FASSBENDER TEES OFF!
CLOAK & […]: HOW RUSSIA'S DIGITAL SPIES ARE PLANNING TO INVADE AMERICA
PENN STATE: WHY IS FOOTBALL THE SPORT OF SEX PREDATORS?

"[…] IN LIFE. IT CAN BE VERY SIMPLE, BUT IT CAN GET VERY COMPLICATED." —Michael Fassbender

TABLE OF CONTENTS

INTO THE COUNTRY
Joe Alwyn, the breakout star of Billy Lynn's Long Halftime Walk, tries on the season's most stylish outdoor clothes, pg. 122

The Spark
Michael Fassbender has a gift that makes great directors want to line up for him. But what happens to the life of a private man when he always has to reveal himself?
BY AMANDA PETRUSICH
pg. 106

Best of Times, Worst of Times
Some days, you woke up feeling like you were living in the spring of hope; other days, the winter of despair. Have we reached utopia or Armageddon?
CONTRIBUTIONS BY TED HELLER AND DANIEL SCHOFIELD
pg. 138

See No Evil, Hear No Evil, Speak No Evil
He was the head football coach at an elite prep school. He was also a serial pedophile.
BY […] LEWIS
pg. 114

The Plot Against America
The inside story of how Russian spies hacked the U.S. election
BY […]
pg. 130

That '80s Show
Just like the monster in Stranger Things, their hit show, the Duffer brothers seemed to come out of nowhere
BY STEVEN […]
pg. 144

ON THE COVER: MICHAEL FASSBENDER PHOTOGRAPHED EXCLUSIVELY FOR ESQUIRE BY CEDRIC BUCHET. SUIT, SHIRT, AND TIE BY BURBERRY; WATCH BY PATEK PHILIPPE. PRODUCED BY LAURA OUGHTON FOR ROSCO PRODUCTION. STYLING BY NICK SULLIVAN. STYLING (UK) BY CHRIS BENNS. ASSISTANT STYLING (UK) BY NATASHA CHANG LEWIS. GROOMING BY CARLOS FERRAZ FOR CAROL HAYES MANAGEMENT. SET DESIGN BY ALEXANDRA LEAVEY FOR THE MAGNET AGENCY. THIS PAGE: PHOTOGRAPH BY DUSAN RELJIN. SHIRT BY BILLY REID; T-SHIRT BY SAVE KHAKI UNITED; JEANS BY DSQUARED2.


THE […] USED THE LANGUAGE OF AMERICANS FRUSTRATED WITH WASHINGTON. "AS YOU SEE THE U.S. PRESIDENTIAL ELECTIONS ARE BECOMING A FARCE."

confidential files from the DNC found their way to the public. Throughout the campaign, Guccifer maintained that he was the only person behind the hacking and leaking. "This is my personal project and I'm proud of it," he—or they—wrote in late June. But several sloppy mistakes soon revealed who was really behind the operation. The unraveling happened more quickly than anybody could have anticipated.

AS SOON AS […]'s files hit the open Internet, an army of investigators—including old-school hackers, former spooks, security consultants, and journalists—descended on the hastily leaked data. Informal, self-organized groups of sleuths discussed their discoveries over encrypted messaging apps such as Signal. Many of the self-appointed analysts had never met in person, and sometimes they didn't know one another's real names, b[…] intelligen[…] metadata settings, which, he suggested, revealed a failure of operational security.

A second mistake had to do with the computer that had been used to control the hacking operation. Researchers found that the malicious software, or malware, used to break into the DNC was controlled by a machine that had been involved in a 2015 hack of the German parliament. German intelligence later traced the breach to the Russian GRU, aka Fancy Bear.

There were other errors, too, including a Russian smile emoji—")))"—and emails to journalists that explicitly associated Guccifer 2.0 with DC Leaks, as the cybersecurity firm ThreatConnect pointed out. But the hackers' gravest mistake involved the emails they'd used to initiate their attack. As part of a so-called spear-phishing campaign, Fancy Bear had emailed thousands of targets around the world. The emails were designed to trick their victims into clicking a link that would install […] or send them to a fake but familiar-looking login site to harvest their passwords. The malicious links were hidden behind short URLs of the sort often used on […].

To manage so many short URLs, Fancy Bear had created an automated system that used a popular link-shortening service called Bitly. The spear-phishing emails worked well—one in seven victims revealed their passwords—but the hackers forgot to set two of their Bitly accounts to "private." As a result, a cybersecurity company called SecureWorks was able to glean information about […]'s targets. Between October 2015 and May 2016, the hacking group used nine thousand links to attack about four thousand Gmail accounts, including targets in Ukraine, the Baltics, the United States, China, and Iran. Fancy Bear tried to gain access to defense ministries, embassies, and military attachés. The largest group of targets, some 40 percent, were current and former military personnel. Among the group's recent breaches were the German parliament, the Italian military, the […] foreign ministry, the email accounts […] Breedlove, […], and John […]—[…]'s campaign chair—and, of course, the DNC.

[…] PUBLIC reconstruction of the DNC break-in appears to have […] hackers off guard. Researchers […] Russian spies had not expected to be identified so quickly, a theory that would explain, among other things, the peculiar animus Guccifer seemed to have for CrowdStrike. According to this hypothesis, the tradecraft blunders that Tait and others had identified were the result of a hasty effort by the GRU to cover its tracks.

As if to regroup after the initial rush of activity, Guccifer and DC Leaks went quiet at the end of June. But the 2016 presidential campaign, already the most bizarre in living memory, had a further surprise in store, one that worked in favor of the Russians. At a time when only 32 percent of Americans say that they trust the media to report the news fairly and accurately, the hackers were about to learn that getting called out publicly didn't really matter: Their kompromat operations would still work just fine.

On July 22, three days before the Democratic National Convention in Philadelphia, WikiLeaks published the largest trove of files to date, which included nearly twenty thousand hacked emails. Press coverage of the release quickly centered on emails that suggested a bias among some DNC staffers in favor of Hillary Clinton. The leaked emails lent credence to a suspicion held by some Democrats that the party establishment had never intended to give Bernie Sanders, Clinton's opponent in the primaries, a fair shake. Protesters in Philadelphia held up signs that read ELECTION FRAUD and DNC LEAKS SHAME. One day before the convention, the Russian kompromat campaign took its first trophy: Debbie Wasserman Schultz, the DNC chair, resigned from the organization.

The episode shocked the Democratic establishment, not least because of what it augured for the future. As Clinton's lead in the polls widened after the convention, commentators began to speculate that a damaging leak late in the campaign might be the only chance for Donald Trump to win the election. Fears of a […]-sponsored October surprise grew as it became clearer that the subversion effort was improving. When files appeared, they were now scrubbed of the sort of distinguishing metadata that had allowed analysts to trace the leak back to Russian intelligence.

The operators behind Guccifer and DC Leaks also appear to have recognized that American journalists were desperate for scoops, no matter their source. The Russians began to act like a PR agency, providing access to reporters at Politico, The Intercept, and BuzzFeed. Journalists were eager to help. On August 27, when part of the DC Leaks website was down for some reason, Twitter suspended the @DCLeaks account. The Daily Caller, a conservative news website, posted a story about the events, drawing an outcry from Trump supporters. Lou Dobbs, the Fox Business anchor, sneered that "leftist fascism" was throttling the last best hope for a Trump victory. Twitter soon reinstated @DCLeaks.

The most effective outlet by far, however, was WikiLeaks. Russian intelligence likely began feeding hacked documents to Julian Assange's "whistleblower" site in June 2015, after breaching Saudi Arabia's foreign ministry. A group called WikiSaudiLeaks, probably a Guccifer-like front for Fancy Bear, claimed that "WikiLeaks have been given access to some part of these documents." The so-called Saudi Cables showed


princes buying influence and monitoring dissidents. They became a major news story, proving that the old methods worked even better in the twenty-first century.

A leak released at the end of this past summer showed how frictionlessly the kompromat campaign was able to operate in the fact-free atmosphere of the 2016 American presidential campaign. In late September, DC Leaks published hundreds of emails from the account of a twenty-two-year-old freelancer for the Clinton campaign. Lachlan Markay, a reporter for The Washington Free Beacon, found an audio clip buried deep in the cache. In the recording, which was made at a fundraiser in Virginia, Hillary Clinton could be heard describing Sanders supporters as "children of the Great Recession" who "are living in their parents' basement." The comments were clumsy but, in context, hardly damning; Clinton was describing the appeal of Sanders's "political revolution" for young voters. ("We want people to be idealistic," she said.) Nevertheless, within a few days, Donald Trump was telling a roaring crowd in […], "Clinton thinks Bernie […] hopeless and ignorant […]"

IN MID-AUGUST […] DC Leaks were making nea[…] third mysterious social-media […] such as Github. The group said […] soon hold an auction to sell off a second cache of tools. After a security researcher posted a link to a repository of the supposed NSA software, analysts flocked to the dump. Security researchers quickly discovered that the tools, a collection of malware designed to steal data from their targets, were the real thing. Crucially, The Intercept, a media outlet with access to the NSA files leaked by Edward Snowden, found a sixteen-character string ("ace02468bdf13579") in the Shadow Brokers' tools that was referenced in a top-secret, and previously unpublished, NSA manual. The connection proved the provenance of the Shadow Brokers' find.

Robbing the NSA, of course, is not easy. The agency's elite hacking unit, called Tailored Access Operations, has an internal network known as the "high side" that is physically segregated from the Internet (the "low side"). Data diodes, devices that allow data to flow one way only, like water from a faucet, make it nearly impossible to hack high-side computers from the low side. When TAO hackers want to attack an adversary, they move their [continued on page 152]

PART 2
THE RUSSIAN ÉMIGRÉ LEADING THE FIGHT TO PROTECT AMERICA
BY VICKY WARD

[…] O'CLOCK on the morning of May 6, […] woke up in a Los Angeles hotel to an alarming email.

Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon "lit up," the email said, within ten seconds of being installed at the DNC: Russia was in the network.

Alperovitch, a slight man with a sharp, quick demeanor, called the analyst who had emailed the report. "Are we sure it's Russia?" he asked.

The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. The analyst, a former intelligence officer, told Alperovitch that Falcon had identified not one but two Russian intruders: […], a group CrowdStrike's experts believed was affiliated with the FSB, Russia's answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.

Alperovitch then called Shawn Henry, a tall, bald fifty-four-year-old former executive assistant director at the FBI who is now CrowdStrike's president of services. Henry led a forensics team that retraced the hackers' steps and pieced together the pathology of the breach. Over the next two weeks, they learned that Cozy Bear had

BEAR HUNTER: For Dmitri Alperovitch, the cofounder of CrowdStrike, defending against hackers is about psychology, not technology.

134 ESQUIRE / DEC + JAN 2017

The Plot: Part 1
[continued from page 134]

tools from the high side to a server on the low side, navigate through a series of addresses that make their tracks difficult to trace, and install malware on their target. To steal the NSA's malware, […] had to compromise a low-side machine that the TAO was using to hack its targets. The Shadow Brokers likely got lucky: Some analysts believe that an NSA operator mistakenly uploaded a whole set of tools to a staging computer the hackers were already watching. The alternative theory: An old-fashioned mole passed on the tools.

After going to all that trouble, why publish the results? A possible answer is suggested by a surprising discovery made by the U.S. intelligence community around the time Putin was addressing the journalists in St. Petersburg. American investigators had long known that the Russians were doing more than spear-phishing, but sometime around April they learned that the intruders were using commercial cloud services to "exfiltrate" data out of American corporations and political targets. Cozy Bear, the hacking group believed to be affiliated with the FSB, used some two hundred OneDrive accounts to send data from its victims back to Moscow.

Using cloud services such as OneDrive was a clever but risky move—it was a little like taking the bus to make off with stolen goods from a burglary. Though the widespread use of the services by legitimate users offered a degree of cover for the hackers, data provided by Microsoft also helped America's elite digital spies identify the DNC intruders "with confidence" as Russian. It is even possible that the U.S. government has been able to identify the names and personal details of individual operators. The Russians knew they'd been caught. On July 30, an FSB press release announced that twenty government and defense organizations had been hit by high-powered spying tools.

Some intelligence analysts believe that the Shadow Brokers' publication of the NSA spy kit was a message from one group of professionals to another. "You see us?" the Russians seemed to be saying, perhaps in reference to ongoing U.S. efforts to investigate the DNC breach. "Fine, but we see you, too." Similarly, the announcement of an auction—all but certainly phony—was probably intended as a warning that the hackers were prepared to publish a key that would unlock an encrypted container holding a second batch of stolen tools. Like a severed ear in an envelope, the announcement told the Americans: Don't mess with us.

Meanwhile, the kompromat campaign proceeded apace. August and September each saw six data dumps, including files from the Democratic Congressional Campaign Committee, which had also been hacked. In October, as the presidential election drew near, Guccifer published a massive cache, more than twenty-one hundred files. Three days later, WikiLeaks began publishing thousands of emails stolen from John Podesta's account.

On the day WikiLeaks published the first batch of Podesta's emails, the U.S. government took the unprecedented step of announcing that it was "confident" Russia's "seniormost officials" had authorized the DNC hacks. So far U.S. investigators have not said publicly who was responsible for the Podesta hack, but the data harvested by SecureWorks makes it clear that Fancy Bear broke into the Clinton chairman's account as early as late March. The CIA briefed Trump about the origin of the kompromat, but he continued to cite the material, telling a Pennsylvania crowd, "I love WikiLeaks!"

ON OCTOBER 12, PUTIN appeared at another forum, this time with more than five hundred guests in Moscow. Sitting comfortably in front of a giant banner that said RUSSIA CALLING! he answered an audience question about the hacks. "Everyone is talking about who did it," Putin said. "Is it so important?" The former KGB officer, proving his full command of U.S. political intrigue, suggested that the Democrats had "supported one intraparty candidate at the expense of the other." Any talk of the hacks being in Russia's interest, he said, was "hysteria" intended to distract Americans from what the hackers discovered: "the manipulation of public opinion." When the audience applauded, a smirk returned to Putin's face. "I think I answered your question," he said.

Part 2
[continued from page 137]

announcement, Alperovitch believed that the government, paralyzed by bureaucracy and politics, was still moving too slowly. In 2014, Sony called in CrowdStrike to investigate a breach of its network. The company needed just two hours to identify North Korea as the adversary. Executives at Sony asked Alperovitch to go public with the information immediately, but it took the FBI another three weeks before it confirmed the attribution.

The delay still frustrates Alperovitch, who saw the long silence as a kind of disinformation. "Yesterday you had no idea. Today you're 100 percent certain. It wasn't credible." From the perspective of the government, however, the handling of the Sony hack was a triumph. "In twenty-six days we figured out it was North Korea," John Carlin told me. The attribution changed the focus, he said, from what Sony did wrong to how the government was going to respond to North Korea. As Phyllis Schneck, who now works at the Department of Homeland Security, told me, the government moves slowly because it cannot afford to be wrong: "Vendors like to be first. Government must be right."

The government's attitude toward attribution moved closer to Alperovitch's in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People's Liberation Army had been indicted […] in Pennsylvania for stealing "econ[…] from the computers of U.S. firms in […] me that the indictments were meant […]ant No Trespass sign: Get off our […] the indictment didn't stop the hackers […] Alperovitch went on television to call for […]ger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. "You should be happy," he was told. "You're the one who's been pushing for this."

Six months later, just before the state visit, […] reported that the U.S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that "neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property" for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.

THIS PAST MARCH, Alperovitch hosted a cyber war game at the Moscone Center in San Francisco. Four teams of ten people—representing the government, the private sector, European and Australian allies, and the hackers—met for two hours to play the game. Shawn Henry; John Carlin; Chris Painter, coordinator for cyber issues at the State Department; and Chris Inglis, the former deputy director of the NSA, were all part of the government team. Executives from JPMorgan Chase and Microsoft represented the private sector. A former member of GCHQ, the British intelligence organization, was on the international team. Frank Cilluffo played a hacker. Ash Carter, the defense secretary, arrived halfway through and asked to play, but the game was already under way, so he was politely turned down.

The game's premise was that ISIS had hacked the databases of several state DMVs and their European counterparts. After a twenty-minute brainstorm, the government team said it was organizing a crisis-response group, speaking to the private sector, and sharing information with the Department of Homeland Security and the FBI. The private team said it was trying to get information from the government. The international team, meanwhile, complained that no one had briefed it—a mistake, Alperovitch said.

The adversary team then stood up and announced, "While the government team is deliberating and talking to the private sector, we're going to kill some people." It was a chilling moment that had real-life echoes for many people in the room. In June 2015, a Kosovar named Ardit Ferizi hacked an online retailer and passed the personal details of more than a thousand
