April 19, 2016
Website DCLeaks registered
An unknown party registers the domain DCLeaks.com. In June, July and August of 2016, DCLeaks releases emails from both Democrats (mostly Gmail-accounts) and Republicans (John McCain, Lindsay Graham, Michele Bachmann). We know that most of the people whose emails were published, received a phishing mail from Fancy Bear.
Cyber security company Threatconnect assesses that DCLeaks is part of a Russian operation to influence the elections.
April 22, 2016
DNC: ‘Fancy Bear exfiltrates data’
The GRU staged several gigabytes of DNC data located on the DNC’s servers for unauthorized and surreptitious exfiltration- or, more commonly, theft.
Source: DNC lawsuit.
April 25, 2016
“Fancy Bear” creates X-Tunnel malware
This is the creation date for the X-Tunnel malware found on the Democratic Party server. The hash from this malware is published by cybersecurity company CrowdStrike:
X-Tunnel malware is associated with Russian hacker group Fancy Bear. It is so-called “second stage” malware. This means that it is a different type of malware than was previously used to enter the Democrats’ computers. Thus, the actual hack took place sometime before this. CrowdStrike did not publish the hash of this stage one malware (thought to be a dropper).
We found the creation date of the malware by entering the hash into online malware-scanner VirusTotal. It is possible to manipulate the creation date, although this seldom happens. A source at CrowdStrike informed us that we can assume that April 25, 2016 is the actual creation date.
April 28, 2016
DNC discovers hack
DNC IT-staff detected and ultimately confirmed access to the DNC network by unauthorized users.
Source: DNC lawsuit.
April 29, 2016
Emergency meeting after discovery hack
A secret committee is created, consisting of Amy Dacey (CEO DNC), Debbie Wasserman-Schultz (chairperson DNC) and Michael Sussman (Perkins Coie, DNC’s law firm responsible for hiring Fusion GPS / Christopher Steele to investigate Trump).
A reconstruction by the New York Times asserts that the DNC hired CrowdStrike that same day “to scan its computers, identify the intruders and build a new computer and telephone system from scratch”. Within a day, CrowdStrike identifies the Russians as perpetrators of the hack.
CrowdStrike confirms receiving a phone call from the Democratic Party “at the end of April”.
Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyse data that could indicate who had gained access, when and how.
Source: Washington Post.
May 5, 2016
CrowdStrike installs anti-malware platform Falcon
“Fancy Bear” creates another X-Tunnel malware
At this moment in the timeline a contradiction arises. Although CrowdStrike has stated that upon their hire on April 29, they immediately got to work and discovered the Russian hackers, other articles assert that they installed their flagship anti-malware platform Falcon on May 5.
“Almost immediately, Falcon started lighting up with a number of indications of breaches of the DNC network," Alperovitch (Dmitri Alperovitch, founder of Crowdstike, ed.) says.Source: Wired.
The US Federal Election Commission Database shows that payments from the DNC to CrowdStrike started on May 5.
In addition to Falcon, the DNC used Overwatch, a service where an elite team of CrowdStrike cybersecurity experts monitors the servers 24/7.
A managed threat hunting service built on the CrowdStrike Falcon® platform. Providing an additional layer of oversight and analysis to ensure that threats don’t get missed and ultimately to prevent the mega breach. This service is comprised of an elite team of security experts who proactively hunt, investigate and advise on threat activity in your environment.
Source: CrowdStrike Overwatch website
Rickey Gevers, cybersecurity expert for Dutch cybersecurity company RedSocks, tells Argos that with Overwatch in place, CrowdStrike must have witnessed it if Fancy Bear created new malware and accessed the DNC server. And if thousands of emails were exfiltrated, they should have seen that as well.
Considering this, it stands out that more than half of the emails released by WikiLeaks is sent later than May 5: after CrowdStrike installs Falcon (see also May 25).
Information from Crowdstrike’s own website (a second hash, published on their blog) reveals that a second type of malware (again X-Tunnel) was created by Fancy Bear on May 5, and found on the servers of the DNC.
May 10, 2016
“Fancy Bear” creates spy malware X-agent
This is the compilation date of the X-Agent malware that was found on the DNC’s servers. X-Agent is espionage-malware, used in unison with the aforementioned X-Tunnel malware. Both types of malware are associated with hacker group Fancy Bear.
CrowdStrike published the hash of the malware on their website.
The compilation timestamp can be identified by entering the hash on website VirusTotal.
Something stands out when looking at the creation date: the malware has a ‘first seen into the wild’-timestamp from 2010. This is years before the malware was compiled, according to the ‘creation date’ timestamp. We have checked both dates with the VirusTotal helpdesk, who concludes that the ‘first seen into the wild’ timestamp is wrong, whereas the creation date is correct.
A source within cybersecurity company Crowdstrike shared that they have no reasons to believe that the compilation timestamp has been tempered with. Thus, they consider the ‘first seen into the wild’ timestamp an error.
Alexis Dorais-Joncas, Security Intelligence Team Lead for cybersecurity company ESET has told Argos that the X-Agent malware ‘had its source code leaked or made available for a short period online’, ‘ESET has a copy of the source code, which we found a few years ago. There are indications that other parties, among which security investigators, also have access to this code.’
As such, ESET states that it is plausible that anyone with access to this source code for Fancy Bear’s malware and knowledge of their usual tactics (TTP’s) could impersonate a hack by Fancy Bear. ‘If someone would obtain that source code and could easily modify it and perpetrate an attack, researchers could attribute this attack to Fancy Bear while in fact anyone could have done it.’
Such an impersonation could be made even better if the attackers had access to the X-agent source code and would modify in such a way that researchers would see it as an evolution of the tool, rather than just a copy of the old one, ESET tells Argos.
May 18, 2016
Intelligence services warn Republicans and Democrats for hacks
National Intelligence Director Jammer Clapper announces that hackers intend to influence the American presidential campaign.
Clapper said the Department of Homeland Security and the Federal Bureau of Investigation are working to educate “both campaigns” about cyber threats, likely referring to the campaigns of Trump, the presumptive Republican nominee, and Hillary Clinton, the likely Democratic nominee.
May 25, 2016
Final send date of released DNC-mails
The DNC-emails released by WikiLeaks dated up until the 25th of May. As such, the person who forged these emails must have had access to the email accounts until this date.
June (exact date unknown) 2016
Democrats hire Steele for more dirt on Trump
Perkins Coie, the law firm working for the Democratic Party, expands the investigation on Trump by Fusion GPS through hiring Christopher Steele. Steele is a former employee of the British intelligence service. The aim of his research is to find out more on the link between the Trump Campaign and the Kremlin.
In one of his memos, Steele contends that the Trump Campaign knew about the DNCLeaks and even supported it. In exchange Trump’s team ‘had agreed to sideline Russian intervention in Ukraine as a campaign issue’. According to Vox, no actual evidence supporting this claim has been brought forward. ‘This is obviously a subject of ongoing investigation, but none of the conversations about Russian dirt on Clinton that have come to light so far demonstrate what the dossier claims.’
June 8, 2016
Website DCLeaks launches
Website DCLeaks publishes internal emails from both Democrats and Republicans (see also April 19, 2016). The website states that it is run by American ‘hacktivists’. American intelligence services however, link DCLeaks to GRU, the Russian military intelligence service.
The first batch of campaign material that it published looked like a test: seventy-two inconsequential memos tracking media coverage of Clinton in 2015.
Source: The New Yorker.
The DCLeaks website is offline as of now. In this timeline we do not go into the dates of the different email releases.
June 10, 2016
Remediation event: DNC system is thoroughly cleansed
Six weeks after CrowdStrike is hired, the DNC computer system secretly gets replaced. All employees are required to leave their laptops behind. Phones and mail accounts are deactivated for the weekend.
According to Donna Brazile’s (DNC Chair) book ‘Hacks’ it took this long to start this so-called ‘remediation event’ because the Democratic Party did not want to have their system down while the primaries for the presidential elections were happening.
In a reaction to Argos, CrowdStrike states:
‘In regards to your questions about the timeline, we were engaged by the DNC in May 2016 and scheduled the remediation event on June 10th to eject the adversary and clean the network. It is a best practice in incident response cases to coordinate the remediation event with the client to avoid alerting the adversary that they had been detected before the comprehensive remediation can take place. Otherwise, you run the risk of the adversary taking destructive actions or disrupting the network, which may make the remediation event more challenging to successfully execute. In this case, we had completed the investigation and identified the adversaries with our technology before the June 10th date.’
June 12, 2016
Assange announces WikiLeaks will publish new Clinton-mails
In an interview with ITV Network’s Robert Peston, Julian Assange, founder of WikiLeaks, states that his organization received emails related to Hillary Clinton, which await publication.
Note: this is the first time it is confirmed that WikiLeaks will publish ‘something’. Of which emails Assange is talking, or what their source is, is unknown at this point.
June 14, 2016
Democrats announce ‘Russian hack’
The Democrats state in the Washington Post that their party has been hacked.
When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.
Debbie Wasserman Schultz, DNC chairwoman, in the Washington Post.
The Democrats have been advised to do this by Micheal Sussmann, lawyer for Perkins Coie. That way, they figured, they could get ahead of the story, win a little sympathy from voters for being victimized by Russian hackers and refocus on the campaign. (Source: New York Times).
The Washington Post reads: One group, which CrowdStrike had dubbed Cozy Bear, had gained access last summer and was monitoring the DNC’s email and chat communications, Alperovitch said. […] The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files. It was this breach that set off the alarm. The hackers stole two files, Henry said.
What’s striking, is that the report by the NSA, FBI and CIA (see January 6, 2017) states that Fancy Bear (GRU) was behind the stolen emails. Furthermore, in this first article there is no reporting on stolen emails. Rather, according to the statement, only two files have been stolen.
‘It appears that no financial information or sensitive employee, donor or voter information was accessed by the Russian attackers’, DNC-lawyer Susmann tells the Washington Post.
June 15, 2016
Guccifer 2.0 claims Democratic Party hack
In a blog post, Guccifer 2.0 declares he is the one responsible for the Democratic Party hack. He claims to be a ‘lone hacker’ from Romania, and not a hacker group from Russia. He also publishes a number of documents on his blog to prove he was behind the DNC hack. None of these documents appear in the later WikiLeaks publication. Some of them can be found as an attachment to the Podesta-mails published by WikiLeaks at a later point in time.
Guccifer 2.0 is the first to link the DNC hack to the upcoming WikiLeaks publications. On his blog he writes: The main part of the papers, thousands of files and mails, I gave to WikiLeaks. They will publish them soon.
Cyber security company ThreatConnect connects Guccifer 2.0 to Russia. This is partly due to the fact that some of the published documents have been edited in a Russian version of Word and that he uses a Russian VPN. The American intelligence services also state with ‘high confidence’ that Russian military intelligence service GRU was behind the attacks.
Bloggers Adam Carter (pseudonym) and Forensicator have expressed their doubts with regard to Guccifer 2.0 being the Russian military intelligence service. They partly base this on the times Guccifer 2.0 publishes its tweets and blogs. They publish the information that they have gotten from the metadata of the documents and files published by Guccifer 2.0.
In July 2016, Guccifer 2.0 states again that he was behind the DNC hack. VIPS (Veteran Intelligence Officials for Sanity) analysed the timestamps and other metadata of this hack/download. They conclude that the transfer speed is too high for a trans-Atlantic hack and that there must have been a leak rather a hack.
Several websites interpret the statement by VIPS as stating that the DNC-mails were obtained through a leak. However, the finding refers to a different set of files belonging to Guccifer 2.0 and not to that download (which presumably took place in May). Former NSA-employee Bill Binney (VIPS member) discovered that Guccifer 2.0 manipulated the download dates of these files. So what does this tell us? ‘Guccifer 2.0 is playing with us’, says Binney in an interview with Argos. Nothing more, nothing less.
In March 2018, The Daily Beast reports that Guccifer 2.0 used an IP-address in Moscow that can be traced back to a specific intelligence officers in the GRU headquarters. They base this on sources familiar with the government’s Guccifer investigation.
Argos did not conduct their own research on Guccifer 2.0. He has not responded to our Twitter DMs.
July 10, 2016
DNC employee Seth Rich killed
At 4AM, DNC-employee Seth Rich gets shot in Bloomgindale, the Washington neighbourhood he lives in. According to the police Rich died from two shots in the back, possibly as part of an armed robbery. Nothing is stolen. The perpetrators were never caught.
Rich worked as Voter Expansion Data Director with the Democratic Party. This fed into theories that he was murdered because he was the one responsible for leaking the DNC-mails and providing them to WikiLeaks. WikiLeaks has put out a 20.000 dollar reward for information leading to the conviction of Rich’s killers. This added fuel to the rumour that Rich was WikiLeaks’ source, although this has neither been denied or confirmed by WikiLeaks.
Fox News retracted its publications on the link between Rich and WikiLeaks. In March of 2018 the news that Rich’s parents were starting a lawsuit against Fox, because they used Rich’s death as ‘political football’.
Argos did not do any investigating on Rich’s death. We do not have evidence that Rich was WikiLeaks’ DNC source.