Moran Cerf, the host of Pop!Tech, left, discusses the DNC hacks with cyber expert Dmitri Alperovitch, right. (Photo by C. Parrish)

It took Dmitri Alperovitch and the CrowdStrike cybersecurity team a few minutes on May 6, 2016, to find two hacks into the Democratic National Committee computer network. They recognized one, Fancy Bear, as being affiliated with Russian military intelligence.

Alperovitch, co-founder of CrowdStrike, is an expert in detecting and stopping hacks that can undermine financial systems and governments.

Fancy Bear had been on the DNC system for a month.

Cozy Bear, another form of Russian malware, had been installed almost a year earlier, likely via a simple spear-phishing email with a link that looked official and, once clicked on, spread inside the network.

Neither was sophisticated. Once inside, the malware just hoovered up data and passed it on to a not-very-coordinated Russian intelligence system.

It was simple and effective.

The DNC data — or, at least some of it — would later be released to WikiLeaks, which would take the Russian bait and later release emails from the Clinton campaign.

America is living with the uncertainty that resulted.

Alperovitch was in Camden Saturday, October 21, to tell the Pop!Tech 2017 conference-goers the story behind the story of the hacks at the DNC and talk about other cybersecurity threats to the U.S.

America: Asleep at the Keyboard during the 2016 Presidential Campaign

In 2015, shortly after Cozy Bear was unleashed and started roaming around the DNC network, the hack was detected by the allied intelligence service monitoring Russian cyberespionage. They alerted U.S. intelligence, and the intel made its way to the FBI, who assigned an agent to contact the DNC.

“The FBI didn’t have a relationship with the DNC, so the agent called the main number and asked for the security guy,” Alperovitch told the Pop!Tech audience. “They didn’t have one. He was transferred to the help desk.”

The person who picked up the phone was not even a DNC employee. He was a contractor.

“He thought it was a prank call and literally hung up on the FBI agent,” said Alperovitch.

Apparently thinking he had done his job, the FBI agent moved on.

“Over time, the FBI kept calling the DNC, and the DNC kept ignoring them,” said Alperovitch. “It is sort of one of the ‘What ifs?’ in history that if they had listened in those days and done things to protect their network, it could have turned out differently.”

Cozy Bear had plenty of time to scoop up data at the DNC.

“Six or eight months later, the FBI finally sent an agent who flashed a badge,” said Alperovitch. That led to lawyers for the DNC contacting Alperovitch and the CrowdStrike team to come in and neutralize the cyber intruders.

How did the team know it was Russian intelligence and not a Romanian on a couch in his basement?

“We didn’t know at the time we were called in that it was the Russians,” said Alperovitch. “We were called in to do a health check of the DNC network and within minutes found the malicious code.”

Alperovitch recognized the malware right away.

“Attribution in cyberspace is not that different than in the physical world,” said Alperovitch. “A lot of people think if you can’t trace it back to the original machine that did it, you can’t figure out who is responsible. That’s akin to saying that if there is a bank robbery and if you do not have the tire tracks going all the way to the bank robbers’ house there is absolutely no way for you to catch him.”

“We know that’s not true. There is lots of other forensic evidence like photographs and DNA evidence that are routinely used to catch bank robbers even when the tire tracks do not lead directly to their house.”

It’s very much the same in cyberspace. There are clues and identifying markers that give the identity of the malware away.

“When you look at the patterns, the crimes that have been committed in the past, it’s all there,” said Alperovitch. “In the end, these are humans that are doing this in the intelligence service. You have 22-year-old cadets, whether it is in the United States or Russia or China or elsewhere, and they make mistakes.”


The lack of privacy on the internet, which concerns all of us, is actually a benefit in tracking down malicious actors behind a hack, said Alperovitch.

“If they made one mistake 10 years ago, it is ultimately preserved and someone can find it and connect the dots,” he said.

Cozy Bear, the second malware inside the network, appeared to be connected to the Russian civilian intelligence agency that is the successor to the KGB, said Alperovitch. Cozy Bear and Fancy Bear did not appear to know they were both inside the DNC network.

“The reason we know that they didn’t know about each other is that they were literally going after the same things,” said Alperovitch. “So, one group would say, steal emails on a particular date, and five hours later the other group would steal the same information, so it was not very well coordinated.”

Alperovitch said that wasn’t particularly unusual for Russian intelligence services.

“It’s a dog-eat-dog world inside Russian intelligence and they are all trying to make themselves look good to their superiors and are known to sabotage each other to make themselves look better,” he said.

The next step at the DNC was to shut them down.

“Then we had a conversation with the DNC about doing a rapid clean-up,” said Alperovitch.

They said no. The primaries were racing to the end and Bernie Sanders and Hillary Clinton were close. The DNC wanted to wait.

The DNC Makes a Critical Choice: To Wait

“At the time it didn’t seem as bad as it does now,” said Alperovitch, who was not in favor of waiting.

Cyberspying and hacking was not new, he said, noting that the Chinese hacked the Obama campaign. No one expected the Russians to weaponize the DNC data to destabilize the American presidential elections, he said.

In early June, the DNC computers were taken down and rebuilt over a weekend. By Monday, a new network was installed and the two pieces of spyware had been identified by name.

“The DNC asked us to come out publicly about the hacks,” said Alperovitch. “The misinformation campaign started the next day.”

Who Should the U.S. Be Watching?

The U.S. has the best cyber stealth capacity in the world, according to Alperovitch.

“Most countries have cyber capabilities,” said Alperovitch. “The U.S. focuses on those that worry us: Russia, China, North Korea and Iran.”

Most hacks are not very sophisticated, but work because people, businesses and countries are simply not prepared, he said. In reality, a hard target like a power grid being physically blown up is less likely than system-wide hacks, according to Alperovitch.

Power grids that are not connected to the internet are much more secure, since infiltrating them requires inside knowledge of a closed network. That is a lot more difficult to pull off. There are easier targets, like financial systems, that can be pulled down.

“It’s hard to achieve physical effects like blowing things up,” said Alperovitch. “In cyber security, the U.S. has over-emphasized that threat.”

Alperovitch said one of the biggest worries should be North Korea, which has had significant cyber capability since 2004 and benefited from being able to test its malware on nearby South Korea.

“North Korea has been using South Korea as their firing range to develop techniques,” he said.

The 2014 hack of Sony Pictures, just prior to the release of “The Interview,” a comedy about an assassination attempt on Kim Jong Un, sucked up and later released huge amounts of confidential data; the attack was attributed to North Korea.

“They have had significant success in penetrating the banking sector, too,” said Alperovitch. “That should concern us. It is just a few keystrokes between stealing sensitive data and eliminating it.”

So, too, with Russia, which was likely behind the Ukrainian cyber attack this past summer that Alperovitch said was far more sophisticated and far worse in its impact than any attack so far. The Petya malware attacked banks, airports, the energy grid, shipping companies and multinationals, like American pharmaceutical company Merck, disrupted the economy and cost some companies millions and even billions of dollars, said Alperovitch. It was potentially life threatening for those who were scheduled for surgery when hospital systems got infected, he said.

The malware wormed its way into the whole system of connections by infecting a Ukrainian tax software company, according to cyber analysts.

“Hacks are almost impossible to prevent, but they are not instant,” said Alperovitch. “That is complete nonsense.”

“It takes time to understand a network. To protect yourself, you should know your own terrain and get to them before they do damage.”

Cybersecurity Needs to Be a Top U.S. Priority

American politicians are paying attention, but progress is mired in Washington. Sen. Angus King, who sits on the Senate Armed Services Committee, said it’s just a matter of time before the U.S. gets hit by such an attack. King introduced a bill earlier this year to launch a program to identify specific threats to the power grid and to research and test technology to protect or isolate it.

Congress is paying attention. According to The Hill, which covers day-to-day national political and policy activity in Washington, D.C., and globally, it has been a busy week of cybersecurity threats and proposed solutions.

The U.S. House passed a port cybersecurity bill (partially in response to the Petya hack); lawmakers are calling for increased cybersecurity for small U.S. businesses (they make up half the U.S. economy); and the ransomware Bad Rabbit (which is probably related to Petya) was reported this week to have taken down Ukrainian subways, a major airport, Ukrainian agencies that oversee finance and infrastructure, hit targets in Turkey, and taken down several Russian news services.

Earlier this month, researchers reported on KRACK, a Wi-Fi security flaw that leaves almost all modern devices connected to wireless networks vulnerable to hacking.

This month, King and other lawmakers on the Senate Armed Services Committee grew increasingly impatient with the lack of a clear national policy on what constitutes an act of war when it comes to cyber attacks and how the U.S. should respond.

Right now, multiple agencies are responsible for different aspects of cyber security, the U.S. has no unified strategy, and, this week, the president refused to give the Senate access to Rob Joyce, the Cybersecurity Coordinator for the National Security Council.

U.S. Sen. John McCain (R-AZ), who chairs the Senate Armed Services Committee, indicated he is considering a subpoena to get Joyce to answer the committee’s questions, according to The Hill.