Unpacking Russian Hacking

In the summer and fall of this year, emails and documents belonging to the Democratic National Committee and Hillary Clinton Campaign Chairman John Podesta were published online by Wikileaks. Guccifer 2.0 – purportedly a Romanian hacker – published a smaller set of DNC documents prior to the first Wikileaks release (he also claimed to be Wikileaks’ source).

Crowdstrike – a private cybersecurity firm hired by the DNC – attributed the hacks to Russian intelligence agencies after one month of investigation. Their findings were reviewed and generally repeated by a number of other private firms. In October, the Director of National Intelligence and Secretary of Homeland Security released a joint statement, saying they were “confident the Russian Government directed the recent compromises.”

No new information on the hacks surfaced until after Donald Trump unexpectedly won a majority of electoral votes on November 9. Suddenly, a flurry of new reporting emerged, much of it recycling the same attribution conclusions from Crowdstrike and the DNI/DHS statement. But there were a series of additional allegations or conclusions, entirely from unnamed intelligence officials, that sharpened the narrative around the hacking. Specifically, the unnamed officials asserted (in this order): (i) Russia’s goal was to disrupt the election, in order to undermine confidence in the outcome (this was reported prior to the election as well); (ii) Russia’s goal was to elect Donald Trump; and (iii) Pres. Vladimir Putin personally directed and oversaw the hacking.

On December 29, the Obama Administration gave new life to the story when it announced sanctions on several Russian officials, private citizens, and public and private entities. The White House added to the sanctions by declaring 35 Russian diplomats (“intelligence operatives”) persona non grata and rescinded access to two Russian government properties in Maryland and New York.

I have neither the time nor space to meticulously cover each element of this story. There have been some excellent pieces that collect all the various threads, with links to the sources, at The Intercept and Empty Wheel.

Instead, I would like to focus on just two issues that caught my attention: hacking vs. leaking; and the sanctions targets.

Hacking vs. Leaking

In the media accounts, the hacking of the DNC and Podesta are often conflated with the leaking of the documents. This is strange because it is well-known and even tacitly accepted that foreign governments routinely hack and spy on U.S. presidential campaigns (e.g., the Chinese and Russians spied on both the Obama and McCain campaigns in 2008). Also, the medium of the leaks – Wikileaks – has repeatedly stated that their source is not Russian (choose to believe that or not, but it raises the question).

Indeed, I cannot find any current U.S. government official stating on the record that the Russian government leaked the hacked documents, although you have to parse their words carefully. Given that the people drafting, editing, and, in the President’s case, delivering these messages are lawyers, you need to think about their wording from a lawyer’s perspective.

Start with the DNI/DHS statement. The five sentences in the first paragraph offer three conclusions and two pieces of analysis:

  1. Conclusion: The U.S. Intelligence Community is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.
  2. Analysis: The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and Wikileaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.
  3. Conclusion: These thefts and disclosures are intended to interfere with the US election process.
  4. Analysis: Such activity is not new to Moscow – the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.
  5. Conclusion: We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.

Note that, except for number 1, the conclusions all have some analysis baked into them. If you boiled this down to a single sentence, it could be: “The Russians most likely hacked DNC/Podesta, and very well may have leaked them as part of an effort to interfere with our election, which could only be approved at the highest levels due to the scope and sensitivity of that effort.” As you can see, conclusions 3 and 5 are built on the weak foundation of analysis 2 – i.e., they are not confident the Russians leaked, and if they didn’t leak there is no attempt to influence the election.

Indeed, Pres. Obama incorporated the hacks vs. leaks distinction when answering questions at his final press conference on December 16. All of his answers refer to the Russian hacks, but generically to “the leaks” and “the leakers”. At one point, Obama used such tortured phrasing – “the leaks through Wikileaks had already occurred” – that you can’t ignore this distinction (why couldn’t he have said, “The Russians had already leaked the documents to Wikileaks”?). Also interesting was Obama’s exchange with Martha Raddatz, who asked about Putin’s personal involvement in the hacks (at 56:12 of the press conference video):

Note that Obama refused to go beyond the DNI/DHS statement – only that the IC is confident that the Russians were responsible for the hacking of the DNC and Podesta. He didn’t even touch the second part of her question – was this done to help Trump, which of course would first require a conclusion that the Russians also leaked the documents.

The FBI/DHS Joint Analysis Report (“JAR”) similarly seems to distinguish hacking from leaking. The JAR largely repeats the private sector (i.e., Crowdstrike, FireEye) analyses and conclusions with respect to the intrusions that occurred in 2015-16, and confidently assigns blame to APT 28/29. But the report mentions the ‘leaking’ only once:

First, sorry guys but I think we all know that “information was leaked to the press and publicly disclosed.” Second, why the shift from strong active-voice verbs on hacking to weak passive voice on leaking? If you look at this phrasing in the context of the DNI/DHS statement and Obama’s statements, it suggests that the U.S. Government does not know who leaked the DNC/Podesta data to Wikileaks. Indeed, as emptywheel noted, the JAR does not even discuss the Podesta hack.

Again, the hack vs. leak distinction is crucial because the Russians, Chinese, and probably other state actors have hacked past presidential campaigns. We knew it happened but did not consider it scandalous, probably because we do the same thing. Indeed, it is the leak that is (i) unprecedented and (ii) the basis for claiming Russia ‘interfered’ in our election. Thus, even if hackers acting on behalf of the Russian government hacked the DNC and Podesta emails, if they were not responsible for the leak there is no basis for treating the hack differently than past hacks.

Reading the Sanctions Tea Leaves

The new sanctions target entities and individuals from both the public and private sectors in Russia:


  • GRU – for “tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election” (emphasis mine)
  • FSB – “assisted the GRU” in the aforementioned activities
  • Igor Korobov – Head of GRU
  • Sergey Gizunov – Deputy Head of GRU
  • Igor Kostyukov – First Deputy Head of GRU
  • Vladimir Alexseyev – First Deputy Head of GRU

What’s interesting here is that, again, the wording of the justification for sanctions against GRU leaves open the possibility that the GRU did not leak the information that Wikileaks et al published. Second, the FSB assisted, but previous analyses concluded that the FSB and GRU efforts were uncoordinated and possibly unknown to each other.

The inclusion of Korobov may seem unremarkable at first, but there are some interesting background details. First, Korobov took over as Head of GRU in February 2016, after his predecessor – Igor Sergun – died of heart failure in early January (i.e., GRU had no Head for one month). Keep in mind that GRU allegedly sent the phishing emails to the DCCC and Podesta in mid-March. Ironically, despite being dead for a year now, Sergun is still on the OFAC sanctions list (for Ukraine sanctions implemented in 2014). OFAC never got around to removing Sergun and adding Korobov – despite ongoing GRU involvement in East Ukraine. In other words, sanctioning Korobov doesn’t do anything new.

Second, Gizunov’s inclusion is interesting because he was one of the other candidates to replace Sergun (along with Korobov and two other Deputy Chiefs). Gizunov has a cyber background, and writes inscrutable math texts on things like ‘pseudo-matroids’. The other two guys are a bit puzzling. Kostyukov is a ghost – I can’t find anything online about him in Russian or English. The only information on Alexseyev was this Moskovskiy Komsomolets article from 2011, which says he was the head of intelligence for the Moscow military region, then the far east region, and most recently back in Moscow in charge of GRU special forces (спецназ). That latter detail is interesting, as GRU spetsnaz units have reportedly been the most active in the Ukraine conflict.


  • Special Technology Center – “assisted GRU in conducting signals intelligence”
  • Zorsecurity (Esage Lab) – “provided the GRU with technical research and development”
  • Professional Association of Designers of Data Processing Systems – “provided specialized training to the GRU”
  • Two random Russian hackers not linked to the DNC hack – Evgeniy Bogachev and Aleksey Belan

Regarding the Special Technology Center, we again see a Ukraine connection – they produce the Orlan-10 drone that the GRU has used in Ukraine. Is the White House implying that the GRU used a drone to facilitate its hacking of the DNC? Nobody has claimed this previously.

Perhaps the most entertaining case is that of Zorsecurity, an apparently now-defunct company that operated in the ‘white hat’ cybersecurity sector. Its founder, Alisa Shevchenko, even won an award from the DHS last year for uncovering a vulnerability in Schneider Electric’s systems used in critical infrastructure. Shevchenko was profiled in Forbes Russia in 2014, which hinted at government contracts. She previously worked at cyber giant Kaspersky, which makes the popular antivirus software. Shevchenko denied that she does work for the government and that Zorsecurity was responsible for the hack in a separate interview with Forbes. If you look through her Twitter timeline, it’s mostly cats and cyber stuff I don’t understand. The Zorsecurity website is down now, but the mobile version is still available and under ‘areas of activity’ includes, “research and development for state structures.” Shevchenko also helped found a ‘hackspace’ called Neuron, which hosts nerdy meet-ups about ‘exploits’, etc. But there is not much there, really. The only interesting item I have been able to find in my searches is that one of Shevchenko’s former colleagues – Boris Ryutin – uses “Duke Barman” as his Twitter handle (‘the Dukes’ is one of the names used for APT29, the other group blamed for the DNC intrusion).

This has led some, like emptywheel, to speculate that OFAC just sanctioned Zorsecurity because it is a random – apparently defunct – company with no ties to the U.S. (i.e., more symbolic). Why did they not choose, for example, Kaspersky itself, which has a large U.S. presence and rumored ties to the Kremlin (the founder was allegedly in the KGB)? Or why not Group-IB, which has even more concrete ties to the FSB and GRU as well as a New York office? Because there would be real consequences, and it would invite real retaliation against U.S. tech companies operating in Russia, such as Google and Facebook.

What does it mean?

Indeed, it almost seems like this new round of sanctions was calibrated to express general annoyance with Russian behavior – for hacking, Ukraine, Syria, and harassment of U.S. diplomats in Russia – but not truly meant to punish Russia for ‘hacking our democracy’. One can easily imagine the kinds of sanctions that would come out of the fever dreams of Russophobes like Sens. McCain and Graham – a full or sectoral embargo against Russia similar to what we have for Iran, Syria, and North Korea. This would invite a serious response from Russia, and possibly even be seen as an act of war (as I argued in my last post).

Mainstream media commentators concluded that Obama was trying to ‘paint Trump into a corner’ by reacting to Putin’s ‘aggression’ forcefully before Trump takes office. But Obama has never been on board with the Russophobe crowd in Washington – just look at his approach to Ukraine (no lethal aid), Iran (cooperate with Russians on nuke deal), and Syria (just say no to no fly zones). Rather, I think Obama has rather skillfully placated the demands from Democrats that WE MUST DO SOMETHING, which have been whipped into an irrational frenzy by anonymous source-fueled media reports. But he has also avoided responding in any serious way that would meaningfully alter the trajectory of U.S.-Russia relations. Putin knows this and that is why he did not retaliate at all, while still launching colorful verbal attacks on the ‘lame duck’ Obama administration (you see, they’re playing along).

The subtext of all this nicely complements my reading of official statements on hacking vs. leaking: that we either do not know that Russia leaked the documents or maybe even have intelligence suggesting they did not leak the documents. Although they almost certainly did hack the DNC, it would not make sense to react to something we tolerated in the past and that our own intelligence community does. Instead, the debate is not moored in reality, but political theater.

The politicization of the issue is not just Clinton vs. Trump, but rising Russophobia generally. The latter is driven by a diverse group of powerful interests: neocons bored with the Middle East who need a new toy; defense contractors looking at the defense budget bills set for consideration in April (as well as the ongoing debate on nuke modernization); and the members of Congress who receive campaign contributions from the defense contractors. So there are major incentives to exaggerate and hype the threat posed by that ‘thug’ Putin.

Hopefully we will learn more from subsequent investigations, and perhaps these investigations will generate evidence that the Russians did leak the information. But I would be very surprised if we ever see an official statement from the U.S. government confirming that the Russians provided the information to Wikileaks. If I’m proven wrong, I will be the first to admit it.

Where could we get further information without declassification? I don’t have the technical background to know for sure, but shouldn’t the DNC have server logs showing data moving out? Were there any similar, unusual ‘exfiltrations’ of data? Aside from the long NYT article, I have not seen many quotes attributed to employees of MIS Department, the DNC’s IT vendor that ran the server. Employees at MIS Department would have had administrator access over the server. Did a disgruntled employee or overzealous Sanders supporter provide the data to Wikileaks? It is strange that none of the possible alternative sources of the leak have been investigated in the mainstream media. It would be beneficial for journalists to explore the entire story rather than incessantly rehash the Russia angle.
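To make the “server logs showing data moving out” question concrete, here is an added example of the kind of check an investigator with outbound flow or proxy logs could run. It is not code from the post, the DNC, MIS Department, or any firm named above. The log lines are constructed for illustration, the internal address range (10.0.0.0/8), the multiplier and the byte floor are assumptions, and the point is only to show what such logs can and cannot answer: they can show that an unusual volume left a host for a destination it never talked to before, but they say nothing about who ultimately handed the data to a publisher.

```python
"""Flag unusual outbound data volume in flow-log lines.

Added example, not from the original post. Records below are constructed;
INTERNAL, FACTOR and MIN_BYTES are assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")   # assumed address space of the victim network
FACTOR = 10                           # assumed: flag days > 10x the host's median
MIN_BYTES = 50_000_000                # assumed: ignore small spikes under 50 MB

# Constructed sample: "timestamp src dst dst_port bytes_out"
# 10.0.5.21 sends ~1 MB/day to a known site, then 1.45 GB to a new host at night.
# 10.0.5.30 is steady. One record is internal-to-internal and must be ignored.
SAMPLE_LOGS = """\
2016-04-18T09:12:01Z 10.0.5.21 203.0.113.10 443 512000
2016-04-18T13:40:17Z 10.0.5.21 203.0.113.10 443 604000
2016-04-18T14:02:00Z 10.0.5.30 203.0.113.10 443 300000
2016-04-19T10:02:44Z 10.0.5.21 203.0.113.10 443 498000
2016-04-19T22:05:09Z 10.0.5.21 198.51.100.77 443 1450000000
2016-04-19T11:15:30Z 10.0.5.30 203.0.113.10 443 310000
2016-04-20T09:30:12Z 10.0.5.21 203.0.113.10 443 600000
2016-04-20T09:31:12Z 10.0.5.21 10.0.7.9 445 90000000
2016-04-20T10:00:00Z 10.0.5.30 203.0.113.10 443 295000
2016-04-21T09:45:51Z 10.0.5.21 203.0.113.10 443 550000
2016-04-21T09:50:00Z 10.0.5.30 203.0.113.10 443 305000
"""


def parse_flows(text):
    """Return (day, src, dst, port, bytes) tuples for flows leaving INTERNAL."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        if ip_address(dst) in INTERNAL:
            continue  # east-west traffic is not an internet exfiltration path
        flows.append((ts[:10], src, dst, int(port), int(nbytes)))
    return flows


def daily_outbound(flows):
    """Total outbound bytes per (src, day) and the external destinations seen."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, src, dst, _port, nbytes in flows:
        totals[(src, day)] += nbytes
        dests[(src, day)].add(dst)
    return totals, dests


def find_exfil_candidates(flows, factor=FACTOR, min_bytes=MIN_BYTES):
    """Flag (src, day) pairs whose volume exceeds factor x that host's median
    daily volume and the absolute floor; list destinations the host never
    contacted on any other day, which is what an analyst would chase first."""
    totals, dests = daily_outbound(flows)
    per_host = defaultdict(dict)
    for (src, day), nbytes in totals.items():
        per_host[src][day] = nbytes

    findings = []
    for src, days in per_host.items():
        baseline = median(days.values())  # median resists the spike itself
        for day, nbytes in sorted(days.items()):
            if nbytes >= min_bytes and nbytes > factor * baseline:
                seen_elsewhere = set().union(*(dests[(src, d)] for d in days if d != day))
                findings.append({
                    "src": src,
                    "day": day,
                    "bytes": nbytes,
                    "baseline": baseline,
                    "new_destinations": sorted(dests[(src, day)] - seen_elsewhere),
                })
    return findings


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_flows(SAMPLE_LOGS)):
        print(hit)
```

Two caveats a practitioner would add. A host-relative median is a weak baseline: an intruder who trickles data out below the floor, or who stages it on a host that already pushes large backups offsite, never trips this check, so real investigations pair volume with first-seen destinations, off-hours timing and endpoint evidence. And even a clear hit only establishes that data left the server for a given address; the chain from that address to whoever published the documents is exactly the gap the official statements above leave open.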
