The Apprentice: Trump, Russia and the Subversion of American Democracy. Greg Miller

Чтение книги онлайн.

СКАЧАТЬ the massive U.S. spy organization responsible for all forms of electronic espionage. The AIVD turned over images of the hackers, IP addresses (numeric codes that correspond to specific computers on the network), and other information that the NSA was able to corroborate.

      From that moment in 2015, the scale of the Russian operation and its consequences for the United States would only expand. But at the time, U.S. officials saw the alert about the penetration of the DNC as falling into the category of conventional espionage, the sort of data gathering that Russia, China, and every other country with enough hacking capability—including the United States—pursues. Such probing of government, institutional, and corporate networks was so persistent and aggressive by state-level hacking enterprises that the adversaries involved acquired distinct reputations. The Russians were seen as the most sophisticated and—ironically, given how the year would play out—adept at hiding their tracks. China was “noisier,” less concerned with getting caught. While improving, Iran and North Korea were second-tier players. Attacks on think tanks and political organizations like the DNC were a problem, but defending against them was not necessarily the job of the U.S. government, which had enough on its hands fending off the equally frequent assaults on higher-stakes targets: classified networks, black budget programs, weapons designs.

      Protecting those assets required constant vigilance. In November 2014, less than a year before the DNC attack, the White House experienced a Russian offensive so brazen that American officials saw it as a turning point in Kremlin tactics. The hackers gained entry with a common “spearphishing” ruse—sending bogus emails with disguised links or attachments that, once clicked, led to a malware-infested site set up to gather passwords and other sensitive information. The most striking aspect of the intrusion wasn’t that Russian hackers got into a White House network—in this case an unclassified email system that allowed White House staff to correspond when the issue at hand wasn’t sensitive, such as writing your husband that you’d be home late, or a congressional staffer that you’d received her letter. What was exceptional was how they reacted when confronted in that digital space by American cyber defenders. Rather than retreat and move on as the Americans patched holes, the Russian operatives stayed and fought. Every time the Americans severed the Russians’ connection to the malware they had installed—key to their survival inside the White House network—the intruders managed to repair the link or create a new one.

      The NSA team had a remarkable penetration of its own: through secret “implants”—the software equivalent of a Trojan horse, bits of pre-positioned code—the Americans were able to monitor the Russians’ computers and see their adversaries’ every move in advance, as if watching them wheel new weapons into position before firing. The advantage proved decisive, but only after a protracted fight. At a 2017 security conference, Richard Ledgett, who was deputy director of the NSA at the time, described the battle as the online equivalent of “hand-to-hand” combat and a game changer unlike any the agency had ever waged.

      The DNC penetration detected by the Dutch did not prompt such a daring showdown. The information was noted on internal NSA report logs and shared with other agencies, including the FBI. On August 6, 2015, an agent from the FBI’s Washington, D.C., field office called the DNC’s front desk and asked to speak with the “person in charge of technology.” Inevitably, he was transferred to the computer help desk and put in touch with an IT contractor, Yared Tamene.

      FBI special agent Adrian Hawkins told Tamene that there were signs of compromise in the DNC system and provided some computer IP addresses that he said would help to locate the intrusion. But the address was the one the DNC used for its entire network—tied to more than a thousand laptops, servers, and phone lines. Tamene was a former college math instructor who had been an IT consultant at the DNC for four years but was no cybersecurity expert. He had heard plenty about how individuals were conned out of their passwords by hackers pretending to be from the government, a bank, or a credit card company, and was wary. He pressed Hawkins to provide proof of his position, but remained unswayed by the agent’s attempts to convince him.

      The call lasted several minutes, as Hawkins outlined in somewhat cryptic terms the bureau’s concerns about the breach. He wanted to know whether the committee had detected the intrusion on its own and done anything about it. Tamene hesitantly acknowledged that the committee had endured some phishing attacks, but dodged detailed questions about the organization’s staff and systems. Hawkins then offered the first hint—although an indirect one—that the bureau suspected Russia. Check for malware associated with “the Dukes,” he said, an industry nickname for the hacking group with ties to Moscow. Tamene seemed unfamiliar with the moniker but agreed to have a look. After hanging up, he and a colleague did a quick internet search, read up on the group’s methods, and performed a cursory search of DNC log files. They found nothing and Tamene couldn’t help wondering whether he had fallen for a prank. Tamene informed his supervisor, Andrew Brown, the DNC’s chief technology officer, of the incident.

      The disconnect persisted through subsequent interactions—that is, when both sides managed to connect at all. In October, two months after he first called the DNC, Hawkins left a series of voice mails for Tamene, who ignored them, later explaining he had nothing new to report. Behind the scenes, he appealed to Brown for help, telling him, “We need better tools or better people.” A month later, in November, the FBI agent finally got through, only to be told by Tamene that the DNC network appeared clean. Hawkins countered by again providing the DNC address, saying it was “calling home” to Russia. Tamene took this warning more seriously. He and his team began exploring whether there were gaps in the DNC’s defenses—bad search parameters, problems with the firewall—that were preventing the IT department from detecting the intrusion. But again, his follow-up checks yielded no evidence of compromise. It would later turn out that the FBI’s internal deliberations were so slow that by the time Hawkins had permission to pass along one IP address, the Russians had switched to another.

      All of this back-and-forth had given Russia’s hackers another three months inside the DNC servers. In all that time, the FBI’s Hawkins had not seen fit to raise the matter with top officials at the DNC. Nor did they learn at this stage from their own staff: because of the tech team’s failure to find evidence of the hack, Brown evidently felt no need to sound internal alarms.

      The bureau’s failure to contact a single official above Tamene would later be deemed by the DNC to be an unfathomable lapse. The FBI, for its part, felt it had tried repeatedly to warn the committee—in fact, Hawkins was so frustrated by the difficulty in getting through that in December 2015, he went to the low-slung DNC building on a quiet street two and a half blocks south of the Capitol. He asked the security guard in the lobby to be on the lookout for Tamene, and to stop him and have him call the bureau.

      After months of frustration, the FBI pushed for a face-to-face meeting. In February 2016, Hawkins, Tamene, and two of his IT colleagues arrived at Joe’s Cafe, in Sterling, Virginia, thirty miles west of the DNC’s Washington office, but a ten-minute drive from the DNC’s data center in Loudoun County.

      There in Joe’s Cafe, Tamene’s lingering uncertainty about Hawkins’s FBI credentials finally subsided when the agent produced his badge. More important, Hawkins also produced a set of computer logs from a day in December showing precise time stamps that enabled the DNC to narrow its search for suspicious activity. He listed penetrations of other targets by the Dukes and recommended a tool that could help detect intruders on DNC systems. In a February 18 email, Hawkins even provided IP addresses associated with the DNC intrusions—data that traced the attack back to its origin in Russia.

      AFTER FINALLY CONVINCING THE DNC TECH TEAM THAT THE breach was real, Hawkins urged them not to block those Russian incursions. Take modest steps to protect sensitive data, he said, but don’t disrupt the correspondence between the two systems or make any moves that would let Russia know its operation had been discovered. Though counterintuitive, this would allow further monitoring and avoid sending the hackers into hiding or, in a worst-case scenario, wiping the system of data to cover their tracks—leaving a barren, broken network. СКАЧАТЬ