Analysis
Between 2015 and 2016, the Russian Foreign Intelligence Service (SVR) and the Russian military intelligence service (GRU) breached the Democratic National Committee (DNC) and subsequently conducted a disinformation campaign in the months directly before the U.S. presidential election. The DNC publicly announced the breach on June 14, 2016. Only one day later, a persona calling itself Guccifer 2.0 leaked the first batch of data through a WordPress blog. The second batch of breached data was released 37 days later through WikiLeaks, just 3 days before the Democratic National Convention. This operation had a significant impact on the information landscape surrounding the election and undermined the Democratic Party and its candidate, Hillary Clinton, who was running against the Republican candidate Donald Trump.
All roads lead to Russia.
The operation targeted not just the DNC and the Democratic Congressional Campaign Committee (DCCC), but also related organizations and individuals on Clinton's campaign staff, demonstrating a comprehensive approach to targeting. As a result, approximately 300 gigabytes of data from cloud-based accounts, 2,000 confidential files, and nearly 20,000 emails were publicly leaked and published. By comparison, although attempts were made, no evidence was found that the Republican National Committee or the Trump campaign was successfully hacked or targeted to the same extent as the DNC during the same timeframe (Abrams 2019).
After the DNC acknowledged the hack, Guccifer 2.0 claimed responsibility (Nakashima 2016). In an interview on June 21, 2016, Guccifer 2.0 declared himself Romanian, the nationality of Marcel Lazar Lehel, the hacker who originally used the "Guccifer" pseudonym (Franceschi-Bicchierai 2016). The original Guccifer had been arrested in Romania in January 2014 and extradited to the U.S. in March 2016; he was therefore in custody and could not have conducted the hack. In addition, the DNC operation showed advanced tactics, techniques, and procedures (TTPs) that the original Guccifer was apparently not capable of. The true actors behind the operation used this fabricated persona as an homage to the original Guccifer and, most importantly, as a channel to disseminate the stolen information. Using the persona as a front offered the real actors a degree of deniability. It is therefore important to differentiate between Guccifer and Guccifer 2.0.
Nevertheless, this fictitious persona did not shield the real actors from attribution. After multiple independent investigations, private and public sector experts attributed the operation, with a high level of confidence, to Russian actors. This attribution was corroborated by Special Counsel Robert S. Mueller, the Office of the Director of National Intelligence, and the U.S. Senate Select Committee on Intelligence, all of which rejected Guccifer 2.0's claims. Furthermore, investigators were able to attribute the operation to Fancy Bear (APT28), connected to the GRU, and Cozy Bear (APT29), connected to the SVR (MITRE 2017a, b). The high degree of confidence in this attribution rested on multiple findings, including the following:
- In an interview, Guccifer 2.0 claimed not to know Russian, but did not appear to know Romanian either. When pressed to answer questions in Romanian, he used poor grammar and terminology that led experts to believe he was using an online translator (Franceschi-Bicchierai 2016).
- IP addresses extracted from messages sent by Guccifer 2.0 to journalists showed a link to the Russian cyber underground, even though many of the conversations were routed through a French VPN firm. Furthermore, Guccifer 2.0, on at least one occasion, failed to use a VPN, and, as a result, he left a real Moscow-based IP address in the logs of an American social media company (ThreatConnect 2016).
- The operation demonstrated deliberate strategic timing. Leaked information was cherry-picked and released largely in the final weeks of the election campaign, demonstrating, at least to some extent, an intent to damage the DNC's image.
The primary intent behind the leak appears to have been to influence public opinion and the outcome of the 2016 U.S. presidential election. The Russian Internet Research Agency played a significant role in this by disseminating the leaks on social media, adding more fuel to an already heated public discord (Bump 2018). However, the operation also served to gather intelligence and to sow distrust in the American political system (Biddle 2016).
While it is difficult to doubt the involvement of Russian actors in this operation, the Russian Ministry of Foreign Affairs, as expected, denied any participation by the Russian government. No other official or unofficial claims of responsibility could be found aside from those of Guccifer 2.0, which are unsubstantiated. In April 2017, CIA Director Mike Pompeo sought to establish a link between the GRU and WikiLeaks, which had been used to publish the breached DNC documents (Watson 2017). Julian Assange, the founder of WikiLeaks, denied any political affiliation with Russia and did not reveal the source of the leak (Ye Hee Lee 2017). In addition, in August 2020, Russian Foreign Ministry spokeswoman Maria Zakharova denied all allegations made in the Senate Select Committee on Intelligence report regarding the alleged interference in the election (Zakharova 2022). Zakharova claimed that the investigation simply repeated baseless insinuations and that the narrative of Russian interference had been invented purely as part of a political fight within the U.S. This raises the question of whether Fancy Bear and Cozy Bear were directed to carry out the operation or acted on their own (The New York Times 2016). Either way, Russia would seem to have benefited more from a Trump victory than from a Clinton one, as Clinton was generally harsher in her rhetoric and stance towards Russia (Kiley 2017).
Conclusion
In conclusion, the GRU's operation ultimately highlighted significant vulnerabilities in democratic processes that increasingly rely on technology. The GRU demonstrated how sophisticated intrusions combined with strategically timed information leaks can influence public opinion. Despite compelling evidence, the complexities of attributing state-sponsored cyber activities remain a challenge for intelligence officers. Ultimately, the operation serves as a reminder of the ongoing risks that cyber operations pose to electoral integrity, and it underscores the need for enhanced cybersecurity measures within political organizations, especially in the run-up to elections.