear’s affiliation was less clear. CrowdStrike suspected that it was tied to Russia’s domestic intelligence service, the FSB. But U.S. intelligence agencies had for years been certain that whatever the name—Cozy Bear, APT 29, or the Dukes—the team was an extension of Russia’s foreign intelligence service, the SVR.

      The original Cozy Bear DNC hack had taken place so long ago that log files were difficult to come by, but with what they could find, CrowdStrike investigators began to reconstruct the intruders’ actions. The Cozy Bear crew had been disciplined and patient. They had compromised the DNC’s email, chat, and internet phone systems. They had set up an automated mechanism so that every time a DNC employee got an email, a copy was forwarded to Cozy Bear. The unit stole passwords and log-ins for system administrators, but behaved cautiously with these keys, never gorging themselves on data they could access, always minimizing the chances of getting caught. The April newcomer, however, had no such manners—it foraged without restraint.

      Investigators saw no indication the two teams were working together or were even aware of one another’s presence, though they did seem to target separate areas of the network: Fancy Bear went after research files, at one point making off with a trove of opposition material on Trump, while Cozy Bear focused on emails and chats. The bottom line was clear: the committee and many of its internal secrets had been utterly exposed. Yet in calculating the damage, DNC leaders and investigators relied on an assumption that seemed reasonable: that while whatever information the Russians had taken might be mined by Kremlin analysts, it wouldn’t be exposed publicly. Cozy Bear, after all, had attacked other nongovernmental organizations and defense contractors as well as foreign governments and political organizations. “This is a sophisticated foreign intelligence service with a lot of time, a lot of resources,” Henry concluded. “There’s no doubt this is a nation-state targeting a United States political system. What are candidates thinking about? What are they developing? What are their strategies? It’s classic espionage.” And classic espionage meant not revealing to the world what had been stolen, if for no other reason than it would jeopardize subsequent efforts.

      Having taken measure of the breach, the experts began drafting a plan to kick the hackers out. Doing so would require rebuilding entire systems, resetting passwords, and picking a time to shut the network down. On an aggressive timeline, the operation could be carried out starting around May 20. But DNC leaders were reluctant to disrupt the network at a time when the party’s nomination had not yet been secured, so a date was set for the three-day Memorial Day weekend, when it would be easier to take the system offline without cutting into work time or raising suspicions. Yet while Clinton’s lead was commanding, Bernie Sanders was still in the race and drawing energetic crowds. The DNC leadership decided it was better to wait even longer and ensure that the contest was clinched. CrowdStrike held off, scheduling the work for mid-June.

      During that stretch, the Russians amassed more emails that appeared to show DNC bias in favor of Clinton—not only old correspondence, but new messages written during the stretch when the DNC could have been in cleanup mode. And because the hacking was still being kept secret, nobody outside the inner circle had any sense that they should be more cautious than usual when sending emails and documents. On May 21, Mark Paustenbach, a committee communications official, wrote to a colleague, “Wondering if there’s a good Bernie narrative for a story, which is that Bernie never ever had his act together, that his campaign was a mess.” Other damaging emails had been written before CrowdStrike had even had enough time to conclude the attack was being carried out by Russians. For example, on May 5, a committee staffer emailed Paustenbach and Dacey suggesting a way to call voters’ attention to Sanders’s faith. “It might make no difference, but for KY and WVA can we get someone to ask his belief. Does he believe in a God,” wrote Brad Marshall, the DNC’s chief financial officer, who had lived and worked for years in Kentucky. “He had skated on saying he has a Jewish heritage. I think I read he is an atheist … My Southern Baptist peeps would draw a big difference between a Jew and an atheist.” This was way beyond the official DNC position, which was that the organization was there to help all Democratic candidates without favor toward any in particular. Marshall added in a second email that it came down to the “Jesus thing.” Dacey replied: “AMEN.” Dacey later insisted that she had meant her remark not as affirmation of the plan but to express understanding СКАЧАТЬ