Cyber Security

How Is Russia Hacking Our Election? An Explainer

And why does it look like WikiLeaks is helping?

Oct 15, 2016 at 1:05 PM ET

Since late spring, a specter has loomed over the U.S. election: that Russian government hackers were trying to influence it.

It’s clear that someone out there doesn’t mind seeing the Democratic party burn. The party admitted in June that it had been severely hacked. The evidence quickly became public: Files from DNC servers have steadily leaked ever since, and the party has yet to point to evidence that any have been falsified.

Why isn’t it universally accepted that Russia’s trying to hack the Democratic Party?

It’s true: To date, there’s no public, indisputable evidence of such attacks. But that’s in part due to the nature of major hacks in general. Unless a hacker is extremely sloppy or openly admits what they’ve done and shows their work, it’s extremely difficult to pin down a culprit for any cyberattack.

But that doesn’t mean such attacks are a total black box. Researchers who study numerous major cyberattacks categorize them by a number of factors, like how they enter a network and how they act once they’ve breached it. They look for threat patterns, and often designate a group that follows an established profile as an Advanced Persistent Threat, followed by a number. CrowdStrike, the cybersecurity firm hired by the DNC when it suspected a breach, discovered not one but two distinct groups in those servers. It found them consistent with APT 28 and 29, both of which have been active for years, and both of which have previously been tied to the Russian government.

In October, after plenty of unofficial comments to the press, federal authorities who had examined the DNC’s servers announced they’d come to the same general conclusion. Though they didn’t share their methodology or specifically name an APT, the Department of Homeland Security and the office of the U.S. Director of National Intelligence — which oversees the NSA, CIA, and FBI — announced they agreed with CrowdStrike’s general conclusion that the DNC hackers were indeed from the Russian government. That’s a big deal: The government rarely addresses cyberattacks from nation-state actors.

It’s worth noting that some cybersecurity experts caution they don’t take the government at its word that it has enough evidence to blame Russia, and fear that openly accusing them would needlessly escalate tensions between the countries.

Why didn’t Russia target the GOP?

They probably did. The GOP hasn’t announced a major breach, but multiple Republicans have reportedly been targeted for hacks. But either the hack wasn’t as severe, or those hackers were less interested in making the content public, or both.

Is Russia hacking our political parties unprecedented?

Absolutely not. Spy agencies exist for a reason, and countries hack each other for intelligence all the time. As documents provided by former NSA employee Edward Snowden showed, the U.S.’s NSA routinely hacks its own allies — Germany, for instance — to stay informed. It’s probably safe to assume the U.S. has a lot of intelligence on Russian politics, too.

What’s different here is that the information is leaked, and in a manner that appears to try to harm the Democrats specifically.

Who’s leaking this DNC information?

There are three main groups here: Guccifer 2.0, DC Leaks, and WikiLeaks.

Guccifer 2.0 — no connection with Guccifer, the pseudonym of Marcel Lazar, the Romanian hacker arrested for getting into a number of American political figures’ AOL accounts in 2013 — appeared online in June, one day after CrowdStrike announced its findings. Using both a Twitter and WordPress account, he began sending out authentic DNC documents and asking the press to write about them.

From the start, Guccifer 2.0 claimed to be an independent Romanian hacker with no political agenda except to expose the powerful. But there are a number of holes in that story. He seemed unable to speak Romanian, linguists found his speech patterns to be Russian, and cybersecurity experts found his attempts to explain how he had hacked the DNC nonsensical. Later, as Guccifer 2.0 began leaking state-specific files on various Democratic candidates, he claimed he was picking states based on requests from his “fans.” But a Vocativ analysis showed that he was actually ignoring his fans’ requests and leaking swing states instead.

Guccifer 2.0 has repeatedly claimed these files showed evidence of the Democrats somehow unduly influencing elections — “the congressional primaries are also becoming a farce,” he wrote at one point — but to date, the leaks have been mundane. They largely consist of third-party research on various congressional races, like who the likely Democratic and Republican candidates will be for a given district, that district’s demographic makeup, and which issues those candidates are expected to highlight while campaigning.

DC Leaks has received considerably less attention. It has released a hodgepodge of political information from hacked individual accounts, including hacked emails from former Secretary of State Colin Powell and aides to Hillary Clinton. According to the DHS and DNI, the material released by both DC Leaks and Guccifer 2.0 was hacked by the Russian government.

WikiLeaks has, in recent months, published huge caches of stolen DNC information and emails from Clinton aides. Despite some conspiracy theories and the fact that he once syndicated a video show to the government-owned Russia Today, there’s no evidence that founder Julian Assange has direct ties to Russia. He does, however, have a longstanding and open hatred of Clinton.

Per its own policy, WikiLeaks refuses to name its sources. But there’s ample evidence that its material comes from those same Russian government sources. Not only does it consist of files from the DNC and hacked emails from Clinton aides, but both the Guccifer 2.0 and DC Leaks personas openly support WikiLeaks. Guccifer 2.0 even openly claimed to be WikiLeaks’ source, a claim the official WikiLeaks Twitter account retweeted.

Why would Russia prefer Trump to Hillary?

Russia has, for its part, denied it’s behind these attacks — though Russian president Vladimir Putin has praised them — so there’s no clear indication of a motive. The U.S. statement does not blame a rogue Russian agency, but insists such a decision would have come from “senior-most officials.”

You can take your pick of possible reasons why. Trump has long praised Putin as a strong leader, has had substantial business ties to Russia, and has employed advisors with Russian ties.

Clinton, on the other hand, made a concentrated effort to encourage Russians to vote against Putin back in 2011, when she was Secretary of State. Putin reportedly took it personally at the time.

How will the U.S. respond?

That remains to be seen, but it might be big. A world superpower using standard intelligence gathering techniques to nakedly try to influence another superpower’s election is new territory. The U.S. is normally extremely secretive with its own cyberattacks, and its response to Russia may not be made public for a long time. The White House has vaguely said it will respond “at a time and place of our choosing.” 

But according to a new report, it’s already happening. Multiple current and former CIA officers told NBC News that the agency has been working on a large-scale effort to “embarrass” Putin and the Kremlin, though it’s not clear exactly what form such an operation would take.