Republican presidential nominee Donald Trump is reasserting that whoever hacked the Democratic National Committee and stole years of internal emails remains a mystery. But private security experts — although not yet any U.S. government agencies — say they found persuasive clues that point to hacking groups whose previous targets track closely with the strategic interests of Russia's government, especially its civilian and military intelligence and security agencies.
Q: Who got hacked? What happened?
A: During the primary elections in April, months before Hillary Clinton had effectively clinched her party's presidential nomination, the Democratic National Committee said it noticed unusual activity on its internal computer network. It hired Crowdstrike Services of Irvine, California, to investigate, which secretly monitored the hackers and discovered evidence of separate break-ins by two groups it recognized. The first happened in mid-2015 and the second was earlier in April.
The hackers stole opposition research on Trump, information about Democratic donors and years' worth of internal DNC emails before Crowdstrike cut off their access last month. Most of the DNC emails appeared to have been stolen on May 25. The committee publicly acknowledged the hacking on June 14.
The website Gawker said June 15 a hacker claiming responsibility gave it the Trump research report. The same hacker set up a website June 15 and a Twitter account June 20. The Smoking Gun website said June 21 the hacker provided it with stolen files, and the trade publication Motherboard said June 23 it interviewed the hacker. The Hill news organization said July 13 the hacker gave it stolen DNC files, and WikiLeaks on July 22 published on its website more than 19,000 stolen DNC emails.
The emails showed DNC staffers supporting Clinton when they were publicly promising to remain neutral during the primary elections between her and rival Sen. Bernie Sanders. The head of the DNC, Debbie Wasserman Schultz, resigned July 24 over the disclosures and the DNC formally apologized July 25 to Sanders about its staffers' remarks in the emails.
Q: Trump says the identity of the hackers is a mystery? Why is Russia the chief suspect?
A: Trump said Wednesday and repeated Thursday that no one knows who was responsible for hacking the DNC. "They have no idea if it's Russia, if it's China, if it's somebody else," Trump said. "Who knows who it is?"
But Crowdstrike and another security firm, ThreatConnect of Arlington, Virginia, said they found compelling clues pointing to Russia's government when they analyzed the hackers' methods and efforts to distribute the stolen emails and other files. The hacker groups, identified by Crowdstrike as Cozy Bear and Fancy Bear, used different but sophisticated techniques to break into the DNC and try to avoid detection.
"Our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist-terrorist groups we encounter on a daily basis," the company said.
Comparing the groups' tools, techniques and previous known targets, Crowdstrike said the groups were affiliated with Russia's civilian and military intelligence agencies, including the GRU.
Separately, ThreatConnect said it studied the communications between the hacker and news organizations using French computers and a Russian-based privacy-masking technology that it said was characteristic of a careful, government-controlled hacker. "The persona is a Russia-controlled platform that can act as a censored hacktivist," the company wrote. "Moscow determines what (the hacker) shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives."
Leo Taddeo, chief security officer at Cryptzone who previously oversaw FBI cyber investigations in New York, said he believed CrowdStrike was correct in blaming Russia. He said the company had been thorough in tying malicious code from the DNC hack to samples previously used by the suspected hackers, and correlating programming features and other indicators. "I think if you follow a straight line, there's reason to believe that the Russians were likely the ones to provide that information to WikiLeaks," he said.
Director of National Intelligence James Clapper said at an Aspen Institute conference on Thursday that "I don't think we're quite ready yet to make a call on attribution" but added that "we all know there are only just a few usual suspects out there."
Q: Who is Guccifer 2.0? Did he openly claim responsibility?
A: A self-described Romanian hacker, calling himself Guccifer 2.0, has claimed responsibility and delivered stolen DNC materials to news organizations. His name is a rip-off of another hacker, Marcel Lehel Lazar of Romania, who called himself Guccifer and pleaded guilty to hacking charges in May in U.S. District Court in Virginia.
Lazar admitted hacking into the email and social media accounts of U.S. politicians and celebrities between October 2012 and January 2014, including former Secretary of State Colin Powell and the family of former presidents George W. and George H.W. Bush. Lazar is expected to be sentenced to prison Sept. 1.
The new Guccifer has denied working for Russia, but Motherboard said when it interviewed him online he did not appear to be a native Romanian speaker. And Crowdstrike and ThreatConnect concluded that the hacker was a ruse intended to obfuscate Russia's involvement. "Guccifer 2.0 is a Russian propaganda effort and not an independent actor," ThreatConnect said.
Q: Who gave the stolen DNC emails to WikiLeaks?
A: WikiLeaks won't say. "We never identity our sources," it wrote Wednesday in a tweet. WikiLeaks founder Julian Assange has said in television interviews there is no proof Russia was behind the hack and has promised that more material was on its way. He has also declined to say how WikiLeaks got the documents and would not say whether Guccifer 2.0 was involved.
Q: If the U.S. government decides Russia is responsible, will it go public with that conclusion?
A: Probably yes, if past is any precedent.
The Obama administration's inclination in the last few years has been to "name and shame" foreign governments believed to be responsible for attacks on American corporations and infrastructure. Federal officials have tied North Korea to the hack on Sony Pictures Entertainment, accused Chinese military officials of siphoning secrets from nuclear power and solar companies and indicted Iranian hackers in connection with a cyberattack on a small dam outside New York City.
Though foreign hackers may never see the inside of an American courtroom, Justice Department officials believe public attribution can function as an important deterrent.
Pointing the finger at Russia isn't as simple as blaming North Korea, given Russia's significant diplomatic clout and America's dependence on it for critical national security matters.
Even so, there will be pressure on the administration to make its findings known eventually.
"I would hope that when the administration feels comfortable with the attribution, they would be blamed, they would be shamed, they would potentially be indicted," Rep. Adam Schiff of California, the ranking Democrat on the House Intelligence Committee, said in an interview.