AUGUST 2016
Linda Power, a US intelligence operative, first tipped me off to the extent of the Russian operation. I was upstairs in my office after I finished delivering a report close to the top of the 7:00 a.m. hour on CBS This Morning.1 It was about the time of day I try to reach sources I depend on. Linda was always at the top of the list, mostly because she and I had developed an easy rapport. I enjoyed talking with her. I always learned something new, and it wasn't always the kind of information that would end up in one of my reports on the Evening News. I would often keep the substance of our discussions to myself.
I dialed her number, and after we had exchanged some quick small talk, I asked her what was going on.
“Jeff. They are hacking the hell out of us,” she said.
“What do you mean they are hacking the hell out of us?” I asked.
“The Russians. They are hacking the hell out of us, and we're not doing anything.”
There was a bite of anger in her tone. Normally, Linda was plainspoken. She didn't connect her emotions to her work. If she didn't want to answer a question, she'd flat out tell you.
“Did something new happen since the convention?” I asked. “Did a new attack occur?”
She sighed and then drew in a deep breath. She was putting not only her job on the line by talking to me, but potentially her freedom, since she could be imprisoned for divulging classified information.
“Did you hear Trump on the campaign trail? Did you hear what he said about Putin?”
“Yeah. You mean where he says Putin was nice because he called Trump a genius?” I said and then laughed.
She didn't respond.
“Oh, and he called him a strong leader, too, right?” I coaxed. Trump's statements on the campaign trail had US intelligence officials scratching their heads.2
“Why is he saying that? How could he say that? Putin is KGB,” she said.
At this point I didn't know a whole lot about Russia. But I did know Linda wasn't alone in this sentiment about Trump's relationship to President Vladimir Putin. The prevailing feeling in Washington about Putin was that he was a manipulator and couldn't be trusted. When Trump praised Putin during his campaign, it was inordinately offensive to people in intelligence circles.
It was dangerous, too. While in the United States there are limits on a president's powers—checks and balances—in Russia there really is no cap on how far Putin can extend his influence. So the consensus in US intelligence circles is that anything big related to Russia has Putin's fingerprints on it. He is the one who gives the go-ahead.
Linda was a real pro, and a patriot. If she sensed something was off-kilter, there was a reason she was telling me.
I asked her what she thought about Trump telling the Russians to find Hillary's thirty-three thousand illegally deleted emails. The whole campaign had seemed so surreal.
I was referring to a press conference that occurred on July 27 when Trump, after calling on Russia to find the emails, said the media would thank them. Trump believed that the media was like pigs to mud when it came to any new revelation about Hillary Clinton.3 He was speaking of Hillary Clinton's use of a private email server (rather than secure federal servers) for work communications while she was secretary of state. Her use of these servers was exposed publicly in March 2015, one month before she announced she was running for president, and an FBI investigation began. Clinton maintained the legality of using her personal email for these communications. On July 2, 2016, Clinton underwent an intensive interview by the FBI, and on July 5, 2016, FBI director James Comey cleared Clinton of any wrongdoing but scolded her when he said the way she dealt with classified information was “extremely careless.”4
Linda sighed. I waited. Other sources had clammed up when they were asked about Clinton's emails. I presumed it was because the FBI was already under scrutiny for being too lenient with Clinton.
“Did anything new happen? With the hacks, I mean? Did they find anything new?”
She said no.
I tried a different tack. I asked Linda if there was a human component to all of this.
“Kompromat,” she said.
“What?”
“Russian operatives are renowned for compromising people. They use Russian operatives to contact people; they get them to trust them. You may not know you are being compromised, but they are using you. That's what Russian operatives do.”
Of course, it was obvious to anyone who had ever read John le Carré's The Spy Who Came in from the Cold, but at that point I still needed those things spelled out.
I took a sip of coffee and put it down, reminding myself to stay cool. And, truth be told, at that point I wasn't that hungry for the story. It would be a few weeks before I recognized it for what it was, before I ran down the stairs into the newsroom essentially stomping and ranting that we had to shift our focus from terrorism to the Russia story.
Still, I could tell there was something more Linda wanted to divulge.
“What else?” I asked quietly.
She drew in her breath again. “Nothing new happened. Nothing new.” She sounded agitated.
“Something old then? They've known about this longer than we thought?” I asked.
Linda was referring to some US officials who had been aware of the Russian cyber intrusions for some time. But at that moment there were only a handful of people who knew before word began to spread to a larger group.
“It's been going on longer than we thought,” she said.
“What has? The hacking? Breaches? Computer breaches? Like cyberattacks or what? Espionage from Russia specifically? What are we talking, like years here?”
“I don't understand how nobody knew,” she said.
It is true many government officials didn't know about the hacking. Surely, this was the case with many of the men and women in that situation room with Michael Daniel, who was special assistant to President Barack Obama and White House cybersecurity coordinator. Daniel himself admits his team only found out about the hacking after WikiLeaks started dumping the DNC emails and they read about it in the Washington Post. Over the years, many of my sources admit to learning about major threats to our country due to information from inquiring reporters. Of course, it is possible that some of these sources may have “known” about the hacks through official channels but chose not to reveal the information to me in order to protect their jobs and the classified information. However, I am certain the siloed nature of the information kept many from finding out about the cyberattacks until the media broke the story, which also parallels how Watergate was exposed.
In the 1970s as details of Watergate were emerging, Nixon's attacks on the media grew more intense. This is noteworthy because the Trump administration seems to have taken the same adversarial approach toward the media (except for Fox News). President Trump overtly attacks and tries to discredit the media, advising the public that news outlets don't tell the truth. There are bad apples in every profession. In journalism, I like to think that 99 percent of us work to uncover the facts. That is certainly the case at CBS News, where everything we put on the air is checked and vetted through numerous filters. We take pride in what we do because we have a tradition that is deeply engrained in the culture of the organization. A culture born through legendary journalists like Walter Cronkite, Edward R. Murrow, Ed Bradley, Bob Schieffer, Lesley Stahl, Scott Pelley, David Martin, and many others.
Even as a target for a White House that seeks to discredit the media, reporters must persevere. We cannot be deterred. But we must also continue to get the story right.
As for the Russian cyberattacks, top US officials knew about them prior to any kind of media report, at least as early as June 2016 when the Democratic Party hired the cybersecurity firm CrowdStrike to investigate. Adam Meyers, vice president of CrowdStrike, posted a blog about their findings, called “Bears in the Midst. Intrusion into the Democratic National Committee,” in early June.5
CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network—COZY BEAR and FANCY BEAR. We've had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of “living-off-the-land” techniques enable them to easily bypass many security solutions they encounter.6
Meyers, who wears black wire-rimmed glasses, three earrings in his left ear, and has spiky gelled hair, may not fit preconceived ideas about how a cybersecurity expert should look. He has over fifteen years’ experience in security, and his territory includes more than seventy “criminal, state sponsored and nationalist cyber advisory groups around the world.”7
The team flew out from CrowdStrike's offices in Sunnyvale, California, which looks like a place that might fit the mold for brilliant and young security experts: replete with a break room filled with video games and a large-screen television. CrowdStrike was the firm that investigated the Sony Pictures hack, and uncovered (within forty-eight hours) that the attack came from the North Korean government.8
I wanted to interview Meyers to learn more about the DNC hacks and how these cyber investigators knew that it was indeed the Russians. Meyers spoke in the crypto-language of computer code and explained how CrowdStrike deployed their technology at both the DNC and the Democratic Congressional Campaign Committee (DCCC), which “provided visibility and saw the Russian intrusion activity against the DNC.” He explained how the “surreptitious monitoring tools” associated with Fancy Bear and Cozy Bear went by different names, including a remote access Trojan, an implant, or a remote access tool kit. Meyers and his team used their own tools to poke around and see what was happening. “Imagine somebody breaks in to a bank, and they use a special saw to cut through the safe. We found that saw as they were using it and were able to then analyze it and track it back to the actor.”9
That actor (computer security professional speak for the hackers) was most likely Russian, Meyers said. The tools that were used were known to be “uniquely associated with this Russian threat actor.” He explained how the infrastructure (for example, the domain names) the actor used to put in the implant and poke around had the Russian hackers’ style and cyber fingerprints all over them. He spoke specifically about the implants. “These things, somebody has to control them; it's not like a drone, where you just fire it off and it comes back with the stolen data: there are people operating that malware, that implant, and using it to move within that environment.”10
The malware used was in line with Russian objectives, and had been used in other Russian attacks, he explained.
The malware that we've identified that's not widely available is something specially built by this actor. We've seen this actor use this malware across multiple platforms, so they've targeted Windows and Mac and Linux and mobile devices like Apple and Android. Having that same tool, being developed across platforms is pretty unique in the malware world. You don't see a lot of that, so that kind of leads us to the assessment that this is something that they've built and they control and they've continued to develop over the last ten years.11
Meyers said this attack was likely orchestrated by hundreds of people. Those who broke in with the malware probably belonged to a different team that was connected to the people who disseminated the information. He noted it was hard to ping their location.
We don't know exactly where they are. I think it's reasonable to assume that there's probably an element in Moscow and they may also have other elements across the rest of Russia. We have some belief that this is tied to the Russian Main Intelligence Directorate, the GRU, which can have locations elsewhere within Russia.12
Hackers’ fingerprints are essentially clues. “We have to make some assertions or…intelligence assessments around what we believe to be true based on having a piece of the story,” Meyers said. He notes that story is hard to decipher because of the nature of computers. “These things are deliberately obfuscated. They're not trying to make it very obvious where it ties back to,” he said. Just as the intelligence folks are cautious about their language, so are the cybersecurity firms. In this case they speak in confidence levels. They had a “high degree of confidence” Russian hackers were behind the attacks.13
They were, however, clear on the timeline.14
“We went through the timeline pretty well,” Meyers said, “which was that the attacks began over a year before with Cozy Bear around September 2015, probably this past spring [2016] with Fancy Bear, and that they released the data from that intrusion back in June concerning the DNC and the DCCC later, and that we stand by the initial analysis and assessment that we made that this ties back to Russian intrusion operations that were deliberately targeting political entities within the United States.”15
Meyers explained how the hackers didn't even try to hide their tracks, because it is part of their culture in the cyber-espionage realm; they don't “necessarily pull back after something like that happens; you know they're doing their thing.”16
The Russians have done their thing in their own unique manner for generations. Cyber espionage is just the most recent way they have employed tactics they have been using for years to target their enemies for information, or to undermine their institutions. It has a long and fascinating history.