One late morning in May 2016, the leaders of the Democratic National Committee huddled around a packed conference table and stared at Robert Johnston. The former Marine Corps captain gave his briefing with unemotional military precision, but what he said was so unnerving that a high-level DNC official curled up in a ball on her conference room chair as if watching a horror movie.
At 30, Johnston was already an accomplished digital detective who had just left the military's elite Cyber Command, where he had helped stanch a Russian hack on the US military's top leadership. Now, working for a private cybersecurity company, he had to brief the DNC, which was in the middle of a white-knuckle presidential campaign, about what he'd found in the organization's computer networks.
Their reaction was "pure shock," Johnston recalled. "It was their worst day."
Although the broad outlines of the DNC hack are now well-known, its details have remained mysterious, sparking sharp and persistent questions. How did the DNC miss the hack? Why did a private security consultant, rather than the FBI, examine its servers? And how did the DNC find Johnston's firm, CrowdStrike, in the first place?
Johnston's account, told here for the first time and substantiated in interviews with 15 sources at the FBI, the DNC, and the Defense Department, resolves some of those questions while adding new information about the hack itself.
A political outsider who got the job essentially at random (the DNC literally called up CrowdStrike's sales desk), Johnston was the lead investigator who determined the nature and scope of the hack, one he described less as a stealth burglary than as a brazen ransacking. Despite his central role, Johnston has never talked with investigators probing Russian interference, let alone with the media. But to people dealing with the crisis, "He was indispensable," as a source close to the DNC put it.
Johnston was also largely on his own. The party had hired CrowdStrike essentially in place of the FBI; to this day, the Bureau has not had access to the DNC's servers. DNC officials said they made the eyebrow-raising choice to go with a private firm because they were worried they'd lose control of their operations right in the middle of the campaign. Not only that, but the FBI was investigating Hillary Clinton's use of a private email server. Better, the DNC figured, to handle things privately.
It was a decision that could cast a shadow of doubt over the investigation, even though cybersecurity experts have widely accepted Johnston's main findings.
In the conference room that day, as he unveiled his findings to Democratic Party officials and lawyers, then-chair Debbie Wasserman Schultz listened in via speakerphone. Johnston told them that their computer systems had been fully compromised, not just by one attack but by two. Malware from the first attack had been festering in the DNC's system for a whole year. The second infiltration was only a couple of months old. Both sets of malware were associated with Russian intelligence.
Most disturbing: The hackers had been gathering copies of all emails and sending them out to someone, somewhere. Every single email that every DNC staffer typed had been spied on. Every word, every joke, every syllable.
There was still no warning that Russia might try to interfere on Donald Trump's behalf. So the DNC officials hammered Johnston with questions: What could happen with all their information? All that stolen data? What could the computer hackers do with it?
Johnston didn’t know. The FBI didn’t know.
The answers would come when the stolen emails were published by WikiLeaks in a series of devastating, carefully timed leaks. And the implications of what Johnston had found would come later, too: The Russian government may have been actively working against Hillary Clinton to help elect Donald Trump.
Growing up, Johnston was a jock, not a cybergeek. He wrestled for his high school in Satellite Beach, Florida, in the 165-pound weight class. As a teenager, one of his unusual hobbies was picking locks with paper clips and hairpins.
He had stellar grades, and he was admitted into the Naval Academy in Annapolis, Maryland, in 2004. "I never tinkered with computers," he said. "I entered the Naval Academy as a wrestler, and that's all I cared about."
The only reason he ended up on the front lines against Russian hackers is that during his second semester he was required to choose a major, and he chose computer science because it was "marketable." At first, he found it boring. Then, during his junior year, he took a computer security class. It changed his life.
The discipline of white-hat hacking, he said, was a bit like picking locks, back when he was a teenager. "This was like doing it with computers," Johnston said. "We could learn how to break into computers, how to investigate, do forensics. It just interested me right away. Right then and there I wanted to do anything and everything cyber."
Johnston graduated from the Naval Academy in 2008 and was commissioned as a second lieutenant in the Marine Corps, just when some branches of the military started to see cyber as the new battlespace. To "fly, fight and win," an Air Force mission statement from the time boasted, "in air, space and cyberspace."
But "the Marine Corps mindset," with its proud emphasis on aggressive tactics, "hadn't changed yet," Johnston said. And that, paradoxically, made it a perfect place for him to learn and gain rank in the cyberworld. "Ascension was easy because nobody wanted to go into these jobs. They didn't really understand that cyber was a battleground."
He directed the Marine Corps Red Team, which tries to hack into the Corps' computers to test its defenses. He was surprised how many well-trained military personnel fell for fake attacks. Right after the Snowden leaks in 2013, he said, the team sent a test to 5,000 people in the military: a phishing email, one that tries to trick recipients into clicking on a link, which installs malware. The subject line was: "SEAL team six conducts an operation that kills Edward Snowden."
"We actually had to shut down the operation," he said. "The phishing attack was too successful. The click rate was through the roof."
In the spring of 2015, Johnston was a captain in the Marine Corps leading the newly formed Cyber Protection Team 81, based near the NSA at Fort Meade, Maryland, as part of the military's Cyber Command, or Cybercom.
On a Saturday around 2 a.m., Johnston received a call on his cell phone from his commanding officer. "The major said, 'How fast can your guys be back in DC?'" Johnston recalled. "'Tell them to meet at the Pentagon and you'll find out more there.'"
A malware attack against the Pentagon had reached the unclassified computers of the Joint Chiefs of Staff, the military's top brass who advise the president. The malware had spread fast: in just five hours, it had compromised all five of the chairs' laptops and all three of the vice chairs' laptops and desktop computers.
Soon, Johnston and the others identified the malware. It was associated with APT 29, for "advanced persistent threat," a hacker group widely believed at the time to be linked to the FSB, Russia's federal security service.
Johnston said the phishing campaign against the Joint Chiefs stood out. Usually, he said of Russian hackers, "their operations are very surgical. They might send 5 phishing emails, but they're very well-crafted and very, very targeted." But this time it was a broadside. "The target list was, like, 50 to 60,000 people around the world. They hit them all at once." It's rare, he said, for "an intel service to be so noisy."
By "noisy," he means that the attackers were drawing a huge amount of attention, sending out 50,000 phishing emails, as if they didn't care that anyone knew what they were doing.
Along with Johnston and his military cyber team, NSA employees and contractors from McAfee and Microsoft were also on site, working on the hack, wiping the system and rebuilding it. Johnston and his team worked around the clock, in two shifts. "Host forensics guys are finding malware, handing it to the malware reverse engineering team who's reversing it, finding network indicators, giving it to the network guys," he recalled. "Network guys are scoping, finding out where else they are, and tracking down all the compromised machines."
Johnston's team concluded that the Russian hackers took some nonclassified emails and some other information, but not a lot. The biggest challenge after containing a breach of that magnitude, he said, is that you can never be 100% sure that the hackers have been "kicked out" of the system.
Retired Lt. Gen. Mark Bowman, who oversaw cyber at the Joint Chiefs at the time, worked closely with Johnston on the operation. He told BuzzFeed News, "We had to build the network back from bare metal. Watching Robert and his team do that was unbelievable. This guy flat-out amazed me."
Still, the mission was a big one for Cybercom, and Johnston felt like he had hit a career "home run."
He left the Marine Corps as a captain, and in November 2015 he signed up to work for CrowdStrike, a well-known cyberprotection company whose president, Shawn Henry, is a former head of the FBI's Cyber Division. CrowdStrike declined to comment about Johnston's work.
Johnston didn't know it, but in September 2015, as he was getting ready to leave the Marines, the NSA informed the FBI that DNC computers had likely been hacked, three sources said. An FBI agent then called the DNC's IT office and said that the organization's servers had been compromised.
That part of the story has been told: how little was done for seven months. The FBI periodically tried to get in touch with the organization, but the DNC did not believe the threat was real.
Finally, in April, the DNC IT department became convinced that there was a problem, and top Democratic officials became worried. But even then, they didn't call the FBI. They called the sales desk at CrowdStrike. (Last week, lawyers for BuzzFeed subpoenaed both the DNC and CrowdStrike for information about the hack and the investigation into it. The subpoena was not related to this story but to a libel suit filed by a Russian businessman named in the Trump dossier published by BuzzFeed News in January.)
At CrowdStrike, the case was assigned to Johnston, new to the company but with battle-tested skills, who soon ended up on the phone with the DNC IT chief.
"The FBI thinks we have a problem, something called 'Dukes,'" Johnston said the IT employee told him. The Dukes is another name for APT 29, the hackers whom Johnston had battled before, at the Joint Chiefs.
Johnston sent the DNC a script to run on all its servers, and then collected the output. To an outsider it might have looked like a tedious job to examine long strings of data. But within an hour Johnston had it: an unmistakable string of computer code, sabotage, that didn't belong in the system. It was "executable file paths," evidence of programs, that didn't belong there. They stood out like a shiny wrench left in a car engine.
And in fact, Johnston had seen that particular piece of code before, back when he was at the Pentagon. So it was easy to recognize this nemesis. He knew who had sent it by the telltale signatures. "This was APT 29," he said. Later, when he had spent more time analyzing the DNC hack, he would come to believe that the Democrats had been compromised by the same blast of 50,000 or so phishing emails that had breached the computers of the Joint Chiefs.
When he briefed the DNC in that conference room, Johnston presented a report that basically said, "They've balled up data and stolen it." But the political officials were hardly experienced in the world of intelligence. They were not just horrified but puzzled. "They're looking at me," Johnston recalled, "and they're asking, 'What are they going to do with the data that was taken?'"
Back then, no one knew. In addition to APT 29, another hacking group had launched malware into the DNC's system. Called APT 28, it's also associated with Russian intelligence. Andrei Soldatov, a Russian investigative journalist and security expert, said it's not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack.
So, Johnston said, "I start thinking back to all of these previous hacks by Russia and other adversaries like China. I think back to the Joint Chiefs hack. What did they do with that data? Nothing. They took the information for espionage purposes. They didn't leak it to WikiLeaks."
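The host-survey step described above (a script run on every server, the output pulled back centrally, then searched for executable paths that do not belong) can be sketched in a few dozen lines. What follows is an added example for this page, not CrowdStrike's script or Johnston's actual output: the survey format, host names, directory baseline, the indicator glob and its ID are all constructed for illustration and are not real APT 29 indicators.

```python
"""Triage executable paths collected from many hosts against a baseline
and a list of path-based indicators.

Added example for the host-survey step described in the article. The survey
format, host names, baseline directories and the indicator glob are all
constructed for this illustration; they are not CrowdStrike's tooling and
not real APT29 indicators.
"""
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import Optional

# Constructed survey output, one "hostname<TAB>path" line per executable seen.
# A real collector would also record hashes, signer and timestamps.
SURVEY = """\
dc-web01\tC:\\Windows\\System32\\svchost.exe
dc-web01\tC:\\Program Files\\Common Files\\System\\ado\\msado15.dll
dc-web01\tC:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\svchost.exe
dc-mail02\tC:\\Windows\\System32\\lsass.exe
dc-mail02\tC:\\ProgramData\\update\\VmUpgradeHelper.exe
dc-mail02\tC:\\Windows\\Temp\\~tmp4f2a.exe
dc-file03\tC:\\Windows\\SysWOW64\\cmd.exe
dc-file03\tC:\\Program Files (x86)\\Vendor\\agent.exe
"""

# Directories where executables are expected on this (constructed) fleet.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
EXPECTED_DIRS = SYSTEM_DIRS + (r"c:\program files", r"c:\program files (x86)")

# Hypothetical known-bad path indicators as lower-case globs.
# The glob and the ID are placeholders, not published indicators.
KNOWN_BAD_GLOBS = {r"c:\programdata\update\*.exe": "HYPOTHETICAL-IOC-001"}

# Core Windows binaries whose names malware commonly reuses when dropped
# outside the system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    reason: str
    severity: str


def normalize(path: str) -> str:
    """Lower-case and collapse separators so prefix and glob checks are stable."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under(path: str, dirs) -> bool:
    """True if the normalized path sits below any directory in dirs."""
    return any(path.startswith(d + "\\") for d in dirs)


def classify(host: str, raw_path: str) -> Optional[Finding]:
    """Return a Finding for a path that does not belong, else None.

    Checks in decreasing order of confidence: known-bad indicator match,
    a system binary name outside the system directories (masquerading),
    then any executable outside every expected directory.
    """
    path = normalize(raw_path)
    name = ntpath.basename(path)
    for glob, ioc_id in KNOWN_BAD_GLOBS.items():
        if fnmatch.fnmatchcase(path, glob):
            return Finding(host, raw_path, f"matches indicator {ioc_id}", "high")
    if name in SYSTEM_BINARIES and not _under(path, SYSTEM_DIRS):
        return Finding(host, raw_path, f"{name} outside system directories", "high")
    if not _under(path, EXPECTED_DIRS):
        return Finding(host, raw_path, "executable outside expected directories", "medium")
    return None


def triage(survey: str) -> list:
    """Parse the survey text and return every Finding, in survey order."""
    findings = []
    for line in survey.splitlines():
        if not line.strip() or "\t" not in line:
            continue  # skip blank or malformed collector lines
        host, raw_path = line.split("\t", 1)
        finding = classify(host.strip(), raw_path.strip())
        if finding:
            findings.append(finding)
    return findings


def hosts_hit(findings) -> dict:
    """Count findings per host: the scoping view responders want first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SURVEY)
    for f in results:
        print(f"[{f.severity}] {f.host}: {f.path}  ({f.reason})")
    print(hosts_hit(results))
```

Two caveats a responder would attach to this. Path-based indicators are the weakest kind of signature: the allowlist check only catches executables dropped outside expected directories, so a trojanized binary sitting in System32 passes, and the masquerade check only works for names on the list. In practice the next step is hashing every flagged and unflagged binary, checking signers, and diffing each host against a known-good build, which is what makes the "scoping" phase Johnston describes possible.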
So, Johnston recalled, that's what he told the DNC in May 2016: Such thefts have become the norm, and the hackers did not plan on doing anything with what they had purloined.
Johnston kicks himself about that now. "I take responsibility for that piece," he said.
The DNC and CrowdStrike, now working with the FBI, tried to remove all remaining malware and contain the problem. And they decided on a public relations strategy. How could the DNC control the message? "Nothing of that magnitude stays quiet in the realm of politics," Johnston said. "We needed to get in front of it." So, Johnston said, in a story confirmed by DNC officials, CrowdStrike and the DNC decided to give the story to the Washington Post, which on June 14, 2016, published the story: "Russian government hackers penetrated DNC, stole opposition research on Trump." "I thought it was a smart move," Johnston said.
But it may have backfired.
One day after the Post article, a Twitter user going by the name Guccifer 2.0 claimed responsibility for the hack and posted to the internet materials purportedly stolen from the DNC's server.
Johnston thinks the Washington Post story changed the tactics of the cyberattackers. "We accelerated their timeline. I believe now that they were intending to release the information in late October or a week before the election," he said. But then they realized that "we discovered who they were. I don't think the Russian intelligence services were expecting it, expecting a statement and an article that pointed the finger at them."
A month later, in late July 2016, WikiLeaks began to release thousands of emails hacked from the DNC server. Those leaks, intelligence officials would say, were carefully engineered and timed.
The stolen emails wreaked havoc. Wasserman Schultz, then the chair of the DNC, was replaced by Donna Brazile, who just published a new book, Hacks, about the Russian break-in at the DNC.
"CrowdStrike did a remarkable job helping the DNC remediate our system post hacking. Sadly, we should have known more, but that's all part of history," Brazile told BuzzFeed News.
Johnston wrapped up his work with the DNC in July 2016. He also left CrowdStrike and started his own cybersecurity firm, Adlumin, based in Washington, DC.
He's well aware of the grim fact that it was his analysis that helped lay the groundwork that would eventually lead to the investigation by special counsel Robert Mueller, to multiple probes on Capitol Hill, and to the findings about Russia's intervention on Facebook and Twitter. If the DNC hack hadn't been traced to Russia, much of that might never have emerged.
Johnston has managed to maintain a low profile for the last year and a half, even as Washington has obsessed over Trump and Russia. He hasn't been in hiding, he said. Over a steak and Scotch at a DC restaurant, he said he just hadn't talked about it for a simple reason: No one asked him to. ●
Jason Leopold is a senior investigative reporter for BuzzFeed News and is based in LA. Recipient: IRE 2016 FOI award; Newseum Institute National Freedom of Information Hall of Fame. PGP fingerprint 46DB 0712 284B 8C6E 40FF 7A1B D3CD 5720 694B 16F0. Contact this reporter at email@example.com