What Was the Relationship Between FSB and GRU in the DNC Hack, Redux?

I want to return to last week’s House Intelligence Hearing on Russia (because that fecker Devin Nunes canceled my birthday hearing with James Clapper and John Brennan today), to revisit a question I’ve asked a number of times (in most detail here): what was the relationship between Russia’s FSB and GRU intelligence services in the DNC hack?

The public narrative (laid out in this post) goes like this: Sometime in summer 2015, APT (Advanced Persistent Threat) 29 (associated with FSB, Russia’s top intelligence agency) hacked the DNC along with 1,000 other targets and because DNC ignored FBI’s repeated warnings, remained in their network unnoticed. Then, in March 2016, APT 28 (generally though not universally associated with GRU, Russia’s military intelligence) hacked DNC and John Podesta. According to the public story, GRU oversaw the release (via DC Leaks and Guccifer 2.0) and leaking (to Wikileaks via as-yet unidentified cut-outs) of the stolen documents.

Under the public story, then, FSB did the same kind of thing the US does (for example, with Enrique Peña Nieto in 2012), collecting intelligence on a political campaign, whereas GRU did something new (though under FBI-directed Sabu, we did something similar to Bashar al-Assad in 2012), leaking documents to Wikileaks.

Obama’s sanctions to retaliate for the hack primarily focused on GRU, but did target FSB as well, though without sanctioning any FSB officers by name. And in its initial report on the Russian hack, the government conflated the two separate groups, renaming attack tools previously dubbed Cozy and Fancy Bear the “Grizzly Steppe,” making any detailed discussion of how they worked together more confusing. As I noted, however, the report may have offered more detail about what APT 29 did than what APT 28 did.

Last week’s hearing might have been an opportunity to clarify this relationship had both sides not been interested in partisan posturing. Will Hurd even asked questions that might have elicited more details on how this worked, but Admiral Mike Rogers refused to discuss even the most basic details  of the hacks.

HURD: Thank you, Chairman.

And gentlemen, thank you all for being here. And thank you for your continued service to your country. I’ve learned recently the value of sitting in one place for a long period of time and listening and today I’m has added to that understanding and I’m going to try to ask questions that y’all can answer in this format and are within your areas of expertise. And Director Rogers, my first question to you — the exploit that was used by the Russian’s to penetrate the DNC, was it sophisticated? Was it a zero day exploit? A zero day being some type of — for those that are watching, an exploit that has never been used before?

ROGERS: In an open unclassified forum, I am not going to talk about Russian tactics, techniques or procedures about how they executed their hacks.

HURD: If members of the DNC had not — let me rephrase this, can we talk about spear fishing?

ROGERS: Sure, in general terms, yes sir.

HURD: Spear fishing is when somebody sends an email and they — somebody clicks on something in that email…

ROGERS: Right, the user of things (inaudible) they’re receiving an email either of interest or from a legitimate user, they open it up and they’ll often click if you will on a link — an attachment.

HURD: Was that type of tactic used in the…

ROGERS: Again, I’m not in an unclassified forum just not going to be…

The refusal to discuss the most basic details of this hack — even after the government listed 31 reports describing APT 28 and 29 (and distinguishing between the two) in its updated report on the hacks — is weird, particularly given the level of detail DOJ released on the FSB-related hack of Yahoo. Given that the tactics themselves are not secret (and have been confirmed by FBI, regardless of what information NSA provided), it seems possible that the government is being so skittish about these details because they don’t actually match what we publicly know. Indeed, at least one detail I’ve learned about the documents Guccifer 2.0 leaked undermines the neat GRU-FSB narrative.

Comey did confirm something I’ve been told about the GRU side of the hack: they wanted to be found (whereas the FSB side of the hack had remained undiscovered for months, even in spite of FBI’s repeated efforts to warn DNC).

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

There is mounting evidence that Guccifer 2.0 went to great lengths to implicate Russia in the hack. Confirmation GRU also went out of its way to make noise during the DNC hack may suggest both within and outside of the DNC the second hack wanted to be discovered.

I have previously pointed to a conflict between what Crowdstrike claimed in its report on the DNC hack and what the FBI told FireEye. Crowdstrike basically said the two hacking groups didn’t coordinate at all (which Crowdstrike took as proof of sophistication). Whereas FireEye said they did coordinate (which it took as proof of sophistication and uniqueness of this hack). I understand the truth is closer to the latter. APT 28 largely operated on its own, but at times, when it hit a wall of sorts, it got help from APT 29 (though there may have been some back and forth before APT 29 did share).

All of which brings me to two questions Elise Stefanik asked. First, she asked — casually raising it because it had “been in the news recently” — whether the FSB was collecting intelligence in its hack of Yahoo.

STEFANIK: Thank you. Taking a further step back of what’s been in the news recently, and I’m referring to the Yahoo! hack, the Yahoo! data breech, last week the Department of Justice announced that it was charging hackers with ties to the FSB in the 2014 Yahoo! data breech. Was this hack done to your knowledge for intelligence purposes?

COMEY: I can’t say in this forum.

STEFANIK: Press reporting indicates that Yahoo! hacked targeted journalists, dissidence and government officials. Do you know what the FSB did with the information they obtained?

COMEY: Same answer.

Again, in spite of the great deal of detail in the indictment, Comey refused to answer these obvious questions.

The question is all the more interesting given that the indictment alleges that Alexsey Belan (who was sanctioned along with GRU in December) had access to Yahoo’s network until December 2016, well after these hacks. More interestingly, Belan was “minting” Yahoo account credentials at least as late as May 20, 2016. That’s significant, because one of the first things that led DNC to be convinced Russia was hacking it was when Ali Chalupa, who was then collecting opposition research on Paul Manafort from anti-Russian entities in Ukraine, kept having her Yahoo account hacked in early May. With the ability to mint cookies, the FSB could have accessed her account without generating a Yahoo notice. Chalupa has recently gone public about some, though not all, of the other frightening things that happened to her last summer (she was sharing them privately at the time). So at a time when the FSB could have accomplished its goals unobtrusively, hackers within the DNC network, Guccifer 2.0 outside of it, and stalkers in the DC area were all alerting Chalupa, at least, to their presence.

While it seems increasingly likely the FSB officers indicted for the Yahoo hack (one of whom has been charged with treason in Russia) were operating at least partly on their own, it’s worth noting that overlapping Russian entities had three different ways to access DNC targets.

Note, Dianne Feinstein is the one other person I’m aware of who is fully briefed on the DNC hack and who has mentioned the Yahoo indictment. Like Comey, she was non-committal about whether the Yahoo hack related to the DNC hack.

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts is the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

There seems to be a concerted effort to obscure whether the Yahoo hack had any role in the hack of the DNC or other political targets.

Finally, Stefanik asked Comey a question I had myself.

STEFANIK: OK, I understand that. How — how did the administration determine who to sanction as part of the election hacking? How — how familiar with that decision process and how is that determination made?

COMEY: I don’t know. I’m not familiar with the decision process. The FBI is a factual input but I don’t recall and I don’t have any personal knowledge of how the decisions are made about who to sanction.

One place you might go to understand the relationship between GRU and FSB would be to Obama’s sanctions, which described the intelligence targets this way.

  • The Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU) is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes.
  • The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.


  • Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

Remember, by the time Obama released these sanctions, several FSB officers, including Dmitry Dokuchaev (who was named in the Yahoo indictment) had been detained for treason for over three weeks. But the officers named in the sanctions, unlike the private companies and individual hackers, are unlikely to be directly affected by the sanctions.

The sanctions also obscured whether Belan was sanctioned for any role in the DNC hack.

  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Again, all of this suggests that the intelligence community has reason to want to obscure how these various parts fit together, even while publicizing the details of the Yahoo indictment.

Which suggests a big part of the story is about how the public story deviates from the real story the IC is so intent on hiding.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

27 replies
    • SpaceLifeForm says:

      I’m not sure if Nunes knew he was there.
      But plenty of others know he was there.
      Book it Dano!

  1. Michael says:

    FireEye states its ground for thinking that that APT 28 & 29 were coordinated, name that this that this is the only case where both were found together. This is obviously extremely feeble. Or did you see some other ground?  The original claims of CrowdStrike last summer strongly suggested that the DNC server was unusually low hanging fruit and that many might have gained access. Many experts at the time, before this became so politicized, suggested that any intelligence service would have been derelict of duty not to take a look.

  2. lefty665 says:

    Odd that the GRU would act recklessly, essentially asking to be discovered.  Is this behavior common in their other activities in recent years?

    Seems curiously more like what CIA might do to set up a false flag using their tools for mis- attribution. Look over here! Here I am! Ruskie Da!

    Happy Birthday to you!



      • lefty665 says:

        Dunno, it seemed strange. I was asking because you seem to have better sources than most, and good sense about what’s real and who’s blowing smoke.  You also suggested you had information that undermined the neat GRU/FSB narrative.

        In addition, Obama’s sanctions had a curious emphasis on seemingly unrelated things like declaring a passel of folks persona non grata and gratuitously closing two R&R sites. That seemed strange too unless he was just tidying up loose ends before he left office and threw it all in the same order.  Sort of  “Oh, and this too”. Or, was there a connection?

        Those of us out here in open lit land have yet to see any actual evidence, so it’s all a crap shoot for us.

  3. SpaceLifeForm says:

    And out of the woodwork…
    (more distraction. Why wait until today?)


    Former vice president Richard B. Cheney became the latest Republican to condemn Russia’s reported meddling in the presidential election, likening the “cyberattack on the United States” to an “act of war.”

  4. tvor_22 says:

    How was the FSB helping apt28 when they hit a “brick wall”? I missed the fact that fireye said there was collaboration. Got a link to that info?

    • emptywheel says:

      That description is not from either contractor–it’s from another source. The idea was they’d be working on lateral movement and get stuck and there’d be some interaction, some resistance, and then some help given from entities within the system.

      Here’s the FireEye description:

      According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

      • tvor_22 says:

        Yeah, I read that bit, but took it to be assumption of author (“which suggests … coordination”)

        But your source says computer says yes…

        *Shines lamp in your face*

        • emptywheel says:

          You saw the comparable CS claim? Clearly, one of the difficult things to explain is why RU would send two intel agencies into a server, if that’s what happened, and it seems these are two competing explanations for what behavior is, per what I’ve been told, somewhere in between.  I don’t think anyone wants to commit too much to an explanation for that bc, like the “Russian” metadata, there’s not an obvious explanation. Then you add in the fact that FSB would have also had redundant access to some of this stuff (if they weren’t using the Yahoo hack for the DNC hack in ways that are not yet public), and there’s a big question abt why certain entities were sent in the way they were.

          GRU hacking DC Leaks, which IMO started off as an anti-Ukraine campaign, makes sense. But the DNC stuff doesn’t (and there’s not clear GRU-related phish evidence for DNC as there is for Podesta).

          • tvor_22 says:

            Yeah. CS doesn’t think the the left hand knew what the right was doing, which is a weirdly subtle conclusion to come to for CrowdStrike.

            It’s like 28 is some kind of inverse reflexive control operation. Active measures 2.0. But it’s like if the ‘little green men’ in the Ukraine were to step up the mind-fuckery and instead of wearing no insignia, wore obviously counterfeit Russian insignia, while still carrying legit Russian hardware. If we entertain that hypothetical scenario would the counterfeit insignia have helped or hindered the uncertainty of officially sanctioned operations? In this case it seems to have been completely ignored, and counter-productive.

            Is it simply the case the GRU has come to the conclusion that this level of cyberwar is ultimately only ever passive-aggressive — to ‘confuse the narrative’ (by exposing truths), and hence able to afford being nose-thumby. I wonder how much of that narrative would have confused Hillary Clinton? Bit-off more than they could chew would be an understatement.

            In the case of Russia I feel the concept of ‘ham-fisted clusterfuck’ is too eagerly replaced by ‘active-measures/reflexive control/3d Chess’ when used to suit the given (mostly random) outcome of business as usual meddling.

              • SpaceLifeForm says:

                Think multi-WAN router. Multiple DNS, different IP addys. Different websites visible.
                A honeypot. Could explain APT28 and APT29 actually arriving at same server via different paths (DHS/IP).

                I’m still not convinced that APT28 or APT29 are really FSB or GRU ops.
                (you know my theory)

  5. b says:

    Sorry, despite your birthday ( I wish you a happy one), this sentence is disqualifying:

    “APT 28 largely operated on its own, but at times, when it hit a wall of sorts, it got help from APT 29”

    ATPs are software suites, collections of computer programs, used to crack into computers and known and available to some people.

    A certain collection of programs or suite once used might be called ATP XY or ATP YX. Only when the suite is not yet known to others can it be used to distinguish a person or group behind a hack that applies the suite. As soon as the suite is known and available others can use it (or fake its use).

    It is, at least for IT security nuts, highly unprofessional to mix up ATPs and actors. An ATP may point to certain actor in its first use (like STUXNET pointed to U.S./Israel) but that does not make any new hack with the same suite attributable. A new STUXNET like attack committed now could be by anyone who copied/analyzed the original STUXNET suite. The new attack would not be attributable to the U.S./Israel without any additional information.

    That one ATP helped the other does not make sense. Actors may have helped each other. Or the same actor used/reused parts of two different suites.


    You seam to see that fact that Obama sanctions certain entries as confirmation that these entries were responsible for hacking. But there is nothing but say-so that makes the connection.  Maybe he did it to hype the “Russia did it” claims even as they may have not been true at all.  That the Guccifer 2.0 figure WANTED , as you write,  to have the fingers pointed at Russia should make you very cautious . This could be an intended misdirection. Why else would she do this?

    It is obvious that the Intelligence Community and its claims are not at all trustworthy in this whole story. Why else are they hiding so much?



    • emptywheel says:

      On the APT point–fine. It’s a bit awkward to refer to these entities w/o endorsing one or another view of them–if anything I’ve endorsed the GRU belief more than I wanted to here. I was told of individual human actors associated with certain behaviors, including the “loudness” (think the digital equivalent of leaving graffiti), interacting with other more polite actors, associated with other behaviors, showing not complete unity of purpose but some willingness to help out.

      I in NO way think sanctions are tied to guilty parties. That was part of my point — that none of the intelligence figures sanctioned will feel the pinch on these sanctions, so they are largely symbolic, particularly those targeted at FSB.


  6. tvor_22 says:

    At “b”

    You mean APT.

    No,sir, not merely a software set at all. Infrastructure and hard traces.

    Lion’s share of assignation to #28 and 29 comes from infrastructure matched with software and behavioral​ fingerprints.

    • b says:

      That’s nonsense too. What infrastructure – a rented server somewhere out of millions available freely for rent in about every country of this world?

      Do you have any idea how easy it is for professionals with the right tools to fake an IP entry in a log?

      “Hard traces” – gal – I’ve been doing IT all my life. Hard traces are soldering marks on a cable or punch holes in 5 1/2 disks? Haven’t seen these in a while.  There ain’t no “hard traces” in soft(!)ware.


  7. b says:


    ATTRIBUTION of cyber attacks is nearly impossible. Please finally get that into your minds. What the claims of “Russia did it” are based on are assumptions and horoscopes propagandized with certain political aims. No hard evidence, NOT ANY, has been presented for the DNC hack claims.

    Here are a bunch of real experts saying so to CSM journalists:




    “The attribution of targeted attacks is complicated, unreliable and subjective – and threat actors increasingly try to manipulate the indicators researchers rely on, further muddying the waters,” said Brian Bartholomew, senior security researcher, Kaspersky Lab. “We believe that accurate attribution is often almost impossible…”


    • SpaceLifeForm says:

      FYI, the csmonitor link has commentary from a TLA front company. The Kaspersky article is quite solid.

  8. Bob In Portland says:

    A couple weeks back wikileaks released documents that said the CIA not only had corralled malware from all over the world to use in its bag of tricks, but had in fact created false flags with malware to blame on others.

    This was not a terribly outrageous leap. This is typical CIA behavior. How many false flags has it created to get the US into the next war?

    When I asked a month or so back what real evidence you had, Marcy, I got nothing. And, in fact, if you found a Russian hack, how do you know it’s not a false flag CIA hack? What magnitude of proof do you have that clears the CIA of any and all guilt in the matter?

    I ask again and again because the “Russian hack-Trump traitor” story appears to me to be another okeydoke for the next war. When examining all the Ukrainian fingerprints in and around this case it is evident that early on this going to be fluffed and inflated by Ukrainians from the DNC to Kiev.

    Is it that you don’t recognize how the CIA works? Is it that you were trained well enough to know not to question Soviet/Russian guilt in all matters?

    I ask again also because justifying a war against Russia with false flags creates a great risk for life on earth. All the various false flags that have pushed the US into wars since WWII are responsible for millions of lives, and billions in profit for American corporations. Do you, like the neos and ultras in the Atlantic Council and the Foreign Policy Research Institute, think that war against Russia is a good idea? Because that is what this blurred, fuzzy, maybe, kinda proof against Russia is turning out to be: a casus belli.

    DNC oppo researcher, “proud Ukrainian American” Alexandra Chalupa, was one of the first to be calling Trump a traitor and the alleged hacking an act of war. She was selected by some inside the Beltway theocrat as being one of the sixteen most influential people in the 2016 election. Maybe she’ll be most influential in creating the next war. Maybe you, too.

Comments are closed.