A joint analysis report released today by the Department of Homeland Security, NCCIC, and the FBI analyzes evidence that Russia played a role in election hacking this past year. The JAR report, titled “GRIZZLY STEPPE – Russian Malicious Cyber Activity,” describes tools generally used by Russian civilian and military intelligence services to exploit networks. Interestingly, this report mentions a couple of times that only one political party was infiltrated. Previous reports had indicated that both the DNC and RNC were hacked, but Russia only released information related to the DNC. What does this discrepancy mean? (Note: Mentions of “hacking of the election” often seen in media reports refer to the possibility that Russia hacked the DNC and private emails and released information. It does not in any way indicate any hacking of the election itself or the votes. There are no claims that Russia actually hacked the election.)
Here’s what you need to know.
The Joint Analysis Report Released Dec. 29 Only Mentions One Political Party Was Hacked
A 13-page JAR report (which you can read in full here) details an “ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens.” The report says the operations include spearphishing campaigns. But the report then goes on to describe only one party as having been infiltrated.
On page 2 of the report:
“The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.”
APT29 created spearphishing campaigns leveraging web links that delivered a remote access tool that could evade detection. APT28, the report said, leveraged domains that mimicked targeted organizations to trick victims into entering legitimate credentials (likely usernames and passwords, for example).
On Pages 2 and 3, the report reads:
“In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. … In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware.”
The person who activated a malware link was likely John Podesta. As CBS reported in late October, Podesta received an email in March informing him that someone had his password and had tried to sign into his account from Ukraine. His help desk erroneously said the email was legitimate. They gave Podesta a Gmail link to change his password, but Podesta or someone else instead used the shortened weblink in the fake email.
On Page 3 the report continues:
“In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure.”
The report goes on to indicate that the actors have continued their spearphishing campaigns, even after the election.
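The two lures the report describes (APT28’s fake webmail domain that harvests passwords, and the shortened link in the Podesta email that hid its real destination) share a property a defender can check for mechanically: the link’s domain is not the one the user thinks it is. The following is an added example, not code from the report, the article, or any agency; the trusted domains, the shortener list, and the sample email are all constructed. It extracts every link from an email body and flags hosts that embed a trusted brand as a subdomain label, hosts a character or two away from a trusted domain, and known URL shorteners.

```python
"""Flag credential-phishing lures of the kind the JAR describes: links whose
domain mimics a legitimate webmail host, plus shortened links that hide
their destination. Hypothetical example code; all domains below are constructed."""
import re
from urllib.parse import urlparse

# Constructed: hosts this organization's users are legitimately asked to log in to.
TRUSTED_DOMAINS = ("mail.example-party.org", "accounts.google.com")
# Constructed list of common URL shorteners (the lure hides its destination behind one).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two substitutions is the usual typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: a production checker would consult the
    Public Suffix List so that names like 'example.co.uk' are handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is trusted, suspicious or unknown."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown", "no hostname"
    if host in TRUSTED_DOMAINS:
        return "trusted", ""
    if host in SHORTENER_DOMAINS:
        return "suspicious", "url shortener hides destination"
    hr = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        tr = registrable_domain(trusted)
        if hr == tr:
            # Same registrable domain as a trusted host; assumed to be the org's own.
            return "trusted", ""
        # e.g. accounts.google.com.security-check-login.net: brand as a subdomain label.
        if trusted in host or tr in host:
            return "suspicious", f"embeds trusted name {trusted}"
        # e.g. examp1e-party.org: a character or two away from the real domain.
        if levenshtein(hr, tr) <= 2:
            return "suspicious", f"lookalike of {tr}"
    return "unknown", ""


def scan_email(body: str) -> list[tuple[str, str, str]]:
    """Extract every http(s) link in an email body and classify it."""
    results = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        verdict, reason = classify_url(url)
        results.append((url, verdict, reason))
    return results


# Constructed sample lure modelled on the password-reset pretext described above.
SAMPLE_EMAIL = """Someone just used your password to try to sign in to your account from Ukraine.
Change your password immediately: https://accounts.google.com.security-check-login.net/reset
Or use this link: https://bit.ly/1AbCdEf
Official help desk guidance: https://accounts.google.com/security
Party webmail: https://mail.examp1e-party.org/owa
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}  {reason}")
```

The check is deliberately conservative: an exact trusted host, or any host sharing a trusted registrable domain, is passed, and everything else that is not a shortener or a lookalike is reported as unknown rather than suspicious, so the output is a triage list for a help desk, not a block decision. Anything flagged suspicious is exactly the case where the user should be sent a password-change link by the help desk itself rather than clicking the one in the message.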
What’s interesting about this report is that it indicates only one political party was infiltrated. APT29 and APT28 infiltrated the same party, according to the joint report released on December 29. The report never indicates which party was hacked, but statements from President Obama and other officials have clearly indicated that to be the Democratic party.
Intelligence Sources Said Before that Russia Accessed RNC Too, But Didn’t Release Information In Order to Help Trump
The report seems to go against reports leaked earlier in December that got many American officials and voters up in arms. Back then, American intelligence sources said they had high confidence that Russia had not only hacked emails and servers, but had also acted specifically to harm Hillary Clinton’s campaign and help Donald Trump’s. One big linchpin in this conclusion was that Russia had hacked the RNC’s computers too. As The New York Times reported on December 9: “They (intelligence officials) based that conclusion, in part, on another finding — which they say was also reached with high confidence — that the Russians hacked the Republican National Committee’s computer systems in addition to their attacks on Democratic organizations, but did not release whatever information they gleaned from the Republican networks.”
Republicans, meanwhile, insisted that their networks had not been compromised, only those of a few individual Republicans.
Interestingly, the Joint Analysis Report released on Dec. 29 only talks about one political party being infiltrated, as detailed in the section above. This means it is possible that only DNC information was released because only those accounts fell for the phishing schemes, not because Russia was hiding RNC information to help Trump. However, this is just one theory that some people are positing, as intelligence officials have not yet made any statements about why the JAR only mentions one political party being infiltrated.
Meanwhile, WikiLeaks is still insisting that its leaked documents did not come from Russia. This has been said multiple times, including in a mid-December interview between Julian Assange and Sean Hannity on Hannity’s radio program. Assange said the Russian government was not their source for the Podesta emails or anything related to the DNC. Assange did say, however, that they received three pages of information about the RNC and Trump, but that it was information that was already public.
WikiLeaks’ Twitter account also pointed out today that the JAR report itself did not mention WikiLeaks, which was the main source of hacked emails released during the presidential campaign: