Wikileaks dumped 19,252 emails and 8,034 attachments from the Democratic National Committee on Friday afternoon, three days before the start of the Democratic National Convention in Philadelphia. The emails span the period from January 2015 to May 2016 and have produced — within forty-eight hours of release — a sequence of political consequences including the resignation of DNC chairwoman Debbie Wasserman Schultz on Sunday and what is, as of this morning, an active discussion at every level of the United States political and journalism community about election interference. (Wikileaks DNC email release page)
The disclosure timing is the tactical detail that I want to write about, because it is a different attack pattern from the breaches I have been writing about for the last eighteen months. The DNC emails are not being dumped for commercial extortion (Sony 2014, Ashley Madison 2015), for ideological exposure of an industry (Hacking Team 2015, Panama Papers 2016), or for credential-stuffing fuel (LinkedIn 2012-resurfaced, MySpace, Tumblr). They are being released at a moment chosen for maximum disruption to a specific political event, with content curated and presented to produce a specific political reading. That is a different category of operation.
CrowdStrike's incident report, published on the 14th of June (crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee), attributes the DNC compromise to two distinct Russian state actors — Cozy Bear (APT29) and Fancy Bear (APT28). The two groups, on CrowdStrike's analysis, were both present in the network independently for some months before the discovery, neither group apparently aware of the other, and the compromise pattern matches a long catalogue of earlier attributed activity by both clusters. The Guccifer 2.0 persona, which appeared on a WordPress blog the day after CrowdStrike's report and claimed sole responsibility as a "lone Romanian hacker", is being treated by most serious analysts as a deliberate misattribution operation; the documents the persona has released carry Russian-language metadata, as multiple analyses including ThreatConnect's have noted. The technical metadata supports the misattribution reading. The political reading is more contested, will remain contested through the next few months, and is going to be the subject of formal US government attribution statements in due course.
The operational pattern is therefore: state-sponsored intrusion into a political-organisation network, exfiltration over a sustained period, then disclosure-as-information-operation timed and curated to produce a political effect. That triple — compromise, dwell, weaponised disclosure — is a category that the operational security community has anticipated for some time but has not, until this year, seen executed at this scale against a Western political target with this clarity of effect.
For the operational work, the lessons are layered. At the technical level, the CrowdStrike report describes both Cozy Bear and Fancy Bear's TTPs in detail, and those TTPs are present in the wild against many other targets — not just political ones, but think tanks, NGOs, journalist organisations, and the executive ranks of corporate entities with strategic relevance. Spear-phishing remains the primary initial-access vector. The implants are well-engineered and the operational tradecraft (legitimate cloud services for command and control, careful avoidance of high-noise techniques, patient lateral movement) is what one would expect from sustained state operations. The detection-engineering response has been documented in Mandiant and CrowdStrike materials, and incorporating it into customer detection rules is on this week's pad.
At the organisational level, the lesson is that organisations holding politically sensitive information — broadly defined — face a different threat-actor population than organisations holding only commercially sensitive information. The threat-actor population has different incentives, different timescales, different operational discipline, and different exit conditions. A criminal actor wants money and will leave when the take is sufficient. A state actor with an information-operation objective will dwell until the moment of maximum leverage. The defensive posture for the latter is more demanding and the patience required for operational adversary management is greater.
For the vCISO portfolio, the relevant question is which of the customer organisations face state-actor threat models. The honest answer is that several do, in ways that the customer-organisation board has not always appreciated. Browne Jacobson has client matters that touch on regulatory and policy issues at a level where state interest is not improbable. The manufacturing client has subsidiaries operating in jurisdictions with active state-cyber programmes. Towry's client base includes politically exposed persons whose data the firm holds in fiduciary capacity. The conversation I want to have at the next board cycles is not the standard "are you a target" conversation, but the more specific "what is the threat-actor population for whom your information is operationally valuable, and is your defensive posture matched to that population".
The wider concern is for the autumn US election cycle. The DNC release is, in the context of the campaign, a discrete event with discrete content. Whether it is the only such release before the November vote is the question that journalists, intelligence officials, and the campaigns themselves are asking, and the working assumption — at least in the conversations I have had with US-side colleagues this week — is that it is not. The information-operation playbook, having been demonstrated to work at this scale in this medium, will be reused. Whether any specific further release happens, what its content is, and how the political response evolves are the questions the next four months will answer.
I am writing this down because the pattern is going to be referenced in retrospect and I want a contemporaneous record of what I was thinking on the 25th of July 2016. The thing I am most struck by is the legitimacy question — who, if anyone, has the standing to opine on whether this kind of disclosure should be reported on, ignored, or actively suppressed by news organisations. The journalism profession has been working through that question in real time over the past five days, and the answer has not yet stabilised. Aaron Sorkin's New York Times piece on Sony two years ago argued for restraint. The current moment is, on the evidence so far, not arriving at the same answer. That difference is going to matter.