Андрей Солдатов - The Red Web - The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries

If an attack could be attributed to a hacking group with a known history of attacking similar targets and this group’s attacks consistently worked to benefit one particular country, this constituted enough evidence to determine that the attacks were backed and directed by the state of that beneficiary country. [25] Already in 2015 more and more people with expertise in digital forensics and threat intelligence got behind the theory that the technical analysis is sufficient for a proper attribution. The major shift happened around the investigation of the Sony hacking in November 2014, when the attack was attributed to North Korea.

The attack on the DNC was the first offensive investigated with this new approach in mind. Both CrowdStrike’s Alperovitch and the US intelligence community concluded that all evidence pointed to a Russian government–backed attack. In fact, Alperovitch was certain he had caught identifiable Russian military intelligence operatives red-handed, right in the middle of executing the DNC operation. “Andrei, all of them are in uniform!” he exclaimed to Soldatov during a meeting in Washington. The US intelligence community shared Alperovitch’s convictions. [26] The US intelligence community reports named the military intelligence, the GRU, and FSB as entities responsible for the attack, and the Obama administration finally sanctioned the GRU and the FSB. See The White House, “FACT SHEET: Actions in Response to Russian Malicious Cyber Activity and Harassment,” December 29, 2016, https://obamawhitehouse.archives.gov/the-press-office/2016/12/29/fact-sheet-actions-response-russian-malicious-cyber-activity-and .

Although Alperovitch and his team expelled the hackers from the DNC computer system, that didn’t stop the hackers’ operation. They simply moved to the next stage: publishing kompromat .

On July 1 DCLeaks.com released a series of private emails written by the former NATO commander in Europe, four-star general Philip Breedlove. This leak was meant to show the Obama’s administration weakness toward Russia, using emails that allegedly show Breedlove trying to overcome Obama’s reluctance to escalate military tensions with Russia in response to the conflict in Ukraine. [27] Lee Fang and Zaid Jilani, “Hacked Emails Reveal NATO General Plotting Against Obama on Russia Policy,” Intercept , July 1, 2016, https://theintercept.com/2016/07/01/nato-general-emails .

On July 22 WikiLeaks published a massive collection of internal DNC emails. It was a large haul, with 19,252 emails and 8,034 attachments from the inboxes of seven key staffers of the DNC, including communications director Luis Miranda and national finance director Jordan Kaplan. The same day Guccifer 2.0 claimed on Twitter that he had leaked the DNC emails to WikiLeaks. [28] Andrea Peterson, “WikiLeaks Posts Nearly 20,000 Hacked DNC Emails Online,” Washington Post , July 22, 2016, www.washingtonpost.com/news/the-switch/wp/2016/07/22/wikileaks-posts-nearly-20000-hacked-dnc-emails-online/?utm_term=.ab5eada621e9 . See also Joseph Cox, “Guccifer 2.0 Claims Responsibility for WikiLeaks DNC Email Dump,” Motherboard , July 22, 2016, https://motherboard.vice.com/en_us/article/guccifer-2-claims-responsibility-for-dnc-email-dump .

In mid-August DCLleaks.com released personal information—including mobile phone numbers—belonging to more than two hundred Democratic Party lawmakers.

The data hemorrhage seemed unstoppable.

The US government had to respond and respond swiftly, and it had a playbook ready. This set of rules was called cyber CBMs, or “confidence building measures.” The author of the cyber CBMs concept was Michele Markoff, a seasoned American diplomat who had spent half her career in strategic nuclear arms control negotiations. In 1998 she went into cyber and became a key figure at the Office of Cyber Affairs in the State Department. The career of her Russian counterpart, Andrey Krutskikh, had followed a similar trajectory—from nuclear arms control to cyber. In the 2010s Markoff and Krutskikh represented their respective countries at most of the talks between Russia and the United States on cyber space.

Markoff believed that the Internet needed a set of measures similar to the ones established to prevent a nuclear war. These controls, she thought, could prevent a cyber conflict from escalating. She found a good listener in Krutskikh. In June 2013 she secured the US-Russia bilateral agreement on confidence building in cyber space.

As part of the agreement the White House and the Kremlin established the Direct Communications Line. Essentially a secure communication line, it ran between the US Cybersecurity coordinator and a deputy head of the Russian Security Council and could be used “should there be a need to directly manage a crisis situation arising from an ICT [information and communications technology] security incident.” [29] The White House, Office of the Press Secretary, “FACT SHEET: U.S.-Russia Cooperation on Information and Communications Technology Security,” June 17, 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/06/17/fact-sheet-us-russian-cooperation-information-and-communications-technol . It was the digital era’s equivalent of the mythical Cold War red telephone, the hotline that connected the presidents of the Soviet Union and the United States in emergencies.

The new hotline was integrated into the existing infrastructure of the Nuclear Risk Reduction Center, located in the Harry S Truman Building, the headquarters of the US State Deparment. It was from there at the end of September that Michael Daniel, Obama’s cyber czar who had a background in national security, passed a message to Sergei Buravlyov, a deputy secretary of the Russian Security Council and colonel-general of the FSB. “It was used the first time since it was established,” said Daniel, whose mission was “to communicate the US government’s serious concerns about the Russian information operation to attempt to influence the election.” The line was built to pass a message, and only if there is further escalation does it provide an option to communicate by voice. “We didn’t get to that,” recalled Daniel. He declined to comment how his Russian counterpart received the message, but it obviously was not a diplomatic success. [30] Michael Daniel, interview with authors, March 2017.

There was, it turned out, a fundamental flaw in Michele Markoff’s logic. Modern cyber conflict is simply not comparable with conventional armed or nuclear conflict. When there is a missile launch or preparation for a missile launch, there is no way for the government to deny responsibility. However, all kinds of informal actors who are not easily detected can launch cyber attacks. This is called the problem of attribution, and it means a government can disown responsibility. The Kremlin saw this flaw and exploited it to the fullest. They had a different playbook. The message to Buravlyov was a dead end.

Vladimir Putin was clearly enjoying himself when, on September 1, a Bloomberg reporter asked him about the DNC hack. He laughed and said, “There are a lot of hackers today, you know, and they perform their work in such a filigreed and delicate manner that they can show their ‘tracks’ anywhere and anytime. It may not even be a track; they can cover their activity so that it looks like hackers are operating from other territories, from other countries. It is hard to check this activity, maybe not even possible.”

The president was apparently under the impression that hackers could not be identified and thus the attack could not be attributed. Putin clearly had not been briefed about the major shift in digital forensic and attribution policy that had taken place within the cybersecurity community in the spring and didn’t expect the US government to accuse Russia of running the hacking operation. But just in case, he carefully repeated the line of defense his spokesperson Peskov had previously used: “Anyway, we do not do that at the government level.”