WASHINGTON — Since Democratic National Committee officials first discovered their data networks had been compromised this spring, a growing chorus of experts and officials have seen evidence that the Russian government was responsible.
In the months since, the infiltration and its consequences have taken surprising and often bizarre turns, culminating in a political scandal this week as the Democratic National Convention opened in Philadelphia. But one constant has remained: a growing body of forensic evidence implicating the Russian government.
The first hints came in May, after committee officials noticed unusual activity in their network. They hired the cybersecurity company CrowdStrike to investigate, and its experts quickly found the source of the activity: a group of hackers had, in late April, gained access to the systems of the committee’s opposition-research team, from which the group had stolen two files containing information on Donald J. Trump, who would eventually become the Republican nominee for president.
The investigators determined that the hackers were part of APT 28, a group well-known among cybersecurity experts. The name is short for advanced persistent threat, which usually refers to government hackers. Security firms and law enforcement officials have also used the name Fancy Bear, a reference to a widespread belief that the group is run by Russia’s military intelligence agency, the G.R.U.
The investigation might have ended there, but CrowdStrike discovered another, better-hidden infiltrator in the computers of the Democratic committee: A group known as APT 29, or Cozy Bear, which is considered more skillful and has been linked to the F.S.B., the main successor to the K.G.B.
Cozy Bear, it seemed, had had complete access to the committee’s systems for almost a year. (Subsequent investigations by two other cybersecurity firms confirmed CrowdStrike’s findings.)
Linking a breach to a particular hacker group, and tying a group to a state agency, is always based on circumstantial evidence. But the forensic evidence the experts were able to collect connecting these intrusions to Russian agencies was very strong compared with other cases.
For example, the first group, APT 28, often uses the same tactic: registering a domain whose name is similar to that of its target, to trick users into disclosing their passwords when logging into the wrong site. In this case, hackers set up misdepatrment.com — switching two letters — to target users of MIS Department, which manages networks for the Democratic committee.
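As an added illustration (not part of the original article or of any investigator's tooling), the sketch below shows how a defender might flag such lookalike registrations against a list of domains they protect. The function names, the distance threshold and every sample domain other than the two named above are assumptions constructed for this example.

```python
# Added example: flag observed domains that are near-misses of protected ones.
PROTECTED = ["misdepartment.com"]  # the legitimate domain named in the article

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each at cost 1. Plain Levenshtein would
    score a two-letter swap as 2, hiding how close the names are."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def swapped_pair(legit, name):
    """Index of the swap if name is legit with one adjacent pair exchanged."""
    if len(legit) != len(name):
        return None
    diff = [i for i in range(len(legit)) if legit[i] != name[i]]
    if (len(diff) == 2 and diff[1] == diff[0] + 1
            and legit[diff[0]] == name[diff[1]]
            and legit[diff[1]] == name[diff[0]]):
        return diff[0]
    return None

def find_lookalikes(observed, protected=PROTECTED, max_distance=2):
    """Return (domain, protected domain, distance, kind) for each near-miss."""
    hits = []
    for raw in observed:
        name = raw.strip().lower().rstrip(".")  # normalise case, trailing dot
        for legit in protected:
            if name == legit:
                continue  # the real domain is not a lookalike of itself
            dist = osa_distance(name, legit)
            if dist <= max_distance:
                swap = swapped_pair(legit, name) is not None
                hits.append((name, legit, dist, "adjacent-swap" if swap else "near-miss"))
    return hits

# Constructed sample input; only the first entry comes from the article.
SAMPLE = ["misdepatrment.com", "MISDEPARTMENT.com.", "example.org", "misdepartrnent.com"]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE):
        print(hit)
```
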
More tellingly, the hackers linked this domain to an IP address they had used in previous breaches, giving investigators a way to look for patterns. They also used the same malware tools, which sometimes included unique security or encryption keys, a kind of digital fingerprint. Those fingerprints were found in other attacks, like a 2015 breach at Germany’s Parliament, which German intelligence officials said Russia, specifically APT 28, had probably carried out.
Both APT 28 and APT 29 use methods “consistent with nation-state level capabilities,” according to a CrowdStrike report, and they target foreign militaries and military contractors in a pattern that “closely mirrors the strategic interests of the Russian government.”
Another report, issued by the security firm FireEye in July 2015, pointed out that the hackers had seemed to go offline on Russian state holidays, and had appeared to operate during hours consistent with the Russian workday.
Such intrusions, while troublesome, are within the expected bounds of international spycraft. The case took a surprising turn in June, after Democratic Party officials, perhaps seeing an opportunity to paint Mr. Trump as Moscow’s favored candidate, revealed the apparent Russian infiltration to The Washington Post.
Within 24 hours, someone using the name Guccifer 2.0 had opened a WordPress blog and made a far-fetched claim: He, not Russia, had been responsible for the Democratic committee breach, and he had done it alone.
He also said he had stolen thousands of internal emails, the first public mention of such a theft. He provided evidence, posting a series of stolen documents and leaking others to news outlets, as well as to WikiLeaks. His name, he said, was a homage to a famous Romanian hacker who went by Guccifer and who has been in prison since 2014.
But Guccifer 2.0’s documents, while authentic, contradicted his claims that he had acted alone — and provided evidence of Russian state involvement. Some files, for example, included metadata showing they had been opened by computers set to the Russian language. Another had been modified by a word processor registered to Felix Edmundovich, rendered in Cyrillic script, a clear reference to Felix E. Dzerzhinsky, the founder of the Soviet secret police.
Guccifer 2.0 made himself available to journalists, which is not something criminal hackers often do. He insisted that Russia had not infiltrated the Democratic committee, an odd claim because he would have had no way of knowing. When discussing how he had committed the breach, his comments were inconsistent and, according to cybersecurity experts, showed insufficient technical knowledge to understand — much less carry out — the attacks.
He also claimed to be Romanian, but was unable to hold a conversation in that language when prompted by a reporter from the technology site Motherboard. But if Guccifer 2.0 was not who he said he was, how had he acquired thousands of documents stolen from the committee? And why did he lie?
ThreatConnect, a security analysis group, concluded that Guccifer 2.0 “most likely is a Russian denial and deception (D&D) effort” meant to cast doubt on Russian responsibility for the hack. It later found metadata in Guccifer 2.0’s emails suggesting he had sent them from Russian networks, as well as some parallels with networks used by APT 28, the Russian group.
The theory, widely shared by cybersecurity analysts, is that the Russian intelligence agencies, once exposed by the June report in The Washington Post, constructed Guccifer 2.0 to distract from those accusations. The thinking behind such methods is detailed in Russia’s formal military doctrine, which calls for deception and disinformation, often through so-called information operations, to sow confusion and maintain deniability.
Last week, the hackers made public about 20,000 emails through a different channel: WikiLeaks, which has long experience in scrubbing documents of incriminating information. So this release offers little new forensic information. But security experts say we may have more opportunities to hunt for clues: The hackers had access to far more than just these emails, and after last week’s ploy, might be tempted to leak more.