The FBI suspects that Russian government hackers breached the networks of the Democratic National Committee and stole emails that were posted to the anti-secrecy site WikiLeaks on Friday. It's an operation that several U.S. officials now suspect was a deliberate attempt to influence the presidential election in favor of Donald Trump, according to five individuals familiar with the investigation of the breach.
The theory that Moscow orchestrated the leaks to help Trump—who has repeatedly praised Russian President Vladimir Putin and practically called for the end of NATO—is fast gaining currency within the Obama administration because of the timing of the leaks and Trump's own connections to the Russian government, the sources said on condition of anonymity because the investigation is ongoing and developing quickly.
About 20,000 internal DNC emails were disclosed just days before the beginning of the Democratic National Convention in Philadelphia and several showed an effort by staffers to undermine Bernie Sanders's campaign against Hillary Clinton. One email even discussed challenging Sanders's religious faith. In response to the embarrassing revelations, DNC Chairwoman Debbie Wasserman Schultz announced she would step down after the convention.
Current and former U.S. officials drew analogies to so-called active measures campaigns, or state-sponsored operations designed for political effects.
"The release of emails just as the Democratic National Convention is getting underway this week has the hallmarks of a Russian active measures campaign," David Shedd, a former director of the Defense Intelligence Agency, told The Daily Beast. Shedd said that additional leaks were likely, echoing an opinion expressed by U.S. officials and experts who said that the release of emails on Friday may just be an opening salvo.
Officials also noted Trump's own connections to the Russian government. Putin has publicly praised the nominee, who said he was "honored" by the compliment. Trump's campaign manager, Paul Manafort, was a consultant for Viktor Yanukovych, the former president of Ukraine who was ousted for his pro-Moscow orientation (and now lives in Russia). One of Trump's top national security advisers, retired Army Gen. Michael Flynn, sat with Putin at a dinner celebrating the 10th anniversary of Kremlin-backed media network RT and was paid to give a speech at the event; Flynn later retweeted an anti-Semitic message that called into question any Kremlin-Trump link. Another Trump adviser, Carter Page, recently denounced America's "often-hypocritical focus on democratization" while in Moscow. And last week, Trump said that he might not come to the aid of U.S. NATO allies in the face of Russian aggression unless they paid what he thinks they owe for Europe's common defense.
Officials also thought it was telling that the emails were given to WikiLeaks, which is perceived as being hostile to the U.S. government. "This wasn't surprising to us," said one U.S. official familiar with the investigation.
An FBI spokesperson said in a statement Monday that the bureau was investigating the breach but declined to comment on whether political motivation was part of the inquiry. "A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace," the spokesperson said.
"I'm sure they will consider potential motives," White House Spokesperson Josh Earnest told reporters on Monday.
Two U.S. officials told The Daily Beast that while hacking is a crime, and therefore falls under the FBI's jurisdiction, trying to manipulate an election is not. That may limit what the FBI can investigate, the officials said.
"Manipulation is not a crime. Some would argue that Voice of America or Fox News try to manipulate elections," one retired FBI agent told The Daily Beast.
That doesn't mean the FBI has to remain silent if it finds evidence of Russia's meddling. Should the bureau release a statement after an investigation tying the Russians to the hack and subsequent release to WikiLeaks, that would essentially be a public indictment, the officials said.
It also may be possible for the FBI to investigate the question of intent, including whether the email leak is an instance of an unregistered foreign agent illegally trying to influence the U.S. political system, another U.S. official said. But it's easier for the FBI to investigate the breach and theft of information itself, which are clearly prohibited under U.S. law, the official added.
The FBI first notified the DNC in April that it had been breached, said two individuals who are familiar with the matter. U.S. law enforcement and intelligence officials had been aware of two Russian hacker groups that have been linked to the intrusion and are also believed to have compromised networks in U.S. government agencies, including the Defense Department, the State Department, and the White House, as well as U.S. companies and universities.
The DNC hired a computer security firm, CrowdStrike, to investigate the breach. It has publicly attributed the operation to two known hacker groups connected to the Russian government that it dubs Cozy Bear and Fancy Bear.
The two groups, which compete with one another, got into the DNC networks last summer and this April, respectively, CrowdStrike told The Washington Post, which first reported the breaches last month.
Another cybersecurity firm, ThreatConnect, independently assessed the breach and concluded that the DNC operation was consistent with the hackers' previous efforts to gather information on U.S. officials and operations.
The theft of information, which at the time reportedly consisted of opposition research and the DNC's files on Trump, seemed to be part of a longer campaign of spying by the Russians in order to glean insights into the next president. Director of National Intelligence James Clapper also said in May that there were indications both presidential campaigns had been targeted by foreign hackers.
But the provision of the DNC emails to WikiLeaks added a new dimension to the intrusion. (The group has pushed back against the idea that Russia supplied the emails.)
"If there is a concerted effort to undermine the campaign of the Democratic Party nominee, we can and should expect additional embarrassing emails to be released by WikiLeaks, including from candidate Hillary Clinton's personal server," Shedd, the former Defense Intelligence Agency chief, said.
The top Democrat on the House Intelligence Committee said lawmakers had been briefed on the intrusion and "will continue to seek further information from the [intelligence community] as to the origin of any attack and a potential connection to Russia or another state sponsor."
"If the hack is linked to Russian actors, it would not be the first time cyber intrusions linked to the Kremlin and its supporters have sought to influence the political process in other countries," Rep. Adam Schiff said in a statement. "Given Donald Trump's well known admiration for Putin and his belittling of NATO, the Russians have both the means and the motive to engage in a hack of the DNC and the dump of its emails prior to the Democratic Convention. That foreign actors may be trying to influence our election—let alone a powerful adversary like Russia—should concern all Americans of any party."
Within the email dump itself, there were further indications of foreign meddling in the campaign.
On May 4, DNC opposition researcher Alexandra Chalupa told a colleague that ever since she began collecting information on Trump campaign director Paul Manafort, she had been receiving daily security warnings from Yahoo that her personal account may have "been the target of state-sponsored actors." Such notifications are routine when an internet or email provider suspects that a user may have been hacked or is likely to be hacked.
Chalupa told DNC Communications Director Luis Miranda in an email that she continued to get the warnings from Yahoo "despite changing my password often."
A few days prior to that message, a DNC staffer notified colleagues that the committee's rapid-response blog, Factivists, had been "compromised."
"We have been compromised! But it's all ok," Rachel Palermo said in a brief message to an unspecified number of recipients. Palermo said that to "prevent future issues," the password to the blog would be changed "every few weeks." She also included a new password in the email, which the intruders may well have seen.
And in mid-May, two DNC staffers communicating about a donor said that her email account had been hacked and was no longer working. The donor was identified only as Agnes. Agnes Gund is a prominent philanthropist and Democratic donor. DNC officials told The Washington Post that their donor files weren't accessed. It's not clear if the donor's email was hacked by the same Russian groups.
Attributing the source of a breach to a specific actor is difficult, but CrowdStrike, which has close ties to the FBI and U.S. intelligence community, provided some details on its findings in a recent blog post. The company based its attributions on characteristic tools and techniques that it has attributed to the hacker group in previous intrusions.
Cozy Bear prefers "a broadly targeted spearphish campaign," or using emails that appear to come from a trusted sender but that actually include web links that will insert malicious software code onto a victim's machine, CrowdStrike reported. The code uses sophisticated tools to remotely access the computer, as well as encryption to cover their tracks, both of which indicate "a well-resourced adversary."
Fancy Bear likewise has developed a suite of hacking tools and techniques and has been linked to intrusions on U.S. government systems, CrowdStrike said. The group tends to favor establishing websites "that spoof the look and feel of the victim's web-based email services in order to steal their credentials."
It's not clear precisely how the groups penetrated the DNC's networks. But CrowdStrike said its analysts "immediately" recognized the hackers' signatures. Separately, another computer security firm, ThreatConnect, has corroborated the findings and also found that a hacker group going by the moniker Guccifer2, which claims to have provided the emails to WikiLeaks, is likely a Russian-government operation.
Any FBI investigation likely would not be released until after the election, and any could be read as sending a political message. Should Trump win, for example, and the FBI announces it found a Russian connection to the hack, some might argue that the FBI is trying to taint Trump's victory. That would also come on the heels of the FBI's decision to not charge Clinton with having classified email on her private email server, a decision that outraged many Republicans.
A public finding that the Russians interfered would also exacerbate already tense negotiations between the U.S. and Russia over an agreement to share intelligence and better coordinate strikes in Syria. The increased cooperation has divided much of the U.S. government, some of whom do not see the Russians as trustworthy.