On Friday, October 7, the U.S. Department of Homeland Security and the Office of the Director of National Intelligence released a statement, and it was a pretty stunning announcement. Barely two and a half months after a cyber attack on the Democratic National Committee was revealed, the Obama administration laid the blame at the feet of Russia's President Vladimir Putin with a strongly worded statement. The U.S. government publicly blaming a foreign country for attacking a U.S. entity, that's an
incredibly rare thing. I was surprised when I saw the statement come out, even though it's something that private cybersecurity experts have been talking about for a while. The government formally blaming a foreign entity has only happened a handful of times, and specifically here, the U.S. was accusing Russia of hacking the Democratic Party right as voters prepared to go to the polls on November 8. It's a scary prospect. Could hackers tamper with or even obliterate our votes?
So here's my question. We are so close now to election day, and you can tell because that's really all you see on TV right now. So how do we know for sure what we think we know about these hacks? This is a perpetual problem in cybersecurity, and it reminds me of the famous New Yorker cartoon that goes: on
the internet, nobody knows you're a dog. But when you're investigating a cybersecurity breach, nobody knows whether you're a Russian hacker, or a Chinese hacker pretending to be a Russian hacker, or even a U.S. hacker pretending to be a Chinese hacker pretending to be a Russian hacker. Or, as Donald Trump put it so delicately: "I don't think anybody knows it was Russia that broke into the DNC. She's saying Russia, Russia, Russia, but I don't...
Maybe it was. I mean, it could be Russia, but it could also be China, could also be lots of other people. It also could be somebody sitting on the bed that weighs four hundred pounds." Okay. And how is the U.S., or anyone else for that matter, so certain that the Russians are trying to hijack our elections? What should an ordinary voter do? And should we even care? Hi, I'm Aki Ito. And I'm Jordan Robertson, and this week on Decrypted, we're going to take you inside the hunt for the
people who hacked the Democratic National Committee. It's a sort of tale of how two of the world's great superpowers have found themselves locked in an escalating information war just weeks before millions of Americans go to the polls, and the stakes really couldn't be any higher. Not only is this the most divisive election we've seen in recent memory, with Hillary Clinton and Donald Trump advocating for completely different visions of America, but also hanging in the balance is
the democratic process itself. What happens to a country's sovereignty in the age of the Internet? Our story today starts in April, when the IT staff at the Democratic National Committee noticed something a little weird going on in their network. For our non-American listeners, this is the official organization behind the Democratic Party, the DNC,
and the IT staff there escalated their concerns to their executives, and a cybersecurity firm called CrowdStrike was called in to investigate. So CrowdStrike is one of a small group of digital forensics firms that really, all they do is investigate data breaches. They went in, they installed software on the DNC servers, essentially allowing them to spy on the spies, and it didn't take them long to pin the attacks on two groups of hackers associated
with the Russian government. They called these groups Cozy Bear and Fancy Bear. Cozy Bear and Fancy Bear? Is this some kind of industry inside joke? Yeah, the cybersecurity industry has a lot of kind of goofy, funny names for groups. They're thematic, often associated with a region. Some others are called Deep Panda and things like that. I love that. Then CrowdStrike closed all the security holes that had allowed the attackers to breach the DNC servers, so the
hackers wouldn't be able to read the staff's emails anymore. Now, normally you don't really disclose this kind of thing unless you absolutely have to. It's certainly embarrassing for the DNC, especially when, as we learned later, they were warned about their network's vulnerabilities and ended up ignoring those early warnings. But the DNC may have had a hint that some of this information was about to be leaked on the internet, so they dropped this bombshell.
"But first, the Democratic National Committee said today Russian government hackers have penetrated its computer network. Breaches by two separate groups allowed hackers to access emails, internal chats, and opposition research Democrats have compiled on presumptive Republican nominee Donald Trump." That's PBS NewsHour reporting the hack on June 14, the day this all became public, and it hit the U.S. political
system like a bolt of lightning. People were furious: how dare Russia try to mess with America, that type of thing. And then, one day after the DNC announcement, someone, or a group of people, who go by the name Guccifer 2.0 came out in a blog post and basically laughed in the DNC's face. This person was like, no, you idiots, I am the lone hacker that infiltrated the DNC, and this had nothing to do with the Russians.
And Guccifer 2.0 released a bunch of documents that he claimed he had stolen from the DNC as evidence that he was behind it, and from there it was chaos. Was it the Russians, or some loner kid who had too much time on his hands? And that's when CrowdStrike called in this guy for help. My name is Mike Buratowski. I'm the senior vice president
of cybersecurity services at Fidelis Cybersecurity here in Maryland. I lead an incident response team of about thirty individuals, and we've handled some of the largest breaches that have occurred over the past decade or so. So I've known Mike for several years now, and he's a really interesting guy. He used to be a cop with the Montgomery County Police Department in Maryland, and he looks like an ex-cop. He's got the short-cropped haircut, solidly built guy, but
very friendly and, you know, very genial. Even before his time in the private sector, he had this long experience of tracking down criminals. Mike's now an incident responder. In cybersecurity speak, that means he flies out at the drop of a hat to companies that believe they've been breached and helps investigate and fix their networks. So, like the computer nerd version of CSI or Law and Order. Right. And Mike and Fidelis's job was to independently verify the group of people who attacked
the DNC in this cybersecurity version of the whodunit investigation. It's called attribution in the industry, and CrowdStrike had asked Fidelis and two other firms to check their work. So we had, you know, we got five pieces of malware. We had a team of four reverse engineers, that's all they do is reverse engineering, so we had them bang on it. Jordan, I think we should
explain this for listeners. Sure. So CrowdStrike sent Mike's team five files of the computer code that was on the DNC servers and was responsible for stealing information from the emails. And the job of Fidelis and these two other firms was to look at this code in what's called a virtual environment, like a parallel universe. Right, it's a simulated computer system where the code can't do any
damage on the real servers. Hackers use all kinds of tricks to prevent their malware from even opening in that kind of hall of mirrors, so a key job of an investigator is decoding all of those techniques to see how the attack code actually behaves. Okay, and then Mike's
team compared that behavior to documented code from the past that was linked to the two hacker groups associated with the Russian government, the two groups CrowdStrike called Cozy Bear and Fancy Bear, and the clues surfaced immediately. You know, really there were a couple of things that we looked at. So you look at the complexity of what the malware was able to do, the fact that it had the ability to basically terminate
itself and wipe its tracks, hide its tracks. You know, that's not stuff you see in commoditized malware. Really, it kills itself? It kills itself. Yeah, and actually one of the functions within one of the pieces of malware had a terminology for essentially hara-kiri, to kill itself. So this automatic suicide switch, this is something that's incredibly sophisticated, right? I mean, this is one of the reasons that Fidelis and CrowdStrike and the other
forensics researchers were so taken aback by this malware. You know, there's a black market for pre-built malware on the Internet that even somebody like me can piece together, so malware can be like Legos. But this feature of killing yourself to avoid getting detected, that's really complicated stuff. And that's when Mike's team knew they were dealing with real pros here. You know, there aren't a ton of people
around the world who have this level of sophistication. And there were a bunch of other things that backed up this conclusion. The level of access that the malware gave the malicious user was pretty astonishing. It was also written very, very well. I guess elegant is probably a good way to say it. It was not sloppy by any stretch of the imagination. And again, so you start looking at, okay, who would
have had the capability to do that? And you know, we talked earlier how, yeah, you can have somebody on the inside do something, but they may not be the best at it. So you've got to have people who have a lot of experience doing it or a lot of training to do it. And it was a very complex piece
of malware that the average person probably couldn't use. It's also not something that we've seen out in the wild necessarily. It's very targeted pieces of malware, very limited. And you can't buy it on the black market? You can't buy these components? No, not that we've come across. Okay, okay. So so far we know that this attack was orchestrated by someone really, really good, someone really, really experienced, and that immediately limited the pool of people who could be
responsible for this. It really limited the pool of people to someone with the kind of resources that come with backing from an entire government. And on top of that, there were a bunch of things that pointed to the code being written in Russia. Yeah, some of these details are really interesting.
So one of the most fascinating for me is, you know, from the way the code was written, it was clear that it was written on a Russian-language keyboard, and the dates and times that the code was compiled were during normal business hours in Russia, and that's consistent with the code that's already been traced back to the Russian government-backed hackers in the past. And that's not something that you can easily fake, right? Like change the time
stamps or something? Yeah, that was my question too, but Mike said there are so many different things that you'd have to consistently change to successfully pull off that spoof. You're dealing with a situation that, if it was a one-off, is easier to change. You know, same thing with, you know,
you can change the date and time on your computer. Absolutely, you could do that, and it would potentially throw an investigator off. Consistently across five pieces of malware? Okay, you know, probably a little more difficult. Across x number of pieces of malware across how many incidents, and to all have
them point to the same place? And that's why Mike doesn't buy Trump's theory of this four-hundred-pound man sitting on the bed orchestrating this incredibly sophisticated attack, and why he doesn't buy Guccifer 2.0's claim that he was a lone hacker. Okay, is it a script kiddie? Is it somebody who bought a piece of malware? Or is it, you know, somebody drinking Mountain Dew, eating Twinkies in mom's basement? No, it really needs a level of operational discipline that you
don't see really in the wild. And you're right, the number of people who could pull it off becomes dramatically narrower. So Aki, are you convinced? I mean, I think so. I don't know. I keep on expecting a twist, like you're tricking me, like in Law and Order when the guy who seems really suspicious turns out to be innocent in the end. Yeah, I like that. Well,
here's maybe the most important part. Then you need to look at the target, the victim of this hack, which was the DNC, and, it later turned out, a broad cross section of the U.S. political system, everyone from lobbyists to lawyers to Hillary Clinton's campaign. And going back to Mike's background of working in law enforcement, you have to ask who would have had the motive to pour this kind of effort into spying on key
members of American politics. Sure, an opportunistic hacker, you know, putting a feather in their cap, saying, hey, we broke into the DNC. Okay, yeah, I mean, that could potentially happen. But then releasing the emails the evening before the convention started? Well, then again, now you're looking at it, okay, well, you
know, that really smacks like an information operation. And here I think we should remind our listeners of the chronology of the events that took place just a few weeks after the DNC announced the hack in mid-June. I mean, this was a time when the Republican Party was still in complete disarray, but things were looking pretty good for the Democrats. This was a time when Hillary Clinton was trying to solidify her support, and you have this forest fire raging on the internet about this issue.
You have WikiLeaks and Guccifer 2.0 publishing a stream of emails that turned out to be really embarrassing for the DNC, at, you know, what couldn't have been a worse time for them. Yeah, like that one from when Bernie Sanders was still in the primary race with Hillary Clinton, and a senior staffer at the DNC talked about how they should try to paint Sanders as an atheist, try to question his Jewish faith,
and the party itself is supposed to be neutral. And that led to a lot of turmoil within the party. I mean, the Democratic Convention that took place at the end of July, that was kind of a mess, at least at the beginning. All these Bernie supporters were protesting and booing down speakers on stage, and ultimately DNC Chairwoman Debbie Wasserman Schultz, who was a rising young star in the party, resigned. And bringing this back to our story today, like you said, Jordan, this really
does point to motive. I mean, who would really want to introduce this kind of turmoil to the democratic process itself in America, which is, you know, really the sacrosanct thing? Who would want to do this thing that would make you question the fairness of the system that we've developed over the years? Yeah, this project has been interesting to me because I consider myself, you know, a pretty serious
skeptic on a lot of these claims. It's just way too easy for a hacked entity to throw out, oh, the Russians did this, and the Chinese did that, or whatever. Yeah, kind of like a get-out-of-jail-free card when your company has been hacked, right? These really sophisticated, organized hackers backed by a whole government: if someone like that tries to target you, what could you have
possibly done? It's like when we reported about Yahoo's breach, which was this massive, you know, more than five hundred million customer accounts getting hacked; we reported that the company's claim of the attack being state-sponsored, you know, isn't so ironclad. But this one with the DNC, after talking to Mike, after talking to all these other experts,
Jordan, are you convinced? Yeah, I'm pretty convinced. I mean, it takes a lot to clear that hurdle of, you've got this piece of malware and this is evidence that the Russians did it. You know, but Mike will be the first to tell you this. Well, it's
always risky. I mean, you know, when you're doing attribution, you're really never saying a hundred percent that it's this person, because, you know, barring seeing somebody at the keyboard and actually doing it, or a confession, you're relying on that circumstantial evidence. This all comes down to Mike's days as a cop. Can you prove to a jury beyond a reasonable doubt that the Russians
did this? And his answer was yes. And now the U.S. government has come out and officially blamed the Russian government. And there are lots of reasons potentially for that happening. There are ways that the government can really know what's going on: intercepted phone calls, intercepted emails, human and signals intelligence sources, in a way that no private cybersecurity firm could ever match. Sounds a little sinister. Well, we don't know for sure. But here's what Rob Owens, who was an
industry analyst at Pacific Crest Securities, told me. Nation states do hack. I think the U.S. government hacks as well. It's a well-known fact within the industry that everybody's hacking everybody to some degree. So maybe the U.S. government was spying on Russia while Russia was spying on the DNC? Well, we know that both countries spy on each other all the time, but in this case, we don't know exactly what the evidence is. But it's fair
to assume that that's the case. And that's why at the top of the show today you called it an information war, like the Cold War of our generation. Exactly. So if we've managed to keep our listeners till now through this complicated journey inside the DNC hack, first of all, thanks for sticking with us. And second of all, I think the burning question everyone has now is what's next. So far, it's been about introducing turmoil
into the democratic process. And you know, I'm not a U.S. citizen, but my girlfriend is, and I don't think I know anyone who's more excited about voting in November than she is. Could these Russian hackers, could they tamper with her vote? That's one really, really important point here. In reality, it's very hard to hack actual votes. That's why information warfare, like we are potentially seeing here,
is so much easier to do. To do any real damage to the votes, you'd have to actually hack the vote tabulators, and these are computers that sit inside county and state offices counting votes, and those are never supposed to be connected to the Internet. Does that mean you can't hack them ever? Of course not. It would just be a huge undertaking. So I wouldn't worry too much about a hacker stealing your vote. It could happen, it's
just not the most likely attack. So what should we be worried about? Well, the biggest threat is actually that the hackers could try to mess with your voter registration records, not your actual vote. If you wanted to actually tamper with the election results, you drop people from the voter rolls and make it harder for them to vote, you know, you change their polling locations to someplace far away, those kinds of things. But I wonder, you know, the
Russians, what do they want to do? Is it really tampering with these results, or is it more about traditional espionage? Is it more about influencing the public perception of these really important people in our democracy? My sense is that if the goal here was to inject kind of chaos into the system and to undermine confidence in the democratic system, you know, then that's a really
powerful weapon. And it's been wielded pretty effectively here. And in the meantime, WikiLeaks is saying that it still has more emails that paint Hillary Clinton in a pretty bad light. And I think we're all on edge here waiting for that bombshell to drop. Yeah, we hear all kinds of things about, you know, it won't be an October surprise, it will be a November surprise. There will be more emails, and you know, with hacked communications,
you almost never know what you're gonna get. All right. Well, Mike, anything else you wanted to say about the industry or specifically, you know, what voters should expect going into November? I would expect it will be a wild ride. Yeah, that's what I was going to say. Put your seat belt on, because you never know what's gonna turn up. You know, hopefully it'll be uneventful, but it wouldn't surprise me if
it wasn't. Well, that's it for this week's episode of Decrypted. Thanks for listening, and if you have an iPhone, be sure to subscribe to the show on iTunes or any of your favorite podcast apps out there. And while you're there, please take a moment to rate and review our show. These ratings and reviews really help get our show in front of more listeners and let us know what you
thought of today's show. I'm on Twitter at Aki seven, and I'm at Jordan R one thousand. Our technology team here at Bloomberg is on Twitter at Technology. This episode was produced by Pia Gadkari, Magnus Henriksson, and Liz Smith, with help from Emily A view So. Alec McCabe is head of Bloomberg Podcasts. We'll see you next week.