On Tuesday, it came to light that the Democratic National Committee's (DNC) network had been breached by not one, but two different hacker groups that are believed to work for the Russian government. The Washington Post reported that one group, designated Cozy Bear, was likely working for the FSB, the Russian internal security service, while the other, Fancy Bear, is likely associated with the GRU, the Russian military intelligence agency.
The two services were not working together and indeed were pursuing different strategies geared towards obtaining different types of information. Cozy Bear had been loitering in the DNC network, undetected, for approximately a year, and appeared to be focused on passively monitoring communications. Fancy Bear, in contrast, gained access to the DNC’s network in April and immediately extracted opposition research information about Donald Trump.
The divergent goals and strategies of the two Bears allow for some insights into why the hack happened and what may happen next. Cozy Bear was clearly running a long-term, passive information collection campaign, as evidenced by the fact that they had been unobtrusively eavesdropping on DNC communications since the summer of 2015. Since Cozy Bear is linked to the primary Russian intelligence service, the FSB, it is likely that their goal was to gain information about individuals within the Democratic Party. Michael Sulick, former director of CIA's National Clandestine Service, told The Cipher Brief that "certainly part of their purpose is to try and identify individuals who might later be in positions in either a Trump or Clinton administration in a foreign policy role - specifically foreign policy towards Russia."
In contrast, Fancy Bear entered in April and stole very specific information relatively quickly. Additionally, the DNC said no financial, donor, or personnel information was stolen from its network. The fact that they targeted information about Donald Trump specifically is significant. It means that they, like many other people, are attempting to understand Trump. Trump is a relative newcomer to the political sphere, and he has a habit of making grandiose, and occasionally unpredictable, claims about what he would do as President. Therefore, it makes sense that a group associated with Russian military intelligence, as Fancy Bear is, would want to gain information about the man who could be the commander in chief of the U.S. military. Given that objective, the DNC is an excellent target: Trump is the Democrats' primary opponent, and they would be researching him extensively.
Now that both Fancy Bear and Cozy Bear have been ejected from the DNC’s networks, there are real concerns about what may happen next. In the short term, there could be an attempt by Russian intelligence services to use information that they have already acquired to reestablish their access to privileged information sources – most likely through a spear-phishing campaign. Since Cozy Bear has been monitoring electronic communications, they are well placed to be able to send emails that seem legitimate, but which actually contain malware that could be used to continue their intelligence collection activities.
The longer-term effects are harder to assess. According to Sulick, "they want to identify the people around [the candidates] who they can recruit as sources," as well as people who could be influenced in order to change U.S. policy towards Russia.
While the focus is currently on Russia, the eyes of the world are on this election, and Russia is not the only adversarial nation with a strong cyber capability. Both China and Iran have demonstrated skill at cyber operations, and China hacked both the Obama and the McCain campaigns in 2008. It is very difficult for a civilian organization to protect itself from a determined state actor. Both the Democrats and the Republicans will need to keep a close eye on their networks if they want to keep their private information private.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.