CHAPTER 16 The Red Web Comes to the United States
Despite the gloomy and depressing mood that swept the country after the Russian government defeated the Moscow protests and the patriotic hysteria generated by its annexation of Crimea, uncensored debates and unrestricted exchange of opinions still remain possible on the Russian Internet. The Kremlin certainly didn’t emerge a winner from its first serious collision with the global network.
Since then we have seen two major developments. Inside Russia the Kremlin, worried about the disastrous consequences of its efforts to control the Internet, turned to China for guidance and technical support. The ramifications of this turn could be very serious. Outside Russia most Kremlin offensives now include an aggressive cyber component, such as the hacking operation in the United States in 2016, which produced surprisingly successful results. Whether it affected the outcome of the presidential election is questionable, but it certainly propelled Russia right into the heart of the election process and made Putin look like the third player—perhaps even the kingmaker—in the most powerful country of the world.
So how did the Kremlin, once so fearful of the power of the Internet and understanding so little about the nature of the global network, find a way to use it in the United States, the birthplace of the Internet and still its innovative powerhouse? The first stage of the story required Russia to align its interests with a onetime online antagonist. So began the uncomfortable liaison between the Kremlin and WikiLeaks.
In January 2016 thirty-five-year-old Mika Velikovsky, a shrewd, jovial reporter with a habit of wearing an Indiana Jones hat everywhere he went, was invited to join an international team of investigative journalists.
Velikovsky was thrilled. He had been in and out of work for several years, ever since the Kremlin began its purge of the media following the Moscow protests in 2011–2012. In media circles this purge was referred to as a “f—ing chain of events,” an expression coined by its first victim, the editor of the liberal journal Bolshoi Gorod (The Big City), who was fired because his publication had been supportive of the protests. Four years later the Moscow media landscape was distinctly depressing, rife with stories about bad editors and which team of journalists had just been fired.
Velikovsky accepted the job right away. After all, he had plenty of experience working on investigations involving international partners. In the late 2000s he worked for Russky Reporter (Russian Reporter), WikiLeaks’ media partner in Moscow. In 2010 Velikovsky traveled to Sweden and spent a few days conferring with WikiLeaks founder Julian Assange. After that, he became Russian Reporter’s contact for interacting with Assange’s team, working on US State Department diplomatic cables and the leaked emails from the private security company Stratfor. Velikovsky valued his connection with WikiLeaks and took pains to maintain it after the joint project ended, speaking occasionally on Skype with Assange and Sarah Harrison, head of WikiLeaks’ investigative team. (It was not easy: Assange had a habit of cutting partners off completely once a project was done.) The effort was fruitful: when Velikovsky visited Assange in London the Russian journalist agreed to work on a film based on the WikiLeaks cables. He spent four months traveling across Central Asia for a documentary that was to show how the region’s authoritarian regimes reacted to the WikiLeaks exposés. When Edward Snowden flew to Moscow, Velikovsky tried to use his contacts at WikiLeaks to get in touch with the American. He even met with the WikiLeaks people in Moscow, but the only result of this effort was surveillance by the Russian security services. The surveillance was so easy to spot—the same men followed Velikovsky on foot and in a car—that it was clearly intended to be a warning. The state seemed to be telling him to mind his own business.
In 2016 Velikovsky was invited to join a large-scale investigation being conducted by the Organized Crime and Corruption Reporting Project (OCCRP), which consists of reporters based all over Europe and the former Soviet Union, from Azerbaijan to Romania to Ukraine to Russia. The project had gotten their hands on an extensive trove of documents detailing offshore Panamanian companies that government officials and oligarchs all over the world—Russians included—used for illegal purposes, including fraud, tax evasion, and evading international sanctions. When the journalists’ findings were eventually published, the “Panama Papers” made headlines all over the world.
Before that, though, the international team spent months digging into the documents and connecting the dots. Each national team was given data on their compatriots. Using this data, each group tried to zero in on the financial activities of their country’s high-placed government officials and their personal friends. The Russian team consisted of reporters from Novaya Gazeta, one of the most respected independent outlets still operating in Russia. The publication exists under constant government pressure, and its journalists risk their lives for their work: contract killers assassinated Anna Politkovskaya, a critic of the war in Chechnya, in October 2006. Now Velikovsky joined the team.
The OCCRP broke its first story on April 3, 2016. Velikovsky was proud to be part of it, especially as it turned out that his team unearthed the biggest news contained in the Panama Papers. The Russian journalists identified multi-million-dollar accounts owned by Sergei Roldugin, a personal friend of President Putin. Roldugin was a cellist, and although he had some business dealings, including oil and the media, he was no oligarch. And yet it appeared he had been put in charge of Putin’s private money.
These findings quickly developed into a major news story when Putin’s spokesperson, Dmitry Peskov, commented on them. This was highly unusual: Russian officials generally do not comment on sensitive stories in order to prevent them from gaining traction. To the team of Russian journalists, this looked like an endorsement of their findings.
But then Velikovsky was confronted with something totally unexpected. WikiLeaks launched a vicious attack on the OCCRP report on Twitter. On April 5 WikiLeaks posted:
#PanamaPapers Putin attack was produced by OCCRP which targets Russia & former USSR and was funded by USAID & Soros.
In another tweet they developed the accusation:
US govt funded #PanamaPapers attack story on Putin via USAID. Some good journalists but no model for integrity.
The tweet implied that the journalists had been used, either as paid agents or as dupes of the US government. USAID and George Soros are conspiracy theorists’ totems. For years the Kremlin has seen the United States Agency for International Development, USAID, as a CIA front that is plotting to undermine the Russian political regime. Meanwhile George Soros, along with his foundation, Open Society, have been accused of sponsoring “color revolutions” in Russia’s neighboring countries. Russia expelled USAID in September 2012 and listed Soros’s Open Society Foundation as an “undesirable organization” in November 2015 after the General Prosecutor’s Office said it threatened Russia’s constitutional order and security.
Mika Velikovsky was outraged. His friends at WikiLeaks—people he worked alongside for years—had turned against him. It was personal, and it was unfair. In Velikovsky’s eyes Assange betrayed the very principles he had explained to him during their conversations: “Assange told me many times that it’s not important what the leaker’s motivations are or who he works for. The only important thing is the authenticity of the documents. If you have doubts, you can start thinking about why and where and how. But if you don’t have any doubts [about the documents’ authenticity], then it doesn’t matter who leaked…. That’s why it was so disgusting to see this coming from WikiLeaks!”
Days went by, and the Roldugin story didn’t die. Instead, with each passing day it gained more media coverage all over the world. On April 7 Vladimir Putin attended a media forum in St. Petersburg where he personally commented on the Panama Papers. He immediately attacked journalists: “What did they do? They manufactured an information product. They found some of my friends and acquaintances—I will talk about that shortly—and they fiddled around and knocked something together. I saw these pictures. There are many, many people in the background—it is impossible to understand who they are, and there is a close-up photo of your humble servant in the foreground. Now, this is being spread!”
He was clearly personally affronted. Putin could barely hold himself together: “There is a certain friend of the Russian president, and they say he has done something, so probably something corruption-related. What exactly? There is no corruption involved at all!”
And then Putin did something unexpected: he tried to debunk the findings by citing WikiLeaks’ claim that the whole thing was an American conspiracy: “Besides, we now know from WikiLeaks that officials and state agencies in the United States are behind all this!”
The next day we were both at the Journalism Festival in Perugia. Sarah Harrison, the head of WikiLeaks’ investigative team who had spent forty days alongside Snowden in Moscow’s airport in 2013, was there too. She was giving a talk about WikiLeaks and Snowden.
During the question-and-answer session Andrei asked Harrison about WikiLeaks’ response to the Panama Papers. Andrei also pointed out that, to Russian journalists, WikiLeaks’ conspiracy claim sounded strange: after all, the journalists who took part in the Panama Papers investigation worked for Novaya Gazeta, a newspaper whose commitment to exposing corruption has led to the high-profile murders of several of its journalists. Yet just the day before, Andrei continued, Putin had quoted the WikiLeaks tweet about US funding to publicly call into question the Panama Papers investigation’s findings.
Referring to “bias” and “spin,” Harrison immediately deflected responsibility: “Please, do not make me responsible for what Putin says! What Putin says and does has nothing to do with me!”
Then she went on the offensive. The fact that a Russian story was the first to make headlines was, in her eyes, enough to justify WikiLeaks’ attack. “It is very clear, from the reporting that came out, that it’s being used as basically an attack on Putin,” she said. Then, echoing the longstanding Kremlin line, she added, “And the funding of this organization as a whole does come from the USAID!”
Her response shocked us: we have known both the OCCRP project and its leader, the Sarajevo-based veteran journalist Drew Sullivan, since 2008. Sullivan was well respected in investigative journalism circles; for years he and his reporters have been exposing corruption in regions not particularly safe for journalists. Sullivan is also known for his integrity—just a year earlier, in the summer of 2015, he stated that his organization would stay away from a $500,000 US government grant to combat Russian propaganda: “The problem starts with the grant title, ‘Investigative Journalism Training to Counter Russian Messaging in the Baltics.’” He continued, “The title implies the grant seeks journalists to actively counter a Russian message which, at best, is not a mission for journalism and, at worst, is propaganda itself.”
We were dismayed to hear WikiLeaks using the same line of argument as the Kremlin. We felt that this kind of logic was not compatible with the ideals of the free flow of information we believe in and that WikiLeaks itself had, in the past, professed. WikiLeaks appeared to take the Kremlin’s side, and we didn’t understand why.
The very same day, April 8, Putin summoned an urgent meeting of his Security Council in the Kremlin. These meetings are held in high secrecy—even official photographers are rarely admitted. This time the long, marble-covered hall on the second floor of the domed Kremlin Senate building was almost empty—at the grand table only eight of the twenty-one seats were occupied. Of these eight people, six were former KGB officers: Putin himself; his chief of staff Sergei Ivanov; Sergei Naryshkin, the speaker of the Duma; Nikolai Patrushev, the secretary of the Security Council; Alexander Bortnikov, the FSB director; and Mikhail Fradkov, chief of the Foreign Intelligence Service, the SVR. Neither the minister of defense nor the chief of military intelligence was present. The transcript of the meeting was never made public. The relatively small number of participants and their known backgrounds lead us to think it was about a very sensitive matter, such as the need for a retaliatory response to the Panama Papers exposés.
In the United States the presidential campaign was in full swing, and the Kremlin was watching as Hillary Clinton seemed headed toward an almost-certain victory. Putin had strong feelings about her: he believed she had been a driving force behind the Moscow protests. He also believed that she and her people at the US State Department were behind most of the Western anti-Russian moves—from the US sanctions, to the activities of the Russian opposition, to journalistic investigations exposing corruption in Russia. Putin’s circle was certain that the Obama administration was working to get Clinton elected. In their conspiratorial eyes this meant that the result of the US elections had already been decided.
A week passed, and on April 14 Putin held his annual television phone-in show. The Direct Line is broadcast live by Russian television channels and major radio stations. At this show Putin again brought up the Panama Papers and felt the need to further defend his friend Roldugin. He also renewed his accusations against the United States: “Who is engaged in these provocations? We know that there are employees of official US agencies.”
Next he said something very strange: “An article was written—I asked [my] press secretary Peskov where it first appeared—in the Süddeutsche Zeitung. The Süddeutsche Zeitung is part of a media holding that belongs to the US financial corporation Goldman Sachs. In other words, the ears of masterminds are sticking out everywhere [a Russian expression, meaning their fingerprints are all over it]!”
It was a baffling connection, and it was wrong. Why on earth had the Russian president mentioned Goldman Sachs? Goldman Sachs does not own the German Süddeutsche Zeitung—and the respected newspaper immediately issued a statement to that effect. The next day the Kremlin responded with a rare apology: “It is more the error of those who prepared the briefing documents [than Putin’s], it’s my error,” Kremlin spokesperson Dmitry Peskov told reporters.
So why bring up Goldman Sachs at all?
By mid-April, including when Putin made his strange remark, a hacking group—later identified as APT29, or Cozy Bear—had for months been inside the Democratic National Committee’s (DNC) computer system. In March a second team, known as APT28, or Fancy Bear, had joined in and launched its own attack on the DNC. On March 19 Fancy Bear hackers had made a breakthrough: the Clinton campaign chairman, John Podesta, was lured into re-entering his Gmail password on a specially designed phishing web page, and the hackers began pumping his emails out of the account.
In the fall of the election year of 2016 one of the biggest news stories that came out of the hacking operation was the publication of the transcripts of three paid speeches Hillary Clinton had given at Goldman Sachs. In these speeches she was embarrassingly uncritical of Wall Street as she discussed the causes of and responses to the 2008 financial crisis. The hackers stole these transcripts from John Podesta’s email account in the spring—right around the time of Putin’s comments about the cellist Roldugin and his false statement about Süddeutsche Zeitung’s connection to Goldman Sachs. WikiLeaks published the documents in October 2016. But in mid-April, when Putin gave his press conference, nobody except the hackers and those who had directed them knew that the hackers possessed Hillary Clinton’s Goldman Sachs transcripts.
If someone had briefed Vladimir Putin about the hackers’ Podesta findings, he may have been encouraged to believe in a conspiracy theory whereby Clinton had prompted a Goldman Sachs connection to publish the Panama Papers. It’s difficult to see how the bank got into his head otherwise.
Four days later, on April 19, the domain DCleaks.com was registered.
In the summer DCleaks.com would become one of the two websites used for publishing emails from hacked accounts of American officials. Another would be WikiLeaks.
On June 14 Ellen Nakashima, the national security reporter at the Washington Post, broke a story: Russian government hackers had penetrated the network of the US Democratic National Committee. Ellen had been briefed by DNC officials and Shawn Henry, a former head of the FBI’s cyber division, now president of CrowdStrike, the private information security company hired to handle the DNC breach. Nakashima’s story was met with furious denials from the Kremlin: “I completely rule out a possibility that the [Russian] government or the government bodies were involved in this,” said Putin’s spokesperson, Dmitry Peskov.
The next day CrowdStrike published the report along with technical details of the hacking attack. The author of the report was Dmitri Alperovitch, cofounder and chief technology officer of CrowdStrike. Alperovitch, a blonde, solidly built thirty-six-year-old cyber expert, left Russia in 1994 and had never since set foot back in his native land. (“My Moscow is long gone,” he told Andrei.) In the 2000s Alperovitch became a prominent American cyber expert, having made his reputation investigating Chinese hackers’ operations in the United States. In his report on the DNC hacking Alperovitch made a bold claim about the hackers’ identity and their sponsors: the activity of Fancy Bear “may indicate affiliation with Glavnoye Razvedivatelnoye Upravlenie (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.” He was not so certain about the second team, Cozy Bear, but most experts, including Alperovitch, were inclined to think Cozy Bear was the work of the FSB.
This posed a serious problem for the US government. The Kremlin had been outsourcing its hacking activities, making attribution difficult—which was no accident. The Kremlin had used outsourced groups elsewhere to create plausible deniability and lower the costs and risks of controversial overseas operations. For example, for years Moscow denied its military presence in the east of Ukraine, insisting it was the work of local guerrillas.
The Kremlin’s tactics were the opposite of China’s, where the regime directly oversees cyber attacks and it is possible to identify the chain of command. In Russia all kinds of informal actors—from patriotic hackers, to Kremlin-funded youth movement activists, to employees of cybersecurity companies forced into cooperation by government officials—have been involved in operations targeting the Kremlin’s enemies both within the country and in former Soviet states.
This heterogeneous group had developed an impressively efficient set of tactics. In general there were three common features. The first was the use of rank-and-file hacktivists not directly connected to the state in order to help the Kremlin maintain plausible deniability. The second was guidance and protection from criminal prosecution, provided by the president’s administration alongside the secret services. Finally, hacked information was published as kompromat (i.e., compromising materials) online as a way of smearing an opponent.
The Russian government used this approach regularly against their opposition and activists. For instance, in the summer of 2012 hackers penetrated a Gmail account belonging to Alexei Navalny, one of the leaders of the Moscow protests, and then a blogger who went by the nickname Hacker Hell published Navalny’s emails. Hacker Hell was not part of any government organization, and the Kremlin insisted it had nothing to do with hacking. (When the Kremlin disowned Hacker Hell, however, it did not help him. In 2015 a German court identified Sergei Maksimov, a Russian national who had been a German resident since 1997, as Hacker Hell and found him guilty of hacking Navalny’s account. The German court gave him seventeen months’ probation.)
In March 2014 Ukraine found itself in the crosshairs. The hacktivist group CyberBerkut—which consisted of supporters of the country’s former president Viktor Yanukovych, who had fled to Russia the previous month—claimed to have hacked the email accounts of Ukrainian NGOs. A trove of emails was published on the website of CyberBerkut. These emails purported to prove that the targeted NGOs were not only in touch with the US Embassy but also received funding from American foundations. CyberBerkut’s goal was obvious: portray the Ukrainian NGO activists as thoroughly corrupt, American puppets engaged in betraying their country. In January 2015 the same group of hackers attacked German government websites, including Chancellor Angela Merkel’s page, demanding that Berlin end support for the Ukrainian government.
In April 2015 hackers also worked their way into the French television network TV5Monde. Pretending to be ISIS, the hackers breached the system and overrode the broadcast programming of the company’s eleven channels for over three hours. The French government’s cyber agency ANSSI (Agence nationale de la sécurité des systèmes d’information) attributed the attack to Russian hackers, a group later known as Fancy Bear.
In 2016 it was the United States’ turn to come under attack. Putin’s spokesperson’s first reaction to the DNC hacking—in which Peskov emphasized the fact that no Russian government, and no Russian government bodies were involved—seemed to suggest that the Kremlin was recycling tactics that had worked against Russian dissidents, Ukrainian activists, and French television. There was even an obscure hacker to blame: the day Alperovitch published his report, a hacker who styled himself as Guccifer 2.0 announced on his blog that he had hacked the DNC. As proof, Guccifer provided eleven documents from the DNC.
The Kremlin’s denial tactics had worked relatively well in the past mostly because the governments of countries that had been attacked were hesitant or unable to pursue the accusation as far as the Kremlin. But in the spring of 2016 this changed. In May our contacts in Western cyber circles told us that the cyber expert community had just reached a new consensus: currently available technical evidence was advanced enough both to trace and attribute cyber attacks.
If an attack could be attributed to a hacking group with a known history of attacking similar targets and this group’s attacks consistently worked to benefit one particular country, this constituted enough evidence to determine that the attacks were backed and directed by the state of that beneficiary country.
The attack on the DNC was the first offensive investigated with this new approach in mind. Both CrowdStrike’s Alperovitch and the US intelligence community concluded that all evidence pointed to a Russian government–backed attack. In fact, Alperovitch was certain he had caught identifiable Russian military intelligence operatives red-handed, right in the middle of executing the DNC operation. “Andrei, all of them are in uniform!” he exclaimed to Soldatov during a meeting in Washington. The US intelligence community shared Alperovitch’s convictions.
Although Alperovitch and his team expelled the hackers from the DNC computer system, that didn’t stop the hackers’ operation. They simply moved to the next stage: publishing kompromat.
On July 1 DCLeaks.com released a series of private emails written by the former NATO commander in Europe, four-star general Philip Breedlove. This leak was meant to show the Obama administration’s weakness toward Russia, using emails that allegedly showed Breedlove trying to overcome Obama’s reluctance to escalate military tensions with Russia in response to the conflict in Ukraine.
On July 22 WikiLeaks published a massive collection of internal DNC emails. It was a large haul, with 19,252 emails and 8,034 attachments from the inboxes of seven key staffers of the DNC, including communications director Luis Miranda and national finance director Jordan Kaplan. The same day Guccifer 2.0 claimed on Twitter that he had leaked the DNC emails to WikiLeaks.
In mid-August DCLeaks.com released personal information—including mobile phone numbers—belonging to more than two hundred Democratic Party lawmakers.
The data hemorrhage seemed unstoppable.
The US government had to respond and respond swiftly, and it had a playbook ready. This set of rules was called cyber CBMs, or “confidence building measures.” The author of the cyber CBMs concept was Michele Markoff, a seasoned American diplomat who had spent half her career in strategic nuclear arms control negotiations. In 1998 she went into cyber and became a key figure at the Office of Cyber Affairs in the State Department. The career of her Russian counterpart, Andrey Krutskikh, had followed a similar trajectory—from nuclear arms control to cyber. In the 2010s Markoff and Krutskikh represented their respective countries at most of the talks between Russia and the United States on cyber space.
Markoff believed that the Internet needed a set of measures similar to the ones established to prevent a nuclear war. These controls, she thought, could prevent a cyber conflict from escalating. She found a good listener in Krutskikh. In June 2013 she secured the US-Russia bilateral agreement on confidence building in cyber space.
As part of the agreement the White House and the Kremlin established the Direct Communications Line. Essentially a secure communication line, it ran between the US Cybersecurity coordinator and a deputy head of the Russian Security Council and could be used “should there be a need to directly manage a crisis situation arising from an ICT [information and communications technology] security incident.” It was the digital era’s equivalent of the mythical Cold War red telephone, the hotline that connected the presidents of the Soviet Union and the United States in emergencies.
The new hotline was integrated into the existing infrastructure of the Nuclear Risk Reduction Center, located in the Harry S Truman Building, the headquarters of the US State Department. It was from there at the end of September that Michael Daniel, Obama’s cyber czar who had a background in national security, passed a message to Sergei Buravlyov, a deputy secretary of the Russian Security Council and colonel-general of the FSB. “It was used the first time since it was established,” said Daniel, whose mission was “to communicate the US government’s serious concerns about the Russian information operation to attempt to influence the election.” The line was built to pass a message, and only if there is further escalation does it provide an option to communicate by voice. “We didn’t get to that,” recalled Daniel. He declined to comment on how his Russian counterpart received the message, but it obviously was not a diplomatic success.
There was, it turned out, a fundamental flaw in Michele Markoff’s logic. Modern cyber conflict is simply not comparable with conventional armed or nuclear conflict. When there is a missile launch or preparation for a missile launch, there is no way for the government to deny responsibility. However, all kinds of informal actors who are not easily detected can launch cyber attacks. This is called the problem of attribution, and it means a government can disown responsibility. The Kremlin saw this flaw and exploited it to the fullest. They had a different playbook. The message to Buravlyov was a dead end.
Vladimir Putin was clearly enjoying himself when, on September 1, a Bloomberg reporter asked him about the DNC hack. He laughed and said, “There are a lot of hackers today, you know, and they perform their work in such a filigreed and delicate manner that they can show their ‘tracks’ anywhere and anytime. It may not even be a track; they can cover their activity so that it looks like hackers are operating from other territories, from other countries. It is hard to check this activity, maybe not even possible.”
The president was apparently under the impression that hackers could not be identified and thus the attack could not be attributed. Putin clearly had not been briefed about the major shift in digital forensic and attribution policy that had taken place within the cybersecurity community in the spring and didn’t expect the US government to accuse Russia of running the hacking operation. But just in case, he carefully repeated the line of defense his spokesperson Peskov had previously used: “Anyway, we do not do that at the government level.”
Putin didn’t leave it there; he made a point of adding, “Besides, does it really matter who hacked Mrs. Clinton’s election campaign team database? Does it? What really matters is the content.”
This exactly echoed Julian Assange, who had said in a July interview with NBC that commentators should be focusing on what the documents say, that “the real story is what these emails contain.” (A hardly consistent claim given WikiLeaks’ April attack on Mika Velikovsky and his friends.)
Putin gave the Bloomberg interview in Vladivostok, on his way to the G20 Summit in China. There he met US president Barack Obama. There was no proper conversation between them—Obama just pulled Putin aside and told him to “cut it out and there were going to be serious consequences if he didn’t.” Putin responded that the United States had long funded media outlets and civil-society groups that meddled in Russian affairs.
The sticky question of attribution remained unresolved despite the cyber community’s new guidelines. Although several cybersecurity companies confirmed CrowdStrike’s findings and US intelligence supported the thesis that two Russian intelligence agencies conducted the DNC hack, the Kremlin continued to deny any responsibility. Meanwhile informal actors, like Guccifer 2.0, kept claiming they were behind the hack.
Inside Russia, Kremlin propaganda mocked US hacking claims while private Russian cyber companies were busy briefing journalists, apparently with one objective: to destroy the credibility of the CrowdStrike June report. The media were trying to figure out whether the Russian military intelligence cyber capabilities were up to the task of hacking the DNC servers. Cyberwarfare had been an FSB monopoly for more than two decades, and the Russian Ministry of Defence set out to form its own so-called cyber troops relatively late, only in 2014. Although the military immediately joined the FSB in actively recruiting at Russian technical universities, spotting the best and brightest, this didn’t quite support the claims that Fancy Bear was a military intelligence front—most cybersecurity experts thought Fancy Bear had been operational since at least 2007, long before the Russian military had joined the cyberwar scene.
On September 26, 2016, we were in Moscow when we got a message on WhatsApp from a friend at an American TV network: “Let me know if you have a few mins to chat.” He then sent us a collection of scraps from what appeared to be intelligence briefings on Trump’s connection with the Kremlin. Three days later another journalist from a top US newspaper contacted us with something that looked like it was coming from the same source. This information gave some insight into the Kremlin’s thoughts about the US election.
The document—the now-famous dossier prepared by Christopher Steele—read like a series of reports and included prurient details of an alleged assignation during Trump’s stay in the Ritz hotel in Moscow, among other things. It also made strong allegations about Trump’s closeness to Putin’s people. The American journalists were hesitant and wanted us to check the facts in the report. “It’s starting to smell like BS…. It seems like a smear campaign,” one of them told us.
So what was it? Was it a smear campaign? The answer was not immediately clear. Kremlin outsiders had no way of verifying most of the claims in the document. Some details, including names, were clearly erroneous—misspelled or misattributed. For instance, the name of the Russian diplomat withdrawn from the embassy in DC was Kalugin, not Kulagin, and the FSB unit named as responsible for gathering compromising material on Hillary Clinton, Department K, has nothing to do with eavesdropping or cyber operations. (Apparently, it was a confusion—there is another Department K in the Interior Ministry, and that is the one that oversaw cyber investigations.)
But the dossier was accurate in one thing: it correctly described the decision-making process in the Kremlin, and this suggested human sources in high places in Moscow.
The dossier also included some information about the DNC hacking, and it was strikingly different from the story told by CrowdStrike and repeated by the US intelligence. It implied that it was not the GRU or FSB but rather Sergei Ivanov who was “ultimately responsible for the operation,” though he was not entirely happy with the outcome. Dmitry Peskov, Putin’s spokesperson, “remained a key player in the operation” and played the crucial role in “handling and the exploitation of intelligence” by his “PR team.” And Ivanov was one of the six KGB officers present at the April meeting of the Security Council in the Kremlin Senate. In terms of foreign intelligence Ivanov was the most experienced person at the meeting. On August 12 he had been removed from his position of chief of Putin’s administration, but he maintained access to the marble-covered hall of the Kremlin Senate—Putin preserved his seat on the Security Council.
The dossier also asserted that the hacking operation had been organized through informal channels and used informal actors—hackers’ groups and companies. The FSB, not military intelligence GRU, was named as “the lead organization within the Russian state apparatus for cyber operations”—something that meshed better with what we had been finding when we investigated CrowdStrike’s report. The report further claimed that the FSB “often uses coercion and blackmail to recruit the most capable cyber operatives in Russia for its state-sponsored programmes” with the goal “to carry out its, ideally deniable, offensive cyber operations.” Further, the dossier said that Putin knew about the hacking and “was generally satisfied with the progress of the anti-Clinton operation up to date.”
Still, it was full of unverified claims and mistakes. Nobody knew what to do about it, and despite its wide circulation among reporters, it wasn’t made public until January 2017, when Buzzfeed posted it online and it became known as the Trump Dossier.
In early October 2016 the US government took an unprecedented step: it officially accused Russia of a hacking operation, apparently trying to force the Kremlin to stop. The denunciation, made by the Department of Homeland Security and the Office of the Director of National Intelligence, stated that “the U.S. Intelligence Community is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.” The statement went on to say, “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.” Washington had just raised the stakes for the Kremlin.
This step, however, had no immediate consequences. The hacking operation seemed to be suspended, but not the publication of kompromat: on October 2 Roger Stone, a longtime unofficial adviser to Donald Trump, tweeted cheerfully:
Wednesday @HillaryClinton is done. #Wikileaks.
He was mistaken: the WikiLeaks publication did not come out on Wednesday but had been postponed until Friday, October 7, when WikiLeaks published thousands of emails from John Podesta’s Gmail account. The emails had excerpts from Clinton’s paid speeches, including the speeches at Goldman Sachs. Three days later, on Monday, Trump was at a campaign rally in Wilkes-Barre, Pennsylvania. “This just came out. I love WikiLeaks!” he told the crowd. Trump then read aloud quotes from Clinton’s speeches revealed by WikiLeaks. In his hand Trump also had an email he said had been sent by Clinton adviser Sidney Blumenthal, in which Blumenthal appeared to admit that the killing of a US ambassador in Benghazi had been “almost certainly preventable.” Next Trump read, “Clinton was in charge of the State Department and it failed to protect US personnel at an American consulate in Libya.” Trump said this email had come from the WikiLeaks trove. But it hadn’t. In fact, the Russian pro-Kremlin agency Sputnik had fabricated this quote. A Newsweek journalist had actually originated the quote in an article, and Blumenthal had copied and pasted it to Clinton. Sputnik, however, reported the comment as having been written by Blumenthal.
By then the WikiLeaks website was hosted at least partially on the premises of the Russian hosting company HostKey on Barabanny Lane in the east of Moscow—WikiLeaks had moved its hosting to Russia in August.
On November 6, on the eve of the election, WikiLeaks released a second collection of DNC emails, more than 8,263 in total.
On the US election day of November 8, at 3:45 p.m. Moscow time, when the polling stations in the United States just opened, Putin summoned his Security Council. This time the marble-covered hall in the Kremlin palace was more crowded. Along with the April group, Putin invited Prime Minister Dmitri Medvedev; Foreign Minister Sergei Lavrov; Minister of Defence Sergei Shoigu; the new head of the Administration of the President, Anton Vaino; and Vyacheslav Volodin, the Speaker of the Duma.
Officially Putin convened the meeting to talk about the pension system and how reform could affect servicemen. But this could hardly explain the presence in the room of Sergei Ivanov. Nor did it explain the presence of Sergei Lavrov, who was evidently nervous and drummed his fingers during Putin’s opening remarks, the only part of the meeting the Kremlin press office allowed to be recorded.
The next morning when the results of the election became known, Trump’s victory was met with jubilation in Moscow. Parties were given and, in the State Duma, champagne bottles were popped.
Russian officials openly praised Trump on TV. But the anxiety was also palpable—Trump was not expected to win, and nobody thought his victory would go over easily in Washington. Lots of people started asking themselves what the American intelligence services might do now about Trump’s Russian connections.
For the Kremlin it was time to cover some tracks.
Unlike in Soviet times, these days Moscow is extremely well lit at night; in fact, the authorities take a special pride in the capital’s sparkling lights. Even so, no one driving along Leningradskoe highway toward the city center could possibly miss the two five-story, cube-shaped buildings of Kaspersky Lab: day and night the offices radiate electric light. Thanks to transparent walls, everyone who passes can see Kaspersky Lab’s employees at their desks at all hours, working on their black Dell computers. However, on the first floor of the main building the glass walls are always shuttered.
This floor houses Kaspersky’s investigation unit, headed by Ruslan Stoyanov. In Russian, Stoyanov’s unit goes by the acronym ORKI (from Otdel Rassledovania Kompyuternikh Incidentov), which calls to mind Orcs, a race of creatures in Tolkien’s fantasy books who live underground and fight the men of the West. This was not a coincidence—Stoyanov has a weakness for symbolic names. The company he had founded before joining Kaspersky was called Indrik, a fabulous beast in Russian folklore—a gigantic bull with the head of a horse and an enormous horn, the king of all animals, who also spends his time wandering underground.
Stocky, with close-cropped hair and a goatee, Stoyanov has always had strong patriotic feelings and likes to spend his holidays off-roading his four-wheel, winch-equipped Niva (a Russian version of a Land Rover Defender) through the woods.
Stoyanov built his reputation serving in the famous K Department of the Interior Ministry (the same one that, presumably, the Trump Dossier meant to refer to). In the K Department Stoyanov spent six years investigating cybercrimes. In 2006 he left the Ministry. Four years later he launched Indrik, which provided DDoS protection to the corporate market. Before long, Stoyanov’s company’s future was all but secured when Kaspersky Lab began providing Indrik’s services to its customers. In 2012 they joined forces. Working for Kaspersky now, Stoyanov formed his investigation unit, the orcs—ORKI. Next Stoyanov became the contact point between Kaspersky’s big clients—banks and corporations under cyber attack who wanted to find their attackers—and the Interior Ministry and the FSB. Stoyanov’s role was to provide expertise for criminal investigations, but Kaspersky worried that the influx of requests for help from the FSB and the Interior Ministry was getting out of control. So they decided that Stoyanov should be the company’s single entry point for the secret services. Stoyanov cultivated his contacts with his former colleagues in the K Department of the Interior Ministry and with its counterpart in the FSB, the Information Security Center. At the FSB Stoyanov dealt primarily with the Information Security Center’s deputy head, Colonel Sergei Mikhailov. Mikhailov had a tarnished reputation outside the Lubyanka—in 2011 he had tried to force the online media outlet Roem.ru, which specializes in web enterprises and social networks, to disclose the identity of one of its journalists. Surprisingly, he failed—the General Prosecutor’s Office found his interest unlawful. But Mikhailov also served as a handler of companies running crucial parts of the Russian Internet infrastructure.
Stoyanov also took pains to cultivate his contacts with Western counterparts—not only American but also German, British, and Dutch law enforcement agencies, among others. Russian hackers tended to live in Russia, but their hacking fingerprints existed globally.
Stoyanov’s patriotic feelings didn’t prevent him from traveling abroad. Travel was important to his sense of self-esteem—a former major of the Russian police, he could go to the United States and talk with American cyber experts as an equal about fascinating things.
In the fall of 2016 Stoyanov, now in his late thirties, had a special reason to be proud of himself: he had helped collect evidence for Russia’s biggest-ever crackdown on financial hackers, involving the arrest of fifty members of a cyber crime ring known as Lurk that had stolen more than 3 billion rubles ($45 million) from banks in Russia and abroad. Stoyanov’s unit had been investigating the group’s activities for years, and a joint operation with the FSB and the Interior Ministry had finally resulted in arrests.
Stoyanov knew just about everyone in the murky world of cyber, and he seemed indispensable for Kaspersky and the secret services. But as the winter of 2016 fell on Moscow, the city’s paranoid atmosphere turned Stoyanov’s assets into his biggest liability. In short, Stoyanov and his friends knew too much about the Russian digital underground and its intricate and complicated connections with the secret services. They also had contacts in the West. Thus, they were a vulnerability.
On December 4, a Sunday, the operatives of the FSB went after Stoyanov. He was arrested in the airport on his way to China. Stoyanov’s wife and colleagues at Kaspersky learned of his arrest only after he failed to get online when his plane landed the next day. Mikhailov and his subordinate, Dmitry Dokuchaev, once known by the hacker alias Forb, were also seized by the FSB. (A few months later it turned out that Dokuchaev was the only confirmed connection between criminal hackers and the Russian secret services engaged in offensive operations in the United States—in March 2017 the FBI identified Dokuchaev as a member of a group that had hacked Yahoo in 2014.)
The FSB charged Stoyanov, Mikhailov, and Dokuchaev with state treason and threw them into the Lefortovo Prison. Lefortovo is Russia’s closest equivalent to Dumas’s Château d’If. It is entirely isolated, with tough and effective guards, and unauthorized contacts are completely impossible. Although there are always ways to communicate with the outside world in other Russian prisons, Lefortovo is an exception. Its guards make every effort to prevent inmates from seeing one another. When escorting prisoners, guards use little clackers—a circular piece of metal—or snap their fingers to make their presence known to the other guards. If two escorts meet, one puts his charge into one of the many wooden cabinets lining Lefortovo’s corridors. This has been the practice since Tsarist times.
Most cells house two people, and as a rule a newcomer is placed with an undercover FSB agent as his cellmate for several months—to spy on him constantly inside the cell.
Stoyanov, Mikhailov, and Dokuchaev were locked up and safely secured. The FSB also worked on their relatives and colleagues—the information about the arrests remained secret to the public until the next year.
In January Sergey Buravlyov, the FSB general at the Russian end of the cyber hotline with the Americans in 2016, was quietly removed from the Security Council. Contrary to all Kremlin rules, no public announcement was made about his resignation.
With that, all the doors to the information about the Russian cyber operations were shut and sealed.
Or were they?
In April 2017 Stoyanov managed to smuggle a letter out of Lefortovo. In the first sentence Stoyanov asks the question on everyone’s mind: “Why me?” He explains that he is “one of the people who fought cybercrime for the last 17 years… but the paradigm in cybercrime has changed. Now cybercrime is closely connected with geopolitics. That’s why [cybercriminals] could unleash the full power of the government against an expert like me. And that’s why I was prosecuted.” Stoyanov clearly believes that there is a connection between the Kremlin and hackers.
Vladimir Putin built a fortress out of the Russian government—impenetrable and suspicious, with dead-ends and trap pits to trick the enemy and protected by thousands of guards and secret agents. Here decisions are made for unclear reasons, and there is almost no way for outsiders to understand what’s going on. The officials behind the Kremlin walls accept by definition that the environment outside is hostile, so why tell the truth when it’s more practical to lie and thus surprise the enemy? The Kremlin adopted this logic years ago. This is why understanding what actually happened in 2016 is so tricky.
The Russian hackers did not compromise polling stations, nor did they affect the critical infrastructure of the United States during the presidential campaign. Donald Trump found himself in the White House for a number of very serious reasons, most of them originating in the United States, not from abroad.
Yet there was something the Kremlin did foster in the political culture of America, something that was all too familiar to Russian—and, before them, Soviet—citizens. The Soviet officials never trusted the people. They strongly believed that any Russian citizen at any moment could spontaneously go mad or get drunk, crush the equipment in the workplace or come into contact with a suspicious foreigner and expose state secrets. In short, the authorities wholeheartedly despised the people they governed. The people were unreliable and thus needed to be managed and kept under control. That’s why every Soviet citizen was limited in his or her travels and contacts and entangled in hundreds of instructions, all with the goal of preventing him or her from doing anything unauthorized. And there was always someone behind the next door—a party official or a KGB officer—to be asked for permission.
The KGB believed in the same theory, but it went deeper. They were trained to think that every person was driven only by baser, inferior motives. When confronting Soviet dissidents, they looked for money, dirty family secrets, or madness, as they couldn’t accept for a second that someone could challenge the political system simply because they believed in their cause.
Putin is a product of this thinking. He doesn’t believe in mankind, nor does he believe in a benign society—the concept that people could voluntarily come together to do something for the common good. Those who tried to do something not directed by the government were either spies—paid agents of foreign hostile forces—or corrupt—i.e. paid agents of corporations. Any public debate with them about important issues was thus meaningless and dangerous. For Putin the serious business of governance should be left to professionals—his government officials.
This message was spread inside the country and was used to attack the political opposition; it also targeted all sorts of activists, from environmentalists to feminists, using all the tools of propaganda available, from TV channels to social networks. Political or civic activity is a dirty business by definition, and nobody could be trusted—that was the main message. In the fragmented, confused post-Soviet society, it worked pretty well.
This cynicism was Putin’s gift to America.
In 2016 this message was widely propagated through social media in the United States, to a great extent supported by the publication of leaks, most of which were the result of Russian hacking operations. Conspiracy theories about Hillary Clinton, supplied by “the evidence” provided by WikiLeaks, were picked up by the pro-Kremlin English-speaking media like Sputnik, then promoted by trolls on Facebook, Twitter, and YouTube. Donald Trump was keen to exploit them, as the Blumenthal fake email story proved.
But this alone was not the reason Trump won the presidency. Large sections of American society had already lost their trust in political institutions—and particularly in the media. The process had started long ago and is also apparent in many other Western countries. The Russian hackers and their bosses did not create a wholly new narrative in America but instead sought to exploit the weaknesses that already existed.
This dark concept of total distrust was mostly spread via the Internet because it was what the Internet was built for—sharing ideas. Although the Internet is the most democratic means of communicating, it can be used by governments and groups that understand nothing about its nature. Creating disruption on the Internet doesn’t need advanced technology—North Korea very quickly developed cyber capabilities strong enough to hack Sony servers, and for years ISIS has outmaneuvered the West in online propaganda. Russia simply combined hacking, the public use of stolen information, and the moment—acting during the election period.
Does this mean we should accept the concept that the Internet carries more threats than benefits?
The creators of the Internet supported the opposite concept. Unlike Putin, they believed in people and built the global network under the assumption that it would be used for sharing something good. They may look naïve these days, but we got our modern linked-up technological world thanks to their concepts, not Putin’s. The Internet—and the concepts behind it—are still full of potential.