Michael Isikoff reports that there are clues to the hackers’ identity.
Just weeks after she started preparing opposition research files on Donald Trump’s campaign chairman Paul Manafort last spring, Democratic National Committee consultant Alexandra Chalupa got an alarming message when she logged into her personal Yahoo email account.
“Important action required,” read a pop-up box from a Yahoo security team that is informally known as “the Paranoids.” “We strongly suspect that your account has been the target of state-sponsored actors.”
Chalupa — who had been drafting memos and writing emails about Manafort’s connection to pro-Russian political leaders in Ukraine — quickly alerted top DNC officials. “Since I started digging into Manafort, these messages have been a daily occurrence on my Yahoo account despite changing my password often,” she wrote in a May 3 email to Luis Miranda, the DNC’s communications director, which included an attached screengrab of the image of the Yahoo security warning.
“I was freaked out,” Chalupa, who serves as director of “ethnic engagement” for the DNC, told Yahoo News in an interview, noting that she had been in close touch with sources in Kiev, Ukraine, including a number of investigative journalists, who had been providing her with information about Manafort’s political and business dealings in that country and Russia.
“This is really scary,” she said.
Chalupa’s message is among nearly 20,000 hacked internal DNC emails that were posted over the weekend by WikiLeaks as the Democratic Party gathered for its national convention in Philadelphia. Those emails have already provoked a convulsion in Democratic Party ranks, leading to the resignation of DNC Chair Debbie Wasserman Schultz in the wake of posted messages in which she and other top DNC officials privately derided Bernie Sanders and plotted to undercut his insurgent campaign against Hillary Clinton.
But Chalupa’s message, which had not been previously reported, stands out: It is the first indication that the reach of the hackers who penetrated the DNC has extended beyond the official email accounts of committee officials to include their private email and potentially the content on their smartphones. After Chalupa sent the email to Miranda (which mentions that she had invited this reporter to a meeting with Ukrainian journalists in Washington), it triggered high-level concerns within the DNC, given the sensitive nature of her work. “That’s when we knew it was the Russians,” said a Democratic Party source who has knowledge of the internal probe into the hacked emails. In order to stem the damage, the source said, “we told her to stop her research.” …
In mid-June, Democratic Party suspicions about the hackers seemed to be confirmed when CrowdStrike, an outside security firm retained by the DNC, reported that it traced the hackers to two separate units linked to Russia’s security services: the FSB, Russia’s equivalent of the FBI, and GRU, the country’s military intelligence agency. The company noted strong similarities between the attack on the DNC by the suspected GRU hackers and previous cyberintrusions of unclassified systems at the White House, the State Department and the offices of the Joint Chiefs of Staff. (After discovering the data breach, a DNC security source said its cyberexperts noted that the hackers’ exfiltration of files took place “9 to 5, Moscow time.”)
Patrick Tucker, at the Atlantic, has more details.
Considerable evidence shows that the WikiLeaks dump was an orchestrated act by the Russian government, working through proxies, to undermine Hillary Clinton’s presidential campaign.
“This has all the hallmarks of tradecraft. The only rationale to release such data from the Russian bulletproof host was to empower one candidate against another. The Cold War is alive and well,” Tom Kellermann, the CEO of Strategic Cyber Ventures said.
Here’s the timeline: On June 14, the cybersecurity company CrowdStrike, under contract with the DNC, announced in a blog post that two separate Russian intelligence groups had gained access to the DNC network. One group, FANCY BEAR or APT 28, gained access in April. The other, COZY BEAR, (also called Cozy Duke and APT 29) first breached the network in the summer of 2015.
The cybersecurity company FireEye first discovered APT 29 in 2014 and was quick to point out a clear Kremlin connection. “We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg,” they wrote in their report on the group. Other U.S. officials have said that the group looks like it has sponsorship from the Russian government due in large part to the level of sophistication behind the group’s attacks.
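Both excerpts lean on the same attribution clue: exfiltration running “9 to 5, Moscow time” and APT29 activity aligning with UTC+3 and pausing on Russian holidays. That is a working-hours analysis a defender can run over their own timestamps once a breach is found. The Python below is an added example, not code from the article, from CrowdStrike or from FireEye; the event timestamps and the holiday list are constructed for illustration, and the 09:00 to 17:59 Monday-to-Friday window is an assumed definition of a working day. It scores every fixed UTC offset by how many events land inside that window, so the analyst can see which offset fits rather than guessing one.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample (not real DNC telemetry): UTC timestamps at which a
# monitored host was seen pushing data to an external address.
SAMPLE_EVENTS_UTC = [
    "2016-04-18T06:05:00Z", "2016-04-18T08:40:00Z", "2016-04-18T11:15:00Z",
    "2016-04-19T07:30:00Z", "2016-04-19T10:20:00Z", "2016-04-19T14:50:00Z",
    "2016-04-20T06:45:00Z", "2016-04-20T09:10:00Z", "2016-04-20T13:05:00Z",
    "2016-04-21T08:15:00Z", "2016-04-21T12:30:00Z",
    "2016-04-22T07:00:00Z", "2016-04-22T14:25:00Z",
    "2016-05-10T09:40:00Z",
]

# Illustrative holiday list (assumption for this example); a real analysis
# would load an authoritative public-holiday calendar per candidate country.
SAMPLE_HOLIDAYS = {date(2016, 5, 9)}  # Victory Day, a Russian public holiday


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_fit(events_utc, offset_hours, start_hour=9, end_hour=18):
    """Fraction of events falling Mon-Fri in [start_hour, end_hour) local time
    when UTC is shifted by offset_hours. 1.0 means every event fits."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for stamp in events_utc:
        local = parse_utc(stamp).astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(events_utc) if events_utc else 0.0


def rank_offsets(events_utc, offsets=range(-12, 15)):
    """Score every candidate UTC offset; best fit first, ties broken toward
    the smaller absolute offset. Returns a list of (offset, fraction)."""
    scored = [(off, working_hours_fit(events_utc, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


def events_on_holidays(events_utc, offset_hours, holidays):
    """Count events whose local date is a listed holiday. Zero is consistent
    with an operator who stops on those days; it is supporting evidence,
    not proof of origin."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(1 for s in events_utc
               if parse_utc(s).astimezone(tz).date() in holidays)


if __name__ == "__main__":
    ranking = rank_offsets(SAMPLE_EVENTS_UTC)
    best_offset, best_fit = ranking[0]
    print(f"best-fitting offset: UTC{best_offset:+d} "
          f"({best_fit:.0%} of events inside Mon-Fri 09:00-17:59)")
    for off, fit in ranking[:5]:
        print(f"  UTC{off:+d}: {fit:.0%}")
    print("events on listed holidays at that offset:",
          events_on_holidays(SAMPLE_EVENTS_UTC, best_offset, SAMPLE_HOLIDAYS))
```

With the constructed sample, UTC+3 is the only offset that captures 100% of the events, while UTC+2 and UTC+4 each miss two and UTC+0 misses six. On real data the ranking is a hypothesis generator, not an answer: a neighbouring offset with nearly the same score, a small event count, or an operator who deliberately works odd hours all weaken the inference, which is why the published attributions above pair timing with targeting and tooling overlaps.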