The Apprentice

When Russia’s currency began tumbling under crippling sanctions imposed by the United States and the European Union, Mindiyarov was enlisted in a campaign to post glowing comments on Russian news sites and online magazines. “I was writing that everything was the opposite: how wonderful our life was, how wonderful it is that the ruble was strengthening … that sanctions were going to make us stronger and so on and so forth,” he recalled.

Days at the agency were divided into two twelve-hour shifts, Mindiyarov said, with quotas requiring employees to deliver 135 website comments per shift, 200 characters apiece. “You come in and spend all day in a room with the blinds closed and twenty computers,” he said, adding that he was paid 40,000 rubles, or about $800, a month after Russia’s currency crashed in late 2014. It was decent money at a time when Russia’s economy had been crumpled by Western sanctions.

Mindiyarov said he wasn’t involved in the “Translator Project,” but knew there were other sections of the company aimed at an audience in the United States. An unnamed troll told an independent television station in Russia that Internet Research Agency employees were told to engage with Americans online and “get into an argument in order to inflame it, and rock the boat.” The troll said their orders by 2016 were to specifically attack Clinton. “The main message is: aren’t you tired, brother Americans, of the Clintons, how long have they been around?” the station quoted the troll as saying. To ensure that their use of English was seamless enough for online political debate, employees in St. Petersburg watched the Netflix drama House of Cards, a show about a corrupt American pol who rises to become president.[1]

As an English speaker, Mindiyarov had been approached to apply for the “Facebook department,” where pay was twice as high. (The employees who emerged from that section for smoke breaks were younger, hipper, with newer phones and better haircuts.) But Mindiyarov was tripped up by the entrance test: his English wasn’t strong enough to pass as native in the rapid-fire encounters of social media, where you had to be fluent even in American idioms. In response to the essay question “What do you think of Hillary Clinton?” he wrote that she seemed to have a strong chance to be the next U.S. president. It was unclear, he reflected later, whether the answer itself was disqualifying or merely the caliber of the English he used to articulate it.

THE WEEKEND OF THE WHITE HOUSE CORRESPONDENTS’ ASSOCIATION Dinner at the start of May was supposed to bring a momentary respite from the pressure of the presidential campaign. Many Washington insiders, including senior officials at the DNC, would be donning gowns or tuxedoes for the annual bash near Dupont Circle. The so-called nerd prom always attracts an influential if eclectic crowd—cabinet secretaries, cable news anchors, and a smattering of Hollywood stars. Five years earlier, with Trump in attendance, Obama had mercilessly taken full advantage of the chance to return fire on the reality TV star who had used his fame to fan a baseless conspiracy about the president’s place of birth. The jokes mocked Trump’s ego and boorishness, and as the audience roared, Obama’s target was visibly annoyed, so much so that some would later wonder whether that moment of humiliation had motivated him to mount his own serious run for the White House.

Saturday night’s event, Obama’s last as president, was expected to have a more valedictory tone for the Democrats, but the prospect of another Democrat in the Oval Office come 2016 also provided reason to celebrate. Preparation for the pre-event parties was already under way on Friday when DNC executive director Amy Dacey learned for the first time around four P.M. that the committee’s network had been penetrated. Immediately she picked up the phone and dialed Michael Sussmann at Perkins Coie.

“We’ve had an intrusion,” she told him. The contract IT team first thought they could contain the damage and keep the committee’s systems up and running, she explained, but it seemed obvious they were overmatched, especially if the bureau’s suspicions proved correct and the hackers were Russian. Finally Tamene and his team were getting it: the DNC was in big trouble. “They were mature enough to know that they couldn’t fight the Red Army,” Dacey said.

While still on the phone with Dacey, Sussmann fired off a text to Shawn Henry, a former top cyber official at the FBI who had left the bureau to take a top job with a Silicon Valley cybersecurity firm, CrowdStrike. With his shaved head and dark suits, Henry would never be mistaken for a member of the hacker crowd, but he had been on the front lines of previous election-cycle cyberattacks. In 2008, he was in charge of the FBI cyber division when Chinese officials hacked the computers of the presidential campaigns of John McCain and Barack Obama, looking to steal intelligence that would give them insight into how each man would steer U.S. foreign policy regarding China.

As the White House Correspondents’ Dinner and a weekend of follow-up events got under way in Washington, Sussmann formally moved to enlist CrowdStrike to protect the DNC. The intrusion and the plan to counter it were to be kept secret from most DNC staff. “You can’t let the attackers know you know they’re there,” Sussmann instructed Dacey. “You only have one chance to raise the drawbridge.” If the hackers were tipped off, they could destroy logs and wipe their tracks or worse—steal piles of data while making a scorched-earth retreat. Most Democrats would party in blissful ignorance of the potential nightmare going on back at their national committee headquarters.

For the DNC, the timing was terrible. Half a dozen primaries had just ended, with Clinton taking a commanding lead, but the coming weeks formed a brutal final sprint, with potentially decisive contests in ten states, including Oregon, Indiana, and California. The Democratic National Convention, the committee’s showcase event, was twelve weeks away. The party had picked Philadelphia for the 2016 event, and 50,000 people were expected to attend, including about 5,000 delegates, with millions more watching on television.[2] The DNC’s staff was working around the clock planning for the general election. It was also an intense period of political maneuvering. Supporters of Bernie Sanders, the senator from Vermont, were already suspicious that a party apparatus held tightly in the Clinton family grip had sought to deny them the nomination, and the internal debates about candidates, strategies, fundraising, and campaigning were detailed in thousands of internal DNC emails, spreadsheets, and other files—all residing on a computer system that might have been thoroughly compromised by Russia.

“You had staff running full tilt, gathering research on the Republican front-runner, Donald Trump,” Dacey recalled. “You had an intruder inside the system who was interested in that opposition research, and a convention to plan for. It was the perfect storm.”

By Friday, May 6, CrowdStrike had worked with Tamene’s team to install stronger threat detection system software. Immediately it turned up troubling evidence of two Russian hacking teams—the newly discovered, “noisier” intruder as well as the quieter one that the FBI had long warned the DNC was already inside.

U.S. intelligence agencies had for years been reluctant to publicly identify hacking groups by country out of concern that doing so would jeopardize sources as well as run the risk of complicating diplomatic relations. When they wanted to signal publicly that a nation-state was behind a cyber campaign, they adopted the euphemism “advanced persistent threat,” or APT. The term had been coined in 2006 by an Air Force intelligence officer looking for a way to pass information to defense contractors getting hammered by a specific set of foreign hackers, without revealing the classified detail that the country behind the assault was China. It had then spread to cyber firms in the private sector and now was used throughout the industry. A Chinese cell known as People’s Liberation Army Unit 61398 had carried off a string of thefts of intellectual property and commercial secrets from American and European defense contractors, and engaged in espionage against countries including the United States, Canada, India, and Israel as well as against the United Nations. They were so prolific and brazen that like graffiti artists, they sometimes left telltale signs of who they were, lines of computer code that sometimes included nicknames such as “Ugly Gorilla.” Unit 61398 became known as APT1.

The teams rummaging through the DNC machines were known from previous intrusions on other targets and already had their designated monikers: APT 28 and APT 29. CrowdStrike had its own branding conventions using animals to represent various countries. Chinese groups were pandas, while the label for the Russian teams was based on a symbol associated with that country for centuries: the DNC hackers were dubbed Fancy Bear and Cozy Bear.

CrowdStrike was confident that Fancy Bear—the later arrival at the DNC—was an extension of the GRU. Cozy Bear’s affiliation was less clear. CrowdStrike suspected that it was tied to Russia’s domestic intelligence service, the FSB. But U.S. intelligence agencies had for years been certain that whatever the name—Cozy Bear, APT 29, or the Dukes—the team was an extension of Russia’s foreign intelligence service, the SVR.

The original Cozy Bear DNC hack had taken place so long ago that log files were difficult to come by, but with what they could find, CrowdStrike investigators began to reconstruct the intruders’ actions. The Cozy Bear crew had been disciplined and patient. They had compromised the DNC’s email, chat, and internet phone systems. They had set up an automated mechanism so that every time a DNC employee got an email, a copy was forwarded to Cozy Bear. The unit stole passwords and log-ins for system administrators, but behaved cautiously with these keys, never gorging themselves on data they could access, always minimizing the chances of getting caught. The April newcomer, however, had no such manners—it foraged without restraint.

Investigators saw no indication the two teams were working together or were even aware of one another’s presence, though they did seem to target separate areas of the network: Fancy Bear went after research files, at one point making off with a trove of opposition material on Trump, while Cozy Bear focused on emails and chats. The bottom line was clear: the committee and many of its internal secrets had been utterly exposed. Yet in calculating the damage, DNC leaders and investigators relied on an assumption that seemed reasonable: that while whatever information the Russians had taken might be mined by Kremlin analysts, it wouldn’t be exposed publicly. Cozy Bear, after all, had attacked other nongovernmental organizations and defense contractors as well as foreign governments and political organizations. “This is a sophisticated foreign intelligence service with a lot of time, a lot of resources,” Henry concluded. “There’s no doubt this is a nation-state targeting a United States political system. What are candidates thinking about? What are they developing? What are their strategies? It’s classic espionage.” And classic espionage meant not revealing to the world what had been stolen, if for no other reason than it would jeopardize subsequent efforts.

Having taken measure of the breach, the experts began drafting a plan to kick the hackers out. Doing so would require rebuilding entire systems, resetting passwords, and picking a time to shut the network down. On an aggressive timeline, the operation could be carried out starting around May 20. But DNC leaders were reluctant to disrupt the network at a time when the party’s nomination had not yet been secured, so a date was set for the three-day Memorial Day weekend, when it would be easier to take the system offline without cutting into work time or raising suspicions. Yet while Clinton’s lead was commanding, Bernie Sanders was still in the race and drawing energetic crowds. The DNC leadership decided it was better to wait even longer and ensure that the contest was clinched. CrowdStrike held off, scheduling the work for mid-June.

During that stretch, the Russians amassed more emails that appeared to show DNC bias in favor of Clinton—not only old correspondence, but new messages written during the stretch when the DNC could have been in cleanup mode. And because the hacking was still being kept secret, nobody outside the inner circle had any sense that they should be more cautious than usual when sending emails and documents. On May 21, Mark Paustenbach, a committee communications official, wrote to a colleague, “Wondering if there’s a good Bernie narrative for a story, which is that Bernie never ever had his act together, that his campaign was a mess.” Other damaging emails had been written before CrowdStrike had even had enough time to conclude the attack was being carried out by Russians. For example, on May 5, a committee staffer emailed Paustenbach and Dacey suggesting a way to call voters’ attention to Sanders’s faith. “It might make no difference, but for KY and WVA can we get someone to ask his belief. Does he believe in a God,” wrote Brad Marshall, the DNC’s chief financial officer, who had lived and worked for years in Kentucky. “He had skated on saying he has a Jewish heritage. I think I read he is an atheist … My Southern Baptist peeps would draw a big difference between a Jew and an atheist.” This was way beyond the official DNC position, which was that the organization was there to help all Democratic candidates without favor toward any in particular. Marshall added in a second email that it came down to the “Jesus thing.” Dacey replied: “AMEN.” Dacey later insisted that she had meant her remark not as affirmation of the plan but to express understanding of the venting by her staff. Regardless of intention, it was a comment that would later add fuel to a fire.

On Monday, June 6, Clinton clinched the Democratic nomination, making history as the first woman in the United States ever to be selected to represent one of the two major parties in a presidential contest. Breathing easier that their secret had held for five weeks, the DNC leadership finally turned to the task of getting rid of the intruders. But as plans took shape for what the cyber team called “Remediation Weekend,” officials knew that word of Russian penetration of a major party was unlikely to hold. Sussmann, the lawyer, recommended preempting this possibility by contacting a reporter at The Washington Post.

ON WEDNESDAY, JUNE 8, ELLEN NAKASHIMA WALKED A FEW BLOCKS from The Washington Post’s building on 13th and K Streets to Sussmann’s office at Perkins Coie. In a sixth-floor conference room, she met Dacey for the first time. Henry was there, too, along with Sussmann. The three of them proceeded to tell her about the dramatic events of the preceding month. Dacey was no expert in cyberattacks, but she was intent on making sure that people knew what happened and understood the stakes.

On the evening of Friday, June 10, after the DNC staff had gone home, a crew of about ten committee technology workers, including Tamene, as well as a separate team of CrowdStrike investigators, arrived at committee headquarters for Remediation Weekend.

The crew worked Friday, Saturday, and Sunday, pausing for only brief stretches of sleep. The entire DNC network was shut down. To keep the mission secret, the committee had told employees the unusual arrangement was required for a system upgrade. The process was tedious and repetitive. The committee had collected hundreds of laptops from staffers—some of whom fretted that this meant their jobs were at risk because Clinton was taking over the party leadership. The remediation team piled the devices in stacks, side by side, on a large rectangular table in a first-floor conference room. Each laptop had to be reimaged, a manual process consisting of wiping the hard drives clean, reinstalling the operating system, and clicking through a series of tiresome fields to select the correct language, time zone, etc. Meanwhile, a parallel team backed up terabytes of committee data to a clean collection of servers. Every laptop, once reimaged, had to have its data restored.

By Sunday night, the project was finished, and Dacey, who came into the office to check on the work, breathed a sigh of relief. In appreciation of the magnitude of the operation, one of CrowdStrike’s founders, Dmitri Alperovitch, a Russian-born expert with degrees from Georgia Tech, showed up to take his exhausted team to dinner at a Brazilian steakhouse. Monday morning, the network was back online, the laptops, with new software running to detect any return of the Russians, redistributed.

DNC officials had shared their account with Nakashima on the condition that it not be published until the committee’s networks had been secured. She began composing a draft of the article and made plans with editors to put the story online on Monday, June 13. But on Sunday the twelfth, as the DNC team was completing its scrub, devastating news broke in Florida: Omar Mateen, a twenty-nine-year-old security guard, had opened fire in the packed Pulse nightclub in Orlando, killing forty-nine people and wounding fifty-three others—then the deadliest mass shooting by a single gunman in U.S. history.

The Post put the hacking story off for an extra day. At 11:30 A.M. on Tuesday it appeared atop the paper’s website, opening, “Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump.”[3] The article emphasized that the hackers had been expelled from the DNC’s systems over the preceding weekend and quoted a range of officials and experts casting the intrusion as a classic case of cyber espionage. Moscow, it was agreed, was far more likely to hoard the stolen material and mine it for insights that could provide critical leverage in global affairs. The prospect that Russia would wage an unprecedented campaign of information warfare—sowing doubt about the democratic process, damaging the candidacy of Hillary Clinton, and ultimately seeking to help elect Donald Trump—was beyond imagining at that moment. Kremlin spokesman Dmitry Peskov quickly denied any Russian involvement.

On June 15, within twenty-four hours of the Post’s story, the website The Smoking Gun posted a story saying it had been contacted by an “online vandal” using the name Guccifer 2.0. Elaborating on a blog site, he claimed to be flattered by accounts depicting the operation as “sophisticated,” insisting that “in fact, it was easy, very easy.” He insisted he was not Russian, but a Romanian who had chosen his moniker partly to honor his hacking predecessor Guccifer but also because he loved the Gucci brand. “I’m a hacker, manager, philosopher, woman lover,” he proclaimed. But in online correspondence with journalists, his persona seemed to crack. Posed questions in Romanian by the journalist Lorenzo Franceschi-Bicchierai, writing for the online tech publication Motherboard, Guccifer 2.0’s responses came back in fractured syntax that seemed to betray a reliance on Google Translate. In subsequent exchanges, his online personality seemed to shift, suggesting more than one hand was operating the Guccifer 2.0 persona.

To establish his credentials, he passed along a collection of pilfered DNC documents. The files included internal memos and a list of donors that catalogued six-figure contributions to the party from, among others, movie star Morgan Freeman, director Steven Spielberg, and Hollywood executive Jeffrey Katzenberg. Guccifer 2.0 referred those interested to the DCLeaks website that GRU hackers had set up in April and where even more DNC material was now placed. The document that got the most attention was a 237-page collection of DNC opposition research.

Marked confidential, “Donald Trump Report” was a sprawling catalogue of Trump’s perceived political vulnerabilities, recounting his privileged upbringing, his lawsuits and bankruptcies, affairs and broken marriages, vacillating party affiliations, crass comments about women, fierce verbal attacks on Muslims, penchant for falsehoods, and alleged racism. “One thing is clear about Donald Trump,” read the file’s first sentence. “There is only one person he has ever looked out for and that’s himself.”

To Democrats, all of this added up to a portrait of an ideal opponent, someone who by any conventional standard had to be considered unelectable. But damning as it was, the material laid out in the document was, for the most part, already widely known. If Democrats were hoarding any bombshells, they weren’t listed in the pages of its “Donald Trump Report.”

Guccifer 2.0’s message labored to divert suspicion from Russia. “Hi. This is Guccifer 2.0 and this is me who hacked Democratic National Committee,” it said. The writer offered a brief account of his or her exploit, explaining that it involved breaching “mail boxes of a number of Democrats” and then exploiting the information to get “into committee servers.” The hacker claimed to have been inside the DNC network for more than a year and stolen “thousands of files and mails.”

In reality, Guccifer 2.0 was a GRU creation, an online persona operated by the same hackers who had rampaged through the DNC and DCCC networks. On June 22, one week after Guccifer 2.0’s debut, the Russian hackers behind this online puppet got a message from an eager ally in their unfolding operation against Clinton: WikiLeaks. The organization, determined not to watch from the sidelines, urged Guccifer 2.0 to send “any new material here for us to review and it will have a much higher impact than what you are doing.” Weeks later, WikiLeaks was pleading again for access to the trove, saying, “if you have anything Hillary related we want it,” noting that the Democratic convention was rapidly approaching and unless the digital saboteurs intervened “she will solidify Bernie supporters behind her.”

THE UNITED STATES AND WIKILEAKS HAD BEEN IN A STATE OF OPEN hostility since the group in 2010 published half a million military records from Afghanistan and Iraq and approximately 250,000 diplomatic cables. That release triggered a criminal investigation of WikiLeaks and indirectly led its Australian founder, Julian Assange, to seek asylum in Ecuador’s embassy in London. Assange had been accused of sexual assault in Sweden and said he feared that if he was extradited there to face charges, he would be ultimately transferred to the United States, regardless of the outcome of any court proceeding in Sweden.

Yet while WikiLeaks professed to be concerned only with demolishing the wall of secrecy maintained by the powerful, its publication of confidential information—couched as a moral imperative—has been consistently amoral, with no concern for how such revelations might damage those whose names turned up in the material. Without notable regret they have publicly released a wealth of personal data belonging to people who have little to do with their larger political causes, including credit card numbers, medical records, and Social Security numbers.

Assange, who has hosted a talk show on RT, the Kremlin’s propaganda channel, has made no effort to hide his own disdain for the United States or his relish at the prospect of its downfall. With “a faint smile,” he told The New Yorker in 2017 that the American empire might finally be collapsing. Although Assange denied that Russia was his source for the DNC emails, he has never much cared how he obtains what he publishes. “If it’s true information, we don’t care where it comes from,” he once said. “Let people fight with the truth, and when the bodies are cleared there will be bullets of truth everywhere.”[4] That disregard for sources was matched by an increasing affection for authoritarian leadership (including his own of WikiLeaks) that would eventually place him firmly in the pro-Trump camp.

After a series of failed attempts to transfer the stolen documents to WikiLeaks, Guccifer 2.0 sent the organization an email with an attachment—“wk dnc link1.txt.gpg.” It arrived on July 14 with instructions on how to unzip the trove. Four days later, WikiLeaks responded that it had accessed “the 1 Gb or so archive” and would begin publishing “this week.”
