Following weeks of accusations and insinuations — and counterclaims and skepticism — about the role of the Russian government in this summer’s hack of the Democratic National Committee’s email (an attack given the evocative name “GRIZZLY STEPPE” by the Department of Homeland Security), a new joint report was published today by the DHS and FBI. The question is, does the new report actually clear anything up?
Every once in a while, we are shocked, and a little thrilled, to find ourselves in agreement with Donald Trump. Last night, for example, the president-elect spoke the unimpeachable truth when asked about the possibility of Russian hackers interfering in the election: “I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on.”
The fact is, he’s right. Computer is hard, and the general public is generally forced to trust self-proclaimed experts and intelligence agencies where questions of hacking and cybersecurity are concerned — a troubling dynamic when those questions are driving heightened tension between two nuclear superpowers. Today, President Obama announced new sanctions on Russia in response to what the administration says was Russian involvement in the hack of the Democratic National Committee. But the president-elect, and allied Republicans (not to mention some on the left), remain skeptical of those claims — or, at least, are unconvinced by the evidence. And while the Obama administration, congressional Democrats, some Republicans, and the intelligence establishment all agree that Russian hackers of some stripe were involved, there is some question of what they were trying to accomplish.
So what can we say for sure? What do we know and where does that knowledge come from? Does GRIZZLY STEPPE advance our knowledge? Let’s try to sort it out for you, and make the whole age of computer a little easier.
What do we definitely know, based on public information?
We know that the Democratic National Committee got hacked. We know this because, well, thousands of damaging emails from high-ranking officials in the DNC were sent to and then posted by WikiLeaks.
Note that when people use some version of the “Russia hacked the election” shorthand, this is what they’re talking about — not changing vote tallies, rigging the machines, or some other kind of intrusive infrastructural movement. It’s a more roundabout, but easier and more common, tactic for undermining an election: finding and releasing damaging information obtained by means of electronic intrusion.
What do we probably know, based on common sense, circumstantial evidence, and independent expert testimony?
The hackers who nabbed the DNC emails are probably from Russia. The main groups identified by cybersecurity firm CrowdStrike, which was contracted by the DNC in June to investigate the hack, are known as Fancy Bear, or APT 28, and Cozy Bear, a.k.a. APT 29 (APT stands for Advanced Persistent Threat).
Both “Cozy” and “Fancy” are well-known to security experts, but their size, scope, and organizational structure are unknown (or, at least, not publicly available). Fancy Bear is thought (again, by CrowdStrike) to be associated with Russian foreign-intelligence agency GRU, and Cozy with Russian surveillance agency FSB, but there is no definitive public proof of those connections. U.S. intelligence officials conveyed to BuzzFeed that they believe Fancy Bear to be taking orders from the Russian government, if not outright a part of it.
In early October, as fears of a Russian hack grew, the Department of Homeland Security and Director of National Intelligence issued a joint statement saying that the DNC thefts originated from Russian servers, but that they were not able to attribute them to the Kremlin.
Then there’s the Guccifer question. An online alias known as Guccifer 2.0 — “Guccifer” was the hacker who managed to nab emails from luminaries like George W. Bush and Colin Powell in 2013 — tried to take credit for the DNC hack in June, claiming to have pulled it off all on his own. In conversations with Motherboard, Guccifer claimed to be Romanian, but his use of his supposed native language was inconsistent (Motherboard demonstrated that Guccifer’s “Romanian” was consistent with Russian Google-translated into Romanian), and the quality of his English veered wildly at times, suggesting multiple users handling the Guccifer 2.0 alias.
What can’t we prove definitively based on publicly available information?
That the Russian government was behind the hack. This is the crux of Trump’s (convenient) skepticism.
The intelligence community strongly believes that the Russian government was involved, though. There is circumstantial evidence pointing to the Bears as being behind the attack, and the Russian government being behind them. Malware found on a DNC computer was programmed to communicate with a Fancy Bear–affiliated IP address. Metadata in a leaked file contained references, in Cyrillic, to a historical figure of the Soviet secret police. The person who registered DNC-email publisher DCLeaks.com used the same email service as whoever registered a domain used for phishing emails. It all points in the general direction of Moscow but at nothing specific.
There is supposedly other evidence, too, but we have no idea what it is. The FBI and the CIA are both reportedly highly confident that the Russian government sought not only to undermine our elections process, but also to get Donald Trump elected to office. Overwhelmingly, lawmakers in both the House and Senate are now urging intelligence briefings and reports on the matter. The information is not public because intelligence agencies don’t want to tip off any of the hackers.
What is being done in response?
An intelligence report is in the works for members of Congress, and is supposed to be made available before Trump is sworn in on January 20. In the meantime, the Obama administration today announced sweeping sanctions against Russia. Thirty-five Russian intelligence operatives are being ejected from the country, and the FBI has named two suspects believed to be behind the DNC hack. Six names were added to the Treasury Department’s list of Specially Designated Nationals and Blocked Persons.
What does today’s report tell us?
The Department of Homeland Security and the FBI published a joint report with more information about Fancy Bear and its ilk, revealing that the malicious activity by purported Russian intelligence services is known in the intelligence community as GRIZZLY STEPPE.
The report describes what U.S. intelligence believes to be the tactics used by APT 28 and APT 29, and provides a helpful (and entertaining!) list of suspected Russian intelligence groups, including Fancy Bear and Cozy Bear but also “CHOPSTICK,” “SEADADDY,” and “CakeDuke.”
Unfortunately, though, it offers little conclusive new public proof of the Russian government’s involvement. Rather, it reiterates that the U.S. government (well, its intelligence agencies, at any rate) believes that APT 28 and APT 29 are affiliated in some way with Russian government agencies. The question now, as it has been the whole time, is: How much do you trust American intelligence services to accurately and honestly describe threats to the public in the whole age of the computer?
Meanwhile, the Russian embassy in London is being extremely petty.