Watch & Learn

The Populist founder & Editor-in-Chief Lee Stranahan tells you what you can look forward to at Thursday’s hearing and explains why people should be suspicious of media claims about the story.

The Hacker Files

The controversy about allegations of “Russian Hacking” is a thicket of confusing issues, combining technical jargon, the natural secrecy of intelligence agencies and a megadose of political partisanship.

As part of our ongoing commitment to bringing you resources to make you smarter, I bring you The Hacker Files – a treasure trove of links so you can examine the story yourself in greater depth.

The Hacker Files are a chronological list of stories about hacking and the groups being accused of it, going back to 2013 with the original Guccifer — the person that Guccifer 2.0 said inspired their hack of the DNC and DCCC.

This list is meant to serve as a jumping off point for your own research, so don’t feel the need to go through it in order. If you find an article that interests you, read it!

Please Note: There’s conflicting information in these articles, bringing you different sides of the many controversial issues.

Dig in!

Prior to Release of DNC Hacks

03/19/13, Gawker – Who Is Guccifer, the Hacker Who’s Terrorizing Politicos?

06/09/15, Buzzfeed – Experts Say Russians May Have Posed As ISIS To Hack French TV Channel

07/27/15, Daily Beast – How a U.S. Think Tank Fell for Putin

08/18/15, Trend Micro – Pawn Storm’s Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets

01/16/16, Trend Micro – Operation Pawn Storm: Fast Facts and the Latest Developments

04/08/16, Dark Reading – Russian Hackers Breached White House Via US State Department

05/11/16, Trend Micro – Pawn Storm Targets German Christian Democratic Union

05/13/16, BBC – Russia ‘was behind German parliament hack’

The DNC Hacks Released by Guccifer 2.0

06/14/16, Bloomberg – Russian Hackers Accused of Taking Democrats’ Files on Trump

06/14/16, Crowdstrike – Bears in the Midst

06/14/16, WaPo – Russian government hackers penetrated DNC, stole opposition research on Trump

06/15/16, CSM – Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack


06/16/16, Vice Motherboard – ‘Guccifer 2.0’ Is Likely a Russian Government Attempt To Cover Up Their Own Hack

06/16/16, Forbes – Russian Hackers Targeted Hillary Clinton Campaign Google Accounts

06/17/16, Bloomberg – Hackers Targeting Clinton Aides Struck Across U.S. Politics

06/17/16, ThreatConnect – Rebooting Watergate: Tapping into the Democratic National Committee


06/21/16, Vice Motherboard – Here’s the Full Transcript of Our Interview With DNC Hacker ‘Guccifer 2.0’

06/27/16, DarkReading – Google Accounts Of US Military, Journalists Targeted By Russian Attack Group

06/28/16, Softpedia – Russian APT Launched Massive Spear-Phishing Campaign Targeting Google Accounts

06/29/16, ThreatConnect – Shiny Object? Guccifer 2.0 and the DNC Breach


07/07/16, ThreatConnect – What’s in a Name Server?

07/14/16, Guccifer 2.0 – NEW DNC DOCS

07/20/16, ThreatConnect – Guccifer 2.0: the Man, the Myth, the Legend?

07/26/16, ThreatConnect – Guccifer 2.0: All Roads Lead to Russia

07/27/16, Wired – Here’s What We Know About Russia and the DNC Hack

07/29/16, ThreatConnect – FANCY BEAR Has an (IT) Itch that They Can’t Scratch

08/05/16, Politico – Democrats fear ‘October surprise’ as White House ponders hack response

08/12/16, ThreatConnect – Does a BEAR Leak in the Woods?

08/19/16, ThreatConnect – Russian Cyber Operations on Steroids

09/02/16, ThreatConnect – Can a BEAR Fit Down a Rabbit Hole?

09/12/16, Jeffrey Carr – The Guccifer 2.0 Problem at the White House

09/13/16 – Democrat Hacker Guccifer 2.0 ‘Appears’ At London Show — Here’s What Was Said

Podesta Emails Released

10/17/16, Wikileaks – The Podesta Emails; Part One

10/11/16 – 7 biggest revelations from WikiLeaks release of Podesta emails


10/19/16, New York Times – Russian Hacker, Wanted by F.B.I., Is Arrested in Prague, Czechs Say

10/24/16, Esquire – The Russian Expat Leading the Fight to Protect America

10/25/16, WeLiveSecurity – Lifting the lid on Sednit: A closer look at the software it uses

10/28/16, TheSmokingGun – How Podesta’s Gmail Account Was Breached

Post Election

12/12/16, Scott Ritter – The ‘Slam Dunk’ That Isn’t – The CIA, Russia And The Hacking Of The 2016 Presidential Election

12/13/16, TruthDig – William Binney, Ray McGovern and Other Intel Experts Call Russian Hacking Allegations ‘Baseless’

12/14/16, The Intercept – Here’s the Public Evidence Russia Hacked the DNC — It’s Not Enough

12/16/16, The Hill – Assange: Some leaks may have been Russian

12/29/16 – Cyber-Related Sanctions Designations

12/30/16, WashingtonsBlog – Creator of NSA’s Global Surveillance System Calls B.S. On Russian Hacking Report

12/30/16, Jeffrey Carr – FBI/DHS Joint Analysis Report: A Fatally Flawed Effort

12/30/16, Rolling Stone – Something About This Russia Story Stinks

12/30/16, Ars Technica – White House fails to make case that Russian hackers tampered with election


Timeline of Crowdstrike’s Ukrainian Debacle


This timeline is a companion piece to my story Fix Is In: Comey Praised DNC-Hired Cybersecurity Firm Even After Botched Report, in which I detail how, beginning in June 2016, the Democratic National Committee and Crowdstrike, the FBI-connected cybersecurity firm that they hired, began to create a narrative about “Russian Election Hacking” that now overwhelms the news cycle. I go into detail on how, despite no conclusive technical evidence, Crowdstrike and the DNC pushed this narrative to attempt to influence the election by smearing Donald Trump and now to delegitimize his victory over Hillary Clinton.

I also lay out how DNC-hired Crowdstrike produced a report purported to connect Russian intelligence to an alleged hack of the Ukrainian military at the end of December 2016… just one week prior to the Obama administration imposing sanctions on Russia. This report was thoroughly debunked, yet days after the Ukrainian military denied the claims, FBI director James Comey praised Crowdstrike.

At press time, no mainstream media outlet has picked up on Crowdstrike’s retraction.

Crowdstrike’s Ukrainian Report and Responses

December 22nd, 2016: Crowdstrike publishes report on Ukrainian artillery hacking. Key claims are:

  • From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.
  • The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military.
  • Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.
  • Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.
  • This previously unseen variant of X-Agent represents FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine.
  • The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia.

December 22nd, 2016: Washington Post covers the report:

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

The FBI, which has been investigating Russia’s hacks of political, government, academic and other organizations for several years, privately has concluded the same. But the bureau has not publicly drawn the link to the GRU.

December 22nd, 2016: A number of other news outlets cover the report, almost all uncritically.

Reuters – Russian hackers tracked Ukrainian artillery units using Android implant: report


The Inquirer – Russian military hackers used Android malware to seek-and-destroy Ukrainian artillery

National Post – The Russians who hacked the DNC found to have also hacked Ukraine’s antiquated howitzers

Engadget – Russian hackers reportedly attack Ukrainian weapons, power grid

DarkReading – Malware Used In DNC Breach Found Tracking Ukraine Military

BankInfoSecurity – Russian DNC Hackers Tied to Ukrainian Artillery App Hack

SecurityAffairs – Fancy Bear APT tracked Ukrainian artillery units with an Android implant

SearchSecurity – Fancy Bear ties to Kremlin strengthened with Ukraine military hack

GrahamCluley – Fancy Bear used Android malware to track Ukrainian artillery

Softpedia – Fancy Bear Hackers Breached Ukrainian Artillery Using Android Malware

December 22nd, 2016: Forbes covers the report:

The most convincing evidence yet tying Russia’s GRU intelligence agency to the hack of the Democratic National Committee has been found in a bizarre tale involving an Android app developed by a Ukrainian military officer, security firm CrowdStrike claimed today.

Critical Responses

December 22nd, 2016: Bloomberg article titled ‘Why I Still Don’t Buy the Russian Hacking Story’:

I’m willing to believe that Russia sought to hack the U.S. election, but I still find the evidence lacking. That skepticism applies to the latest sensation — a report that Russian proxies in Ukraine are employing the same malicious software used on the U.S. Democratic National Committee.

December 23rd, 2016: Skeptics Doubt Ukraine Hack, Its Link to DNC Cyberattack:

…there are fresh doubts concerning the evidence Crowdstrike used in determining that the Ukrainian military was hacked.

Yaroslav Sherstyuk, the creator of the app that CrowdStrike says was hacked by the GRU, called the CrowdStrike report “delusional” in a Facebook post.

And Pavlo Narozhnyy, a technical adviser to Ukraine’s military, told VOA the app could theoretically have been reverse engineered and hacked, but he stressed that if such hacking had taken place, it would have been spotted.

Narozhnyy stated on Facebook that he outfitted Ukraine’s armed forces with nearly 300 tablets that carried the allegedly hacked software, and some of those tablets were sent to units with D-30 howitzers.

He told VOA that contacts in the Ukrainian military units that used the app reported no losses of D-30 howitzers, which contradicts large battlefield losses referenced in the CrowdStrike report.

“I personally know hundreds of gunmen in the war zone. None of them told me of D-30 losses caused by hacking or any other reason,” Narozhnyy stressed to the VOA.

January 3rd, 2017: Jeffrey Carr posts an article on Medium debunking each claim made by Crowdstrike:

Crowdstrike’s core argument has three premises:

Fancy Bear (APT28) is the exclusive developer and user of X-Agent

Fancy Bear developed an X-Agent Android variant specifically to compromise an Android ballistic computing application called Попр-Д30.apk for the purpose of geolocating Ukrainian D-30 Howitzer artillery sites

The D-30 Howitzers suffered 80% losses since the start of the war.

If all of these premises were true, then Crowdstrike’s prior claim that Fancy Bear must be affiliated with the GRU would be substantially supported by this new finding. Dmitri referred to it in the PBS interview as “DNA evidence”.

In fact, none of those premises are supported by the facts.

Aftermath: Comey Still Supports Crowdstrike Despite Debunked Report

January 4th, 2017: BuzzFeed reports FBI never even asked for access to the DNC Servers:

The FBI did not examine the servers of the Democratic National Committee before issuing a report attributing the sweeping cyberintrusion to Russia-backed hackers, BuzzFeed News has learned. Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

January 5th, 2017: FBI, Dems bicker over investigation of hacked servers:

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated,” the official said.

“This left the FBI no choice but to rely upon a third party for information. These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

January 6th, 2017: The Ukrainian Defense Ministry posts denial on their website:

In connection with the emergence in some media reports which stated that the alleged “80% howitzer D-30 Armed Forces of Ukraine removed through scrapping Russian Ukrainian hackers software gunners,” Land Forces Command of the Armed Forces of Ukraine informs that the said information is incorrect.

According Command Missile Forces and Artillery Land Forces of Ukraine, artillery weapons lost during the time of ATO times smaller than the above and are not associated with the specified cause. Currently, troops Missile Forces and Artillery Army Forces of Ukraine fully combat-ready, staffed and able to fulfill the missions.

Ministry of Defence of Ukraine asks journalists to publish only verified information received from the competent official sources. Spreading false information leads to increased social tension in society and undermines public confidence in the Armed Forces of Ukraine.

January 10th, 2017: Comey: DNC denied FBI’s requests for access to hacked servers:

The FBI requested direct access to the Democratic National Committee’s (DNC) hacked computer servers but was denied, Director James Comey told lawmakers on Tuesday.

The bureau made “multiple requests at different levels,” according to Comey, but ultimately struck an agreement with the DNC that a “highly respected private company” would get access and share what it found with investigators.

“We’d always prefer to have access hands-on ourselves if that’s possible,” Comey said, noting that he didn’t know why the DNC rebuffed the FBI’s request.

March 24, 2017: Cyber Firm Rewrites Part of Disputed Russian Hacking Report

U.S. cybersecurity firm CrowdStrike has revised and retracted statements it used to buttress claims of Russian hacking during last year’s American presidential election campaign. The shift followed a VOA report that the company misrepresented data published by an influential British think tank.

In December, CrowdStrike said it found evidence that Russians hacked into a Ukrainian artillery app, contributing to heavy losses of howitzers in Ukraine’s war with pro-Russian separatists.

VOA reported Tuesday that the International Institute for Strategic Studies (IISS), which publishes an annual reference estimating the strength of world armed forces, disavowed the CrowdStrike report and said it had never been contacted by the company.