The Associated PressWASHINGTON (AP) — It was just before noon in Moscow on March 10, 2016, when the first volley of malicious messages hit the Hillary Clinton campaign.
The first 29 phishing emails were almost all misfires. Addressed to people who worked for Clinton during her first presidential run, the messages bounced back untouched. Except one.
Within nine days, some of the campaign’s most consequential secrets would be in the hackers’ hands, part of a massive operation aimed at vacuuming up millions of messages from thousands of inboxes across the world.
An Associated Press investigation into the digital break-ins that disrupted the U.S. presidential contest has sketched out an anatomy of the hack that led to months of damaging disclosures about the Democratic Party’s nominee.
While U.S. intelligence agencies have concluded that Russia was behind the email thefts, the AP drew on forensic data to report Thursday that the hackers known as Fancy Bear were closely aligned with the interests of the Russian government.
The AP’s reconstruction— based on a database of 19,000 malicious links recently shared by cybersecurity firm Secureworks — shows how the hackers worked their way around the Clinton campaign’s top-of-the-line digital security to steal chairman John Podesta’s emails in March 2016.
Defunct email used
One of the first people targeted was Rahul Sreenivasan, who had worked as a Clinton organizer in Texas in 2008 — his first paid job in politics. Sreenivasan, now a legislative staffer in Austin, was dumbfounded when told by the AP that hackers had tried to break into his 2008 email — an address he said had been dead for nearly a decade.
“They probably crawled the internet for this stuff,” he said.
Almost everyone else targeted in the initial wave was, like Sreenivasan, a 2008 staffer whose defunct email address had somehow lingered online.
But one email made its way to the account of another staffer who’d worked for Clinton in 2008 and joined again in 2016, the AP found. It’s possible the hackers broke in and stole her contacts; the data shows the phishing links sent to her were clicked several times.
Within hours of a second volley emailed March 11, the hackers hit pay dirt. All of a sudden, they were sending links aimed at senior Clinton officials’ nonpublic 2016 addresses, including those belonging to longtime Clinton aide Robert Russo and campaign chairman John Podesta.
Two-factor authentication may have slowed the hackers, but it didn’t stop them. After repeated attempts to break into various staffers’ hillaryclinton.com accounts, the hackers turned to the personal Gmail addresses. It was there on March 19 that they targeted top Clinton lieutenants — including campaign manager Robby Mook, senior adviser Jake Sullivan and political fixer Philippe Reines.
A malicious link was generated for Podesta at 11:28 a.m. Moscow time, the AP found. Documents subsequently published by WikiLeaks show that the rogue email arrived in his inbox six minutes later. The link was clicked twice.
Podesta’s messages — at least 50,000 of them — were in the hackers’ hands.
Though the heart of the campaign was now compromised, the hacking efforts continued. Three new volleys of malicious messages were generated on the 22nd, 23rd and 25th of March, targeting communications director Jennifer Palmieri and Clinton confidante Huma Abedin, among others.
The torrent of phishing emails caught the attention of the FBI, which had spent the previous six months urging the Democratic National Committee in Washington to raise its shield against suspected Russian hacking. In late March, FBI agents paid a visit to Clinton’s Brooklyn headquarters, where they were received warily, given the agency’s investigation into the candidate’s use of a private email server while secretary of state.
The phishing messages also caught the attention of Secureworks, a subsidiary of Dell Technologies, which had been following Fancy Bear, whom Secureworks codenamed Iron Twilight.
Fancy Bear had made a critical mistake.
It was late March when Secureworks discovered the hackers were going after Democrats.
By early April Fancy Bear was getting increasingly aggressive, the AP found. More than 60 bogus emails were prepared for Clinton campaign and DNC staffers on April 6 alone, and the hackers began hunting for Democrats beyond New York and Washington, targeting the digital communications director for Pennsylvania Gov. Tom Wolf and a deputy director in the office of Chicago Mayor Rahm Emanuel.
Employees at several organizations connected to the Democrats were targeted, including the Clinton Foundation, the Center for American Progress, technology provider NGP VAN, campaign strategy firm 270 Strategies, and partisan news outlet Shareblue Media.
As the hacking intensified, other elements swung into place. On April 12, 2016, someone paid $37 worth of bitcoin to the Romanian web hosting company THCServers.com , to reserve a website called Electionleaks.com, according to transaction records obtained by AP. A botched registration meant the site never got off the ground, but the records show THC received a nearly identical payment a week later to create DCLeaks.com.
On Tuesday, June 14, the Democrats went public with the allegation that their computers had been compromised by Russian state-backed hackers, including Fancy Bear.
Shortly after noon the next day, William Bastone, the editor-in-chief of investigative news site The Smoking Gun, got an email bearing a small cache of documents marked “CONFIDENTIAL.”
“Hi,” the message said. “This is Guccifer 2.0 and this is me who hacked Democratic National Committee.”
Guccifer 2.0 acted as a kind of master of ceremonies during the summer of leaks, proclaiming that the DNC’s stolen documents were in WikiLeaks’ hands, publishing a selection of the material himself and constantly chatting up journalists over Twitter in a bid to keep the story in the press.
Later that month Guccifer 2.0 began directing reporters to the newly launched DCLeaks site, which was also dribbling out stolen material on Democrats.
Guccifer 2.0, WikiLeaks and DCLeaks ultimately published more than 150,000 emails stolen from more than a dozen Democrats, according to an AP count.
All three leak-branded sites have distanced themselves from Moscow. DCLeaks claimed to be run by American hacktivists. WikiLeaks said Russia wasn’t its source. Guccifer 2.0 claimed to be Romanian.