Pages

20 July 2018

Tracing Guccifer 2.0’s Many Tentacles in the 2016 Election

By David E. Sanger, Jim Rutenberg and Eric Lipton

The message from WikiLeaks in July 2016 to a group of Russian intelligence officers who prosecutors say were posing as a Romanian hacker named Guccifer 2.0 urged swift action before the opening of the Democratic National Convention that month. “If you have anything hillary related we want it in the next tweo days prefable because the DNC is approaching,” the error-ridden message read. “and she will solidify bernie supporters behind her after.” WikiLeaks had begun seeking stolen files from Guccifer 2.0 weeks earlier, after revelations that the Democratic National Committee’s server had been hacked, according to private messages cited in an indictment filed Friday by the special counsel, Robert S. Mueller III. The organization had told Guccifer that publishing the stolen material on the WikiLeaks site will “have a much higher impact than what you are doing.”

But WikiLeaks’ administrators, including Julian Assange, its founder, did not know what was in the trove — they were simply seeking anything that would widen the divisions inside the party between supporters of Hillary Clinton and those of Bernie Sanders, the Vermont senator who had also sought the nomination.

The exchange offers a new look at the central role of Guccifer 2.0, the digital persona alleged to have been set up by Russian military intelligence, which passed the stolen Democratic documents and misinformation to WikiLeaks and some Americans, who then spread it through social media and news organizations.

The indictment provides never-before-seen detail of how the Russian cyberspies operated, based on intercepts that had to have come from American, British or Dutch intelligence, interviews in recent months show. All three eventually got into the Russian networks, but it was the British who had first warned the National Security Agency that they were seeing the D.N.C.’s messages running through communications lines controlled by the Russian military intelligence service, called the G.R.U.

When Guccifer 2.0 appeared, many experts suspected it was an avatar for members of an elite military cyberunit operating from Moscow. The indictment documented the evidence against 12 Russian officials, mostly military officers, who were charged with conspiracy to influence the 2016 presidential election.

Those charges loom over President Trump’s meeting on Monday with Vladimir V. Putin, who American intelligence officials say launched and oversaw the operation to interfere in the election. A year ago, when the men met for the first time, the Russian leader insisted that Russia had nothing to do with the attacks, telling Mr. Trump, as he later related to a reporter, “If we did, we wouldn’t have gotten caught, because we’re professionals.”

INTERNATIONAL By Christoph Koettl, Natalie Reneau and Barbara Marcolini 3:16From Mind Games to Election Hacking: Russia’s Trolling Tactics Explained

Cyberattacks. “Little green men.” Frozen conflicts. These are just a few of the tactics Russia and its leader, Vladimir V. Putin, have used to try to disrupt the world order.Published OnJuly 15, 2018

Mr. Trump said, “I thought that was a good point because they are some of the best in the world.” Now, he meets Mr. Putin again just after prosecutors issued an unusually detailed account of the Russian military officers’ role in the hacks.

The effort by the team that posed as Guccifer to disseminate the fruits of the audacious cyberattack shows how aggressively the Russian operatives worked in 2016 to interfere with the presidential election. They showed dexterity in navigating their way through the national political debate and an increasingly sophisticated understanding of American electoral politics.

In addition to WikiLeaks, the Russians made contact with Americans who held sway both in Republican circles and with Mr. Trump, the indictment says. It does not assert that the Americans knew that Guccifer 2.0 was a creation of Russian spies.

Those figures included Roger J. Stone Jr., the longtime Trump friend who exchanged messages with Guccifer during the campaign but said in an interview on Saturday that he did not believe at the time that Russian state actors were behind it. “I originally thought he was a Romanian hacker because that’s what he claimed to be,” Mr. Stone said.

There was Lee Stranahan, who is now a co-host of “Fault Lines” on the Russian-owned Sputnik radio network but back then was at Breitbart News, whose chief during that period, Stephen K. Bannon, joined Mr. Trump’s campaign that August.

The indictment mentions that Guccifer 2.0 had sent some documents to a lobbyist in Florida, which had been previously reported. But it also reveals that a congressional candidate whom it did not name connected with the operatives, looking for stolen documents about a political opponent, which were then sent.

Using Guccifer 2.0 as their main means of communication, the Russian agents had regular contact with both conservative and mainstream journalists, the indictment said. In one case, it said, the Russians gave an unidentified reporter a password to view documents. The Smoking Gun said in a Twitter message that it was the “reporter” in the reference. In another case, according to the indictment, the Russians conferred with a writer about the timing of one planned leak; Mr. Stranahan announced on Twitter that he was the writer, then at Breitbart.

Suspicions that Guccifer 2.0 was of Russian provenance surfaced from the moment it was created. The avatar brazenly engaged on questions about its origins and its work with journalists at BuzzFeed, Vice and The Wall Street Journal, telling The Journal in September 2016 that the accusation “made me angry.” Nonetheless, the suspicions never seemed to have interfered with its mission.

The G.R.U. was no newcomer to attacks in the United States: It had been central to previous thefts of emails from the unclassified systems at the State Department, the White House and, later, the Joint Chiefs of Staff.

“Anybody who was sophisticated about Russian behavior immediately spotted what this was — it was not like you needed forensic data or any real insight,” said Andrew S. Weiss, a Russia specialist at the Carnegie Endowment for International Peace and a former staff member of the National Security Council.

The indictment fills in several critical gaps in the sequence of events that unfolded after the electronic break-in at the D.N.C. and its partner group, the Democratic Congressional Campaign Committee, which helps elect House Democrats.

Top D.N.C. executives, emails previously obtained by The New York Times show, knew by April 19, 2016, that the D.N.C. system had been compromised. The committee’s lawyers that day discussed plans to meet with senior staff members who were aware of the hack, some of whom had already alerted the F.B.I.

But just three days later — as the D.N.C. was scrambling to try to contain the attack — the conspirators procured gigabytes of data, including so-called opposition research, the indictment said. That suggests that the worst of the hack occurred even after the committee knew that its systems had been breached.

Guccifer 2.0 made its first public appearance two months later, on June 15, just days after the last Republican primaries. On its newly created website, the Guccifer persona announced it was releasing “just a few docs from many thousands I extracted when hacking into DNC’s network.” The new blog post included the Democratic Party’s secret research dossier on Mr. Trump.

The name Guccifer 2.0 echoed that used by the Romanian hacker Marcel-Lehel Lazar, who, under the original Guccifer handle in 2013, hacked and then released emails from the Bush family, Colin Powell and Sidney Blumenthal, an informal adviser to Mrs. Clinton. Mr. Lazar, who is now in prison, said he came up with his handle by combining the words “Gucci” and “Lucifer.”

Five days after the first Guccifer 2.0 blog post, the military unit believed to be behind it sent out its first message under its connected Twitter account: “Hi! I’m on Twitter now! this is my official account!”

By June 22, Guccifer was encouraging anyone to communicate directly with its hacker avatar — and, as the indictment shows, it immediately drew in a host of Americans with influence in the media and Republican politics.

Some of the cache was particularly valuable because it included reports that the Democrats had compiled on vulnerabilities involving their own candidates — a due-diligence check to bolster their defenses — and never intended to make public.

In mid-August, the indictment noted, Guccifer 2.0 received a request for stolen documents from a candidate for Congress. The Russian intelligence operatives, it said, responded by sending the information about the candidate’s rival.

Stolen material from Democrats related to their House candidates from 2016 was passed out in states including Florida, Pennsylvania, New Hampshire, Ohio, Illinois, New Mexico and North Carolina.

In one case, a Republican lobbyist from Florida reached out to Guccifer, according to Aug. 22, 2016, text messages previously obtained by The Times. The lobbyist, Aaron Nevins, runs a website called HelloFLA! and was preparing to post some of the stolen documents.

In a later exchange, Mr. Nevins, who uses the pen name Mark Miewurd, wrote: “Let’s do an interview.”

“I’m not sure anyone has written about your motivation,” he wrote, before adding that “the democrats say you are a russian operative, what do you say to that?” He got no specific response, according to messages he shared with The Times.

The same day in mid-August that Mr. Nevins received material from Guccifer 2.0, he started to post it to his blog, boasting that he had exclusive access to once-confidential Democratic Party voter turnout models and weakness assessments of the party’s Florida candidates.



Guccifer 2.0’s Twitter account in September 2016 forwarded one of Mr. Nevins’s blog posts detailing the Florida voter turnout modeling to someone the indictment called “a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump.” In a direct message, the Guccifer account wrote: “What do you think of the info on the turnout model for the democrats entire presidential campaign.”

That person was Mr. Stone, an informal adviser to Mr. Trump and a prominent Republican operative who has long reveled in being called a “dirty trickster.” After receiving the message about the turnout model, Mr. Stone wrote back that he was unimpressed: “pretty standard.”

Mr. Stone was in contact with Guccifer 2.0 as of at least mid-August 2016, when he sent a direct message on Twitter congratulating it on overcoming a temporary suspension. (A Twitter spokesman said Saturday it had now shut the account down.)

“Thank you for writing back,” Guccifer 2.0 wrote to Mr. Stone. “Do you find anyting interesting in the docs i posted?” The exchange, which Mr. Stone had publicly shared in March 2017, showed that he then asked Guccifer to retweet an article he had written for The Hill titled “How the Election Can Be Rigged Against Donald Trump,” a request Guccifer said it fulfilled.

Justice Department officials said Friday that they were not alleging that Mr. Stone knew he was communicating with Russian intelligence officers.

Mr. Stone said on Saturday that he eventually concluded that the D.N.C. had not been hacked and that its emails had been stolen by an insider — something Guccifer 2.0 alleged in pointing to conspiracy theories that the hack involved a murdered Democratic National Committee staff member.

Mr. Stone described his interactions with Guccifer as “pretty innocuous,” noting that after the account “sent me some voter model which evidently they sent to a number of people, I looked at it and said ‘pretty standard stuff’ and didn’t pass it on to anybody.”

The avatar was particularly complimentary to Mr. Stone, telling him at one point, “Please tell me if i can help u anyway … it would be a great pleasure to me.”

That was in keeping with the chummy and sometimes self-deprecating personality that the Russian military operatives gave Guccifer 2.0 as they sought, according to prosecutors, to use it to build relationships with Americans.

“Hi man, how’s life,” it said by way of introduction in a direct message to Mr. Stranahan. (Mr. Stranahan said in a video message over the weekend that he did not know of ties between Guccifer and Russian intelligence and is not convinced even now.)

The Daily Caller reported in late 2016 that after one Guccifer 2.0 lead did not live up to its initial billing, the purported Romanian hacker acknowledged in a direct Twitter message to the site that “he lacked the best news judgment and it was up to journalists to find the stories in his leaks.”

The Times needs your voice. We welcome your on-topic commentary, criticism and expertise. 

Maggie Haberman contributed reporting. Jaclyn Peiser contributed research.

No comments:

Post a Comment