When Russia’s currency began tumbling under crippling sanctions imposed by the United States and the European Union, Mindiyarov was enlisted in a campaign to post glowing comments on Russian news sites and online magazines. “I was writing that everything was the opposite: how wonderful our life was, how wonderful it is that the ruble was strengthening … that sanctions were going to make us stronger and so on and so forth,” he recalled.
Days at the agency were divided into two twelve-hour shifts, Mindiyarov said, with quotas requiring employees to deliver 135 website comments per shift, 200 characters apiece. “You come in and spend all day in a room with the blinds closed and twenty computers,” he said, adding that he was paid 40,000 rubles, or about $800, a month after Russia’s currency crashed in late 2014. It was decent money at a time when Russia’s economy had been crumpled by Western sanctions.
Mindiyarov said he wasn’t involved in the “Translator Project,” but knew there were other sections of the company aimed at an audience in the United States. An unnamed troll told an independent television station in Russia that Internet Research Agency employees were told to engage with Americans online and “get into an argument in order to inflame it, and rock the boat.” The troll said their orders by 2016 were to specifically attack Clinton. “The main message is: aren’t you tired, brother Americans, of the Clintons, how long have they been around?” the station quoted the troll as saying. To ensure that their use of English was seamless enough for online political debate, employees in St. Petersburg watched the Netflix drama House of Cards, a show about a corrupt American pol who rises to become president.1
As an English speaker, Mindiyarov had been approached to apply for the “Facebook department,” where pay was twice as high. (The employees who emerged from that section for smoke breaks were younger, hipper, with newer phones and better haircuts.) But Mindiyarov was tripped up by the entrance test: his English wasn’t strong enough to pass as native in the rapid-fire encounters of social media, where you had to be fluent even in American idioms. In response to the essay question “What do you think of Hillary Clinton?” he wrote that she seemed to have a strong chance to be the next U.S. president. It was unclear, he reflected later, whether the answer itself was disqualifying or merely the caliber of the English he used to articulate it.
The weekend of the White House Correspondents’ Association Dinner at the start of May was supposed to bring a momentary respite from the pressure of the presidential campaign. Many Washington insiders, including senior officials at the DNC, would be donning gowns or tuxedoes for the annual bash near Dupont Circle. The so-called nerd prom always attracts an influential if eclectic crowd—cabinet secretaries, cable news anchors, and a smattering of Hollywood stars. Five years earlier, with Trump in attendance, Obama had mercilessly taken full advantage of the chance to return fire on the reality TV star who had used his fame to fan a baseless conspiracy about the president’s place of birth. The jokes mocked Trump’s ego and boorishness, and as the audience roared, Obama’s target was visibly annoyed, so much so that some would later wonder whether that moment of humiliation had motivated him to mount his own serious run for the White House.
Saturday night’s event, Obama’s last as president, was expected to have a more valedictory tone for the Democrats, but the prospect of another Democrat in the Oval Office come 2016 also provided reason to celebrate. Preparation for the pre-event parties was already under way on Friday when DNC executive director Amy Dacey learned for the first time around four P.M. that the committee’s network had been penetrated. Immediately she picked up the phone and dialed Michael Sussmann at Perkins Coie.
“We’ve had an intrusion,” she told him. The contract IT team first thought they could contain the damage and keep the committee’s systems up and running, she explained, but it seemed obvious they were overmatched, especially if the bureau’s suspicions proved correct and the hackers were Russian. Finally Tamene and his team were getting it: the DNC was in big trouble. “They were mature enough to know that they couldn’t fight the Red Army,” Dacey said.
While still on the phone with Dacey, Sussmann fired off a text to Shawn Henry, a former top cyber official at the FBI who had left the bureau to take a top job with a Silicon Valley cybersecurity firm, CrowdStrike. With his shaved head and dark suits, Henry would never be mistaken for a member of the hacker crowd, but he had been on the front lines of previous election-cycle cyberattacks. In 2008, he was in charge of the FBI cyber division when Chinese officials hacked the computers of the presidential campaigns of John McCain and Barack Obama, looking to steal intelligence that would give them insight into how each man would steer U.S. foreign policy regarding China.
As the White House Correspondents’ Dinner and a weekend of follow-up events got under way in Washington, Sussmann formally moved to enlist CrowdStrike to protect the DNC. The intrusion and the plan to counter it were to be kept secret from most DNC staff. “You can’t let the attackers know you know they’re there,” Sussmann instructed Dacey. “You only have one chance to raise the drawbridge.” If the hackers were tipped off, they could destroy logs and wipe their tracks or worse—steal piles of data while making a scorched-earth retreat. Most Democrats would party in blissful ignorance of the potential nightmare going on back at their national committee headquarters.
For the DNC, the timing was terrible. Half a dozen primaries had just ended, with Clinton taking a commanding lead, but the coming weeks formed a brutal final sprint, with potentially decisive contests in ten states, including Oregon, Indiana, and California. The Democratic National Convention, the committee’s showcase event, was twelve weeks away. The party had picked Philadelphia for the 2016 event, and 50,000 people were expected to attend, including about 5,000 delegates, with millions more watching on television.2 The DNC’s staff was working around the clock planning for the general election. It was also an intense period of political maneuvering. Supporters of Bernie Sanders, the senator from Vermont, were already suspicious that a party apparatus held tightly in the Clinton family grip had sought to deny them the nomination, and the internal debates about candidates, strategies, fundraising, and campaigning were detailed in thousands of internal DNC emails, spreadsheets, and other files—all residing on a computer system that might have been thoroughly compromised by Russia.
“You had staff running full tilt, gathering research on the Republican front-runner, Donald Trump,” Dacey recalled. “You had an intruder inside the system who was interested in that opposition research, and a convention to plan for. It was the perfect storm.”
By Friday, May 6, CrowdStrike had worked with Tamene’s team to install stronger threat detection system software. Immediately it turned up troubling evidence of two Russian hacking teams—the newly discovered, “noisier” intruder as well as the quieter one that the FBI had long warned the DNC was already inside.
U.S. intelligence agencies had for years been reluctant to publicly identify hacking groups by country out of concern that doing so would jeopardize sources as well as run the risk of complicating diplomatic relations. When they wanted to signal publicly that a nation-state was behind a cyber campaign, they adopted the euphemism “advanced persistent threat,” or APT. The term had been coined in 2006 by an Air Force intelligence officer looking for a way to pass information to defense contractors getting hammered by a specific set of foreign hackers, without revealing the classified detail that the country behind the assault was China. It had then spread to cyber firms in the private sector and now was used throughout the industry. A Chinese cell known as People’s Liberation Army Unit 61398 had carried off a string of thefts of intellectual property and commercial secrets from American and European defense contractors, and engaged in espionage against countries including the United States, Canada, India, and Israel as well as against the United Nations. They were so prolific and brazen that like graffiti artists, they sometimes left telltale signs of who they were, lines of computer code that sometimes included nicknames such as “Ugly Gorilla.” Unit 61398 became known as APT1.
The teams rummaging through the DNC machines were known from previous intrusions