He Solved The DNC Hack. Now He's Telling His Story For The First Time.
One late morning in May 2016, the leaders of the Democratic National Committee huddled around a packed conference table and stared at Robert Johnston. The former Marine Corps captain gave his briefing with unemotional military precision, but what he said was so unnerving that a high-level DNC official curled up in a ball on her conference room chair as if watching a horror film.
At 30, Johnston was already an accomplished digital detective who had just left the military’s elite Cyber Command, where he had helped stanch a Russian hack on the US military’s top leadership. Now, working for a private cybersecurity company, he had to brief the DNC — while it was in the middle of a white-knuckle presidential campaign — about what he’d found in the organization’s computer networks.
Their reaction was “pure shock,” Johnston recalled. “It was their worst day.”
Although the broad outlines of the DNC hack are now well-known, its details have remained mysterious, sparking sharp and persistent questions. How did the DNC miss the hack? Why did a private security consultant, rather than the FBI, examine its servers? And how did the DNC find Johnston’s firm, CrowdStrike, in the first place?
Johnston’s account — told here for the first time, and substantiated in interviews with 15 sources at the FBI, the DNC, and the Defense Department — resolves some of those questions while adding new information about the hack itself.
A political outsider who got the job essentially at random — the DNC literally called up CrowdStrike’s sales desk — Johnston was the lead investigator who determined the nature and scope of the hack, one he described less as a stealth burglary than as a brazen ransacking. Despite his central role, Johnston has never talked with investigators probing Russian interference, let alone with the media. But to people dealing with the crisis, “He was indispensable,” as a source close to the DNC put it.
Johnston was also largely on his own. The party had hired CrowdStrike essentially in place of the FBI — to this day, the Bureau has not had access to the DNC’s servers. DNC officials said they made the eyebrow-raising choice to go with a private firm because they were worried they’d lose control of their operations right in the middle of the campaign. Not only that, but the FBI was investigating Hillary Clinton’s use of a private email server. Better, the DNC figured, to handle things privately.
It was a decision that would cast a shadow of doubt over the investigation, even though cybersecurity experts have widely accepted Johnston’s main findings.
In the conference room that day, as he unveiled his findings to Democratic Party officials and lawyers, then-chair Debbie Wasserman Schultz listened in via speakerphone. Johnston told them that their computer systems had been fully compromised — not just by one attack, but by two. Malware from the first attack had been festering in the DNC’s system for a whole year. The second infiltration was only a couple of months old. Both sets of malware were associated with Russian intelligence.
Most disturbing: The hackers had been gathering copies of all emails and sending them out to someone, somewhere. Every single email that every DNC staffer typed had been spied on. Every word, every joke, every syllable.
There was still no warning that Russia might try to interfere on Donald Trump’s behalf. So the DNC officials hammered Johnston with questions: What would happen with all their information? All that stolen data? What would the computer hackers do with it?
Johnston didn’t know. The FBI didn’t know.
The answers would come when the stolen emails were published by WikiLeaks in a series of devastating, carefully timed leaks. And the implications of what Johnston had found would come later, too: The Russian government may have been actively working against Hillary Clinton to help elect Donald Trump.
Growing up, Johnston was a jock, not a cybergeek. He wrestled for his high school in Satellite Beach, Florida, in the 165-pound weight class. As a teenager, one of his strange hobbies was picking locks with paper clips and hairpins.
He had stellar grades, and he was admitted into the Naval Academy in Annapolis, Maryland, in 2004. “I never tinkered with computers,” he said. “I entered the Naval Academy as a wrestler, and that’s all I cared about.”
The only reason he ended up on the front lines against Russian hackers is that during his second semester he was required to choose a major, and he chose computer science because it was “marketable.” At first, he found it boring. Then, during his junior year, he took a computer security class. It changed his life.
The discipline of white-hat hacking, he said, was a bit like picking locks, back when he was a teenager. “This was like doing it with computers,” Johnston said. “We would learn how to break into computers, how to investigate, do forensics. It just interested me right away. Right then and there I wanted to do anything and everything cyber.”
Johnston graduated from the Naval Academy in 2008, and was commissioned as a second lieutenant in the Marine Corps, just when some branches of the military started to see cyber as the new battlespace. To “fly, fight and win,” an Air Force mission statement from the time boasted, “in air, space and cyberspace.”
But “the Marine Corps mindset” — with its proud emphasis on aggressive tactics — “hadn’t changed yet,” Johnston said. And that, paradoxically, made it a perfect place for him to learn and gain rank in the cyberworld. “Ascension was easy because nobody wanted to go into these jobs. They didn’t really understand that cyber was a battleground.”
He directed the Marine Corps Red Team, which tries to hack into the Corps’ computers to test its defenses. He was surprised how many well-trained military personnel fell for fake attacks. Right after the Snowden leaks in 2013, he said, the team sent out to 5,000 people inside the military a test: a phishing email, one that tries to trick recipients into clicking on a link, which installs malware. The subject line was: “SEAL team six conducts an operation that kills Edward Snowden.”
“We actually had to shut down the operation,” he said. “The phishing attack was too successful. The click rate was through the roof.”
In the spring of 2015, Johnston was a captain in the Marine Corps leading newly formed Cyber Protection Team 81, based near the NSA in Fort Meade, Maryland, as part of the military’s Cyber Command, or Cybercom.
On a Saturday around 2 a.m., Johnston received a call on his cell phone from his commanding officer. “The major said, ‘How fast can your guys be back in DC?’” Johnston recalled. “‘Tell them to meet at the Pentagon and you’ll find out more there.’”
A malware attack against the Pentagon had reached the unclassified computers of the Joint Chiefs of Staff, the military’s top brass who advise the president. The malware had spread fast — in just five hours, it had compromised all five of the chairs’ laptops and all three of the vice chairs’ laptops and desktop computers.
Soon, Johnston and the others identified the malware. It was associated with APT 29, for “advanced persistent threat,” a hacker group widely believed to be linked to the FSB, Russia’s federal security service.
Johnston said the phishing campaign against the Joint Chiefs stood out. Usually, he said of Russian hackers, “their operations are very surgical. They might send five phishing emails, but they’re very well-crafted and very, very targeted.” But this time it was a broadside. “The target list was, like, 50 to 60,000 people around the world. They hit them all at once.” It’s rare, he said, for “an intel service to be so loud.”
By “loud,” he means that the attackers were drawing a huge amount of attention, sending out 50,000 phishing emails, as if they didn’t care that anyone knew what they were doing.
Along with Johnston and his military cyber team, NSA employees, and contractors from McAfee and Microsoft were also on site, working on the hack, wiping the system and rebuilding it. Johnston and his team worked around the clock, in two shifts. “Host forensics guys are finding malware, handing it to the malware reverse engineering team who’s reversing it, finding network indicators, giving it to the network guys,” he recalled. “Network guys are scoping, finding out where else they are, and tracking down all the compromised machines.”
Johnston’s team concluded that the Russian hackers took some nonclassified emails and other information but not a lot. The biggest challenge after containing a breach of this magnitude, he said, is you can never be 100% certain that the hackers have been “kicked out” of the system.
Retired Lt. Gen. Mark Bowman, who oversaw cyber at the Joint Chiefs at the time, worked closely with Johnston on the operation. He told BuzzFeed News, “We had to build the network back from bare metal. Watching Robert and his team do that was unbelievable. That guy flat-out amazed me.”
Still, the mission was a big one for Cybercom, and Johnston felt like he had hit a career “home run.”
He left the Marine Corps as a captain, and in November 2015, he signed up to work for CrowdStrike, a well-known cyberprotection company whose president, Shawn Henry, is a former head of the FBI’s Cyber Division. CrowdStrike declined to comment about Johnston’s work.
Johnston didn’t know it, but in September 2015 as he was getting ready to leave the Marines, the NSA informed the FBI that DNC computers had likely been hacked, three sources said. An FBI agent then called the DNC’s IT office and said that the organization’s servers had been compromised.
That part of the story has been told — how little was done for seven months. The FBI periodically tried to get in touch with the organization, but the DNC did not believe the threat was real.
Finally, in April, the DNC IT department became convinced that there was a problem, and top Democratic officials became worried. But even then, they didn’t call the FBI. They called the sales desk at CrowdStrike. (Last week, lawyers for BuzzFeed subpoenaed both the DNC and CrowdStrike for information about the hack and the investigation into it. The subpoena was not related to this story but to a libel suit filed by a Russian businessman named in the Trump dossier published by BuzzFeed News in January.)
At CrowdStrike, the case was assigned to Johnston, new to the company but with battle-tested skills, who soon ended up on the phone with the DNC IT chief.
“The FBI thinks we have a problem, something called ‘Dukes,’” Johnston said the IT employee told him. The Dukes is another name for APT 29, the hackers who Johnston had battled before, at the Joint Chiefs.
Johnston sent the DNC a script to run on all its servers, and then collected the output code. To an outsider it might have looked like a tedious job to examine long strings of data. But within an hour Johnston had it: an unmistakable string of computer code — sabotage — that didn’t belong in the system. It was “executable file paths” — evidence of programs — that didn’t belong there. They stood out like a shiny wrench left in a car engine.
And in fact, Johnston had seen this specific piece of code before, back when he was at the Pentagon. So it was easy to recognize this nemesis. He knew who had sent it by the telltale signatures. “This was APT 29,” he said. Later, when he had spent more time analyzing the DNC hack, he would come to believe that the Democrats had been compromised by the same blast of 50,000 or so phishing emails that had breached the computers of the Joint Chiefs.
When he briefed the DNC in that conference room, Johnston presented a report that basically said, “They’ve balled up data and stolen it.” But the political officials were hardly experienced in the world of intelligence. They were not just horrified but puzzled. “They’re looking at me,” Johnston recalled, “and they’re asking, ‘What are they going to do with the data that was taken?’”
Back then, no one knew. In addition to APT 29, another hacking group had launched malware into the DNC’s system. Called APT 28, it’s also associated with Russian intelligence. Andrei Soldatov, a Russian investigative journalist and security expert, said it’s not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack.
So, Johnston said, “I start thinking back to all of these previous hacks by Russia and other adversaries like China. I think back to the Joint Chiefs hack. What did they do with this data? Nothing. They took the information for espionage purposes. They didn’t leak it to WikiLeaks.”
So, Johnston recalled, that’s what he told the DNC in May 2016: Such thefts have become the norm, and the hackers did not plan on doing anything with what they had purloined.
Johnston kicks himself about that now. “I take responsibility for that piece,” he said.
The DNC and CrowdStrike, now working with the FBI, tried to remove all remaining malware and contain the problem. And they decided on a public relations strategy. How could the DNC control the message? “Nothing of that magnitude stays hushed in the realm of politics,” Johnston said. “We needed to get in front of it.” So, Johnston said, in a story confirmed by DNC officials, CrowdStrike and the DNC decided to give the story to the Washington Post, which on June 14, 2016, published the story: “Russian government hackers penetrated DNC, stole opposition research on Trump.” “I thought it was a smart move,” Johnston said.
But it may have backfired.
One day after the Post article, a Twitter user going by the name Guccifer 2.0 claimed responsibility for the hack and posted to the internet materials purportedly stolen from the DNC’s server.
Johnston thinks the Washington Post story changed the tactics of the cyberattackers. “We accelerated their timeline. I believe now that they were intending to release the information in late October or a week before the election,” he said. But then they realized that “we discovered who they were. I don’t think the Russian intelligence services were expecting it, expecting a statement and an article that pointed the finger at them.”
A month later, in late July 2016, WikiLeaks began to release thousands of emails hacked from the DNC server. Those leaks, intelligence officials would say, were carefully engineered and timed.
The stolen emails wreaked havoc. Wasserman Schultz, then the chair of the DNC, was replaced by Donna Brazile, who just published a new book, Hacks, about the Russian break-in at the DNC.
“CrowdStrike did a remarkable job helping the DNC remediate our system post hacking. Sadly, we should have known more, but that’s all part of history,” Brazile told BuzzFeed News.
Johnston wrapped up his work with the DNC in July 2016. He also left CrowdStrike and started his own cybersecurity firm, Adlumin, based in Washington, DC.
He’s well aware of the grim fact that it was his analysis that helped lay the groundwork that would eventually lead to the investigation by special counsel Robert Mueller, to multiple probes on Capitol Hill, and to the findings about Russia’s intervention on Facebook and Twitter. If the DNC hack hadn’t been traced to Russia, much of that might never have emerged.
Johnston has managed to keep a low profile for the last year and a half, even as Washington has obsessed over Trump and Russia. He hasn’t been in hiding, he said. Over a steak and Scotch at a DC restaurant, he said he just hadn’t talked about it for a simple reason: No one asked him to.
Jason Leopold is a senior investigative reporter for BuzzFeed News and is based in LA. Recipient: IRE 2016 FOI award; Newseum Institute National Freedom of Information Hall of Fame. PGP fingerprint 46DB 0712 284B 8C6E 40FF 7A1B D3CD 5720 694B 16F0. Contact this reporter at email@example.com