For months now, we've been hearing of alleged Russian interference in the US election, but the story has been muddled by rumors, leaks, and competing narratives. This week, the New York Times published an in-depth investigation titled "The Perfect Weapon: How Russian Cyberpower Invaded the U.S.," which brings together the many pieces of the saga in an attempt to present a clearer picture of what we know and what is left to find out. Scott Shane, who co-authored the investigation with David Sanger and Eric Lipton, talks with Brooke about how the great election hack of 2016 began much earlier than previously thought, with a poorly handled cyber break-in at the DNC in September 2015.
White Man Sleeps I by Kronos Quartet
BROOKE GLADSTONE: From WNYC in New York, this is On the Media. Bob Garfield is away this week. I’m Brooke Gladstone, with a new installment in what already feels like a very old story.
MALE CORRESPONDENT: A former CIA director calls it the political equivalent of 9/11.
MALE CORRESPONDENT: American intelligence officials say they are convinced that Russian hacking of our president’s election was approved by President Vladimir Putin. Sources confirmed to CBS News –
MALE CORRESPONDENT: The CIA believes Russia interfered in the election specifically to help Mr. Trump win the presidency by hacking and leaking Democratic documents.
MALE CORRESPONDENT: Donald Trump rejects the US intelligence conclusion that Russian cyber attacks were intended to interfere with the presidential election.
DONALD TRUMP: They have no idea if it’s Russia or China. It could be somebody sitting in a bed someplace.
BROOKE GLADSTONE: Since the story of the hack broke this summer, it's been hard to keep track of who knew what, when and who knows anything now. This week, The New York Times published an in-depth investigation titled, “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.” that collects all the threads and tries to entangle the narrative.
Scott Shane, who reported the piece with David Sanger and Eric Lipton, says that the saga of the great election hack of 2016 actually begins in September, 2015, when an FBI agent determined that computers at the Democratic National Committee had been hacked by a group linked to Russia and gave the office a call.
SCOTT SHANE: It went to the help desk, tech support – at the DNC and they passed it to an IT guy, by no means a cyber security expert. He was somewhat skeptical that the guy on the line was actually an FBI agent, but the FBI agent gave him some information about the supposed hack and he went to Google to try and check it out. This begins a long series of exchanges that went over quite a few months in which no one in the higher reaches of the DNC actually learned that the FBI believed their computer network was compromised.
BROOKE GLADSTONE: There were some fits and starts along the way. For instance, in March 2016, there was a pivotal event. Hillary Clinton's campaign chairman John Podesta got an email with the subject line, “Someone has your password.”
SCOTT SHANE: What appeared to be a message from Google was reviewed by a campaign computer guy and he sent an email that said, this is a legitimate email. When we talked to him, that computer guy said he had just typed the wrong word and he meant to say it was an illegitimate email.
BROOKE GLADSTONE: But what happened is that Podesta clicked the link that was provided in the original email and, thus, a decade's worth of his stored email became available to these hackers.
SCOTT SHANE: Exactly. He’s changing his password, right, and so he's essentially sending the Russian hackers his new password, thank you very much.
BROOKE GLADSTONE: So they hire a cyber security firm called CrowdStrike, and it concludes that two groups have actually infiltrated the DNC, Cozy Bear and Fancy Bear.
SCOTT SHANE: Exactly. Cozy Bear, by CrowdStrike's estimation, entered the DNC networks in the summer of 2015, poked around for months and took whatever they wanted to take but did not make any of it public. So it was a sort of traditional espionage operation. That same group has broken into the unclassified systems at the State Department, the White House, even at the Joint Chiefs of Staff. So this was far from unprecedented. Then what happens is the other Russian hacker group, which CrowdStrike calls Fancy Bear, breaks in first to the Democratic Congressional Campaign Committee, which is in the same building as the DNC, and then travels over what's called a VPN line into the DNC, stealing some of the same things. So I guess Russian intelligence is stovepiped just like American intelligence.
BROOKE GLADSTONE: How did CrowdStrike figure out that it was the work of Cozy Bear and Fancy Bear because, as you wrote, identifying a cyber attacker is more art than science?
SCOTT SHANE: You know, I like to think of it as, you know, in traditional law enforcement a cop might get to know the work of a particular burglar. In the cyber world, there is a similar approach. CrowdStrike sees a certain pattern in the phishing emails that a group sends.
BROOKE GLADSTONE: Spear phishing, that’s when you direct an email to fool a particular target who will then click and let you in.
SCOTT SHANE: Exactly, and they also look at the malware that is installed on the system. That can also identify the attacker. And then they look at the targets in the history of the group. In this case, some of the past targets were the Georgian government at the time of the little war between Russia and Georgia in 2008, the Ukrainian election, NATO. CrowdStrike told us that there was really only one government that would have an interest in all the targets, and that was Russia.
Then there’s the fact that these hackers seemed to be active between 9 and 5, Moscow time. And finally, the American intelligence agencies claimed to have corroborating evidence from other sources, which they won't describe but you can imagine a human source working for the CIA somewhere in the Russian government or NSA might be intercepting messages that connect these hacking groups directly to a Russian intelligence agency.
BROOKE GLADSTONE: That is the problem though, isn't it, when you hear of possible human and technical evidence that the American people can't be allowed to know because it could compromise sources and methods, we have to take a lot of things on faith.
SCOTT SHANE: That's right. I guess what convinced me was what seems to be unanimity among the various, you know, sometimes feuding American intelligence agencies that this was, indeed, a Russian state attack and also a very broad consensus among cyber security researchers. And I think also you have to look at the big picture. One of the really interesting things that someone pointed out to me who studies these issues is that we see this attack on the election as, well, Russia has attacked us, what are we going to do to retaliate?
But the Russians see this, actually, as payback because they already blame the Americans for stirring up trouble in Ukraine, stirring up trouble in Georgia and, particularly, stirring up those demonstrations against Putin in 2011, which Putin publicly blamed on then-Secretary of State Hillary Clinton.
BROOKE GLADSTONE: Now, a lot of that is great context but it's still circumstantial. You talked about a lot of cyber experts who subscribe to the view of the American intelligence agencies but there are some that don't. Jeffrey Carr, for instance, is a cyber security analyst we've had on the show and he's critiqued private firms, like CrowdStrike, for building the evidence to support their assumptions. Is it possible that the evidence fits together a little too neatly?
SCOTT SHANE: It certainly is. Anyone who remembers Colin Powell's speech to the UN in which he presented, you know, what appeared to be an ironclad case against Saddam Hussein, has to approach every one of these situations with skepticism. I did interview Jeffrey Carr. He wasn’t actually denying the case. He was saying it just had not been proven yet. I didn't find, in talking to, you know, a bunch of other cyber security experts and firms, any others who had his degree of skepticism.
BROOKE GLADSTONE: So getting back to mid-June of this year, the DNC goes public with the fact that it's been hacked by the Russians. Then Guccifer 2.0 appears. Who is Guccifer 2.0?
SCOTT SHANE: [LAUGHS] I think a lot of people are wondering. The intelligence agencies ultimately concluded that Guccifer 2.0 is actually a composite created by Russian intelligence so that they could take the hacked documents and start to make them public. So in this very kind of irreverent, funny, first post, he puts up a DNC oppo research manual on Donald Trump and a bunch of other documents, and he also mentions, I've given most of the documents to WikiLeaks, so they'll be coming out there soon.
BROOKE GLADSTONE: Guccifer calls himself a lone hacker. What clues did researchers find linking him to Russia?
SCOTT SHANE: You know, among several other things, the copy of Word that Guccifer 2.0 had apparently used was actually a Russian copy of Microsoft Word. And a guy who works for Motherboard was clever enough to contact Guccifer 2.0 through the Twitter account he had created, or they had created. And when he said he was a Romanian hacker, the Motherboard reporter went to Google Translate and sent him some questions in Romanian. And there were questions that came back in what looked like Romanian, but later when he went to some actual Romanians and said, look at this – [LAUGHS] it appeared that both sides were using Google Translate.
BROOKE GLADSTONE: Your piece stressed how stealthy and sophisticated Russian cyber power is. It’s called “a perfect weapon” in the headline. But doesn't it seem kind of clumsy? For instance, the Podesta emails were revealed through a really simple spear phishing technique. And why would the group insert the name of the founder of the Soviet secret police, in Russian, in the metadata of the hacked documents? It was in Guccifer’s documents. Isn’t that kind of obvious?
SCOTT SHANE: It is kind of obvious. You know, the hackers that Russia uses are presumably young free spirits. NSA recruits its hackers at, you know, hacker conferences now.
And the other possibility is that it may be Putin is perfectly happy to have the US government know this is his work. I think the reference to cyber attacks being a perfect weapon, when you think about Russia as an ailing economy now with low oil prices and unable to use its nuclear arsenal, thank God, you know, to compete, cyber, for a relatively small cost, allows Russia to have very significant influence, as we see. To raise questions about the legitimacy of the election, that's quite an accomplishment.
And Vladimir Putin, who, of course, was a career KGB guy, is a martial arts aficionado – understands how you can use American institutions, like elections and like the aggressive, competitive media, against his enemy, the US.
BROOKE GLADSTONE: But don't our assumptions influence our perception of the story? I mean, your piece notes that Putin is a martial arts expert, metaphorically doing jujitsu on us. Is that merely a colorful narrative flourish or is it kind of rhetorically stacking the deck?
SCOTT SHANE: [LAUGHS] I mean, I guess I feel like the evidence for that is pretty compelling. When you look at the performance of the US media using these hacked materials, you know, we were much more excited about what various DNC folks said about each other or about Hillary Clinton, what perhaps sarcastic or negative thoughts John Podesta was expressing with his associates. Coverage, which came out day after day after day, because of the way WikiLeaks released the Podesta emails, in particular, overwhelmed the reporting that was also going on, on the fact that this appeared to be a Russian government hack and consideration of what the motive might be.
BROOKE GLADSTONE: But the press did report on both the emails and supposed Russian source, right, so how could it have gone differently?
SCOTT SHANE: I think that's a really interesting journalism school case study that probably will be looked at for years. We kind of need to examine our own conduct and think about, at least, whether there should be limits on what we do with confidential material that’s been hacked and released, you know, perhaps with a very particular motive, either in terms of geopolitics or espionage.
BROOKE GLADSTONE: Now, the Intercept noted that in 2014 the Justice Department produced a 56-page indictment that detailed its exact evidence against a team of Chinese hackers that were accused of stealing our trade secrets and that we are owed this same level of evidence in this case because these claims, if true, would have far greater consequences here and internationally. Do you agree with that?
SCOTT SHANE: If the US government actually has or gets the information - we, we heard that they have begun to identify some individuals in Russia who they believe are responsible for this stuff - so we may yet see a set of indictments like the indictments in the Chinese case. Certainly, it would help clarify matters and clear up a lot of these doubts and some of the skepticism, which, of course, is being fueled, first and foremost, by the President-elect Donald Trump, if the Justice Department and the FBI actually came out and said, here are the people, the literal individuals who we believe carried out these attacks.
BROOKE GLADSTONE: Scott, thank you very much.
SCOTT SHANE: Thank you, Brooke.
BROOKE GLADSTONE: Scott Shane is a national security reporter for The New York Times.
Coming up, why can’t the FBI and the CIA just get along? This is On the Media.