Reporter's Notebook

How We Identified the D.N.C. Hack’s ‘Patient Zero’

Times Insider delivers behind-the-scenes insights into how news, features and opinion come together at The New York Times. In this article, the Pulitzer Prize-winning investigative reporter Eric Lipton details how he and his Times colleagues David E. Sanger and Scott Shane constructed a chronological narrative of one of the most famous hacks in history.

Image: The Democratic National Headquarters building in the Capitol Hill neighborhood of Washington, D.C. Credit: Justin T. Gellerson for The New York Times

Epidemiologists, at the outbreak of any major disease, are sent out to the field to find patient zero — the first victim, which helps explain how the contagion began. As David Sanger, Scott Shane and I set out in late November to reconstruct the events surrounding the hacking of the Democratic Party during the 2016 election campaign, we too wanted to understand, among all factors, how and where this story started.

The Times had extensively covered the remarkable story of Russia’s effort to influence the election — with David Sanger and our colleague Eric Schmitt first breaking the news back in late July that the hack was almost certainly the work of Russian operatives (after David and Nicole Perlroth had explored how the Russians were casting the Democratic convention into chaos). That was followed in August with an article about suspicions that the N.S.A. itself was hacked by the Russians and in October with analysis of President Obama’s options for retaliation.

But we had never taken the opportunity to look back and tell the story as a single, extended narrative, chronicling the people who got swept into one of the most famous hacks in history. Kitty Bennett, our news researcher extraordinaire, helped start the effort by building a chronology of events — based on as many primary source documents as we could find.

We then set out to interview every major figure involved in the episode: the executives and staffers at the Democratic National Committee, the Democratic Congressional Campaign Committee and Hillary Clinton’s campaign; the private sector investigator at CrowdStrike, a cybersecurity firm, and Perkins Coie, a law firm, both of which were hired by the D.N.C. and the D.C.C.C.; the government investigators from the Federal Bureau of Investigation, the director of National Intelligence and the White House officials who advised President Obama on how to respond. We talked to members of Congress and other congressional candidates, and to intelligence officials who, of course, would not speak on the record. And that was just the beginning.

We also reached out to WikiLeaks — and its editor in chief, Julian Assange — and tried, though without much success, to engage individuals in the Russian government, as well as Guccifer 2.0 and DCLeaks, the Russian-linked websites that dumped many of the Democrats’ emails and other documents.

In each of these interviews, we asked the principal players not only to tell their stories, from start to finish, but also to provide us with primary source documents, such as emails or memos, even if they shared them on the condition that we could not reproduce them. Documents are better than human memory: They nail down names and days and times — some of the last captured emails offered windows into how various email accounts were cracked open — and sometimes give us a sense of contemporaneous reactions. The Democratic Party officials were surprisingly open to telling this story, as they almost all felt that the media had focused far too much on the content of the stolen emails themselves and not nearly enough on how the 2016 election had been disrupted by a Russian plot. The White House didn’t want to discuss the topic.

Kitty Bennett’s original chronology grew in length, as we filled it in based on our interviews and collected documents, ultimately reaching more than 10,000 words: a 28-page compilation of people and events that served as the core of our narrative.

It was while doing all these interviews that we first heard the story of Yared Tamene, the tech-services consultant at the D.N.C. who had fielded a call in September 2015 from an F.B.I. special agent named Adrian Hawkins — who contacted the D.N.C. to disclose that federal officials had evidence that the D.N.C. computer system had already been hacked. But Mr. Tamene did not believe he was talking to a real F.B.I. agent, so he didn’t move definitively to find and shut down this intrusion.

Even after Special Agent Hawkins repeatedly called Mr. Tamene and finally met with him in person last January, he remained skeptical, describing their encounter this way in an internal D.N.C. memo: “During this meeting, SA Hawkins showed his FBI badge to us, and shared his business card, lending some credence to his claim about working for the FBI.” This was five months after the F.B.I. had first contacted the D.N.C. But Special Agent Hawkins’s superiors took no steps to independently reach out to the committee’s leaders to persuade them to take seriously what appeared to be a Russian government attack. Between the passivity of the F.B.I. and the passivity of the D.N.C., almost no progress had been made to identify and lock out the hackers.

Mr. Tamene never agreed to speak with us, although we happened to run into him during one of our visits to D.N.C. headquarters. But based on documents we reviewed — including an internal D.N.C. account of his dealings with the F.B.I. that Mr. Tamene himself had written — we were confident we had found our patient zero. Our story would start in September 2015, when this first warning call had come in from the F.B.I.

When you do reporting like this, you begin to hear the same stories over and over again, told by different players who experienced the same events. These accounts might seem redundant. But for reporters, they’re vital stuff, because each person fills in different tidbits — or pieces of color, as we call them. These overlapping stories help increase your confidence that the version of events you’re piecing together is fair and true, particularly when backed up with emails and other documents.

While I was focused on the D.N.C., David was busy pressing Obama administration officials to explain how they responded to the cyberattacks — a time-consuming process because of the difficulty of getting access to them and, in some cases, because of their reluctance to talk. David is perhaps the best-sourced cybersecurity reporter in the United States: He was the guy who broke the story of the most sophisticated cyberattack in history, the American-Israeli attack on Iran’s nuclear facilities. (That tale recently became a documentary.) Eventually the White House began to tell its story, and it’s no surprise that when President Obama gave his news conference on Friday, his version of events echoed what we had already reported.

While David worked, Scott Shane, one of the top intelligence reporters in Washington, focused on the F.B.I. and on a group we called “the facilitators,” which included players like WikiLeaks that posted the hacked emails in a public place. He also spent a large chunk of time examining the evidence investigators had gathered as proof that the Russian state was involved in the hack — we went into this project determined to evaluate it on our own rather than base our work on an assumption that this was Russian espionage.

Image: Hillary Clinton’s campaign chairman, John D. Podesta, talking with reporters on Mrs. Clinton’s campaign plane en route to Raleigh, N.C., in late September. Credit: Doug Mills/The New York Times

What is often most fascinating when you do so-called narrative reconstructs like this is how seemingly minor events can in retrospect have such enormous consequences. Consider the case of Charles Delavan, an aide to Hillary Clinton’s campaign, who in March 2016 was forwarded the phishing email that had been sent to John D. Podesta, the chairman of the Clinton campaign. Mr. Delavan had been asked to advise Mr. Podesta if this was a real email from Google, asking him to change the password on his personal Gmail account, or a hoax, trying to hack into Mr. Podesta’s account.

The Clinton campaign, simultaneously, was the target of an aggressive cyberattack that relied in large part on near replicas of this same fake Google email, urging recipients to change their password. So Mr. Delavan, in an interview, said he immediately knew this was a fake. And to me, as a reporter, that was a plausible statement.

But somehow — and this action by Mr. Delavan remains inexplicable — he wrote back that the fake Google email was “legitimate,” leading Mr. Podesta or one of his aides to fall for the ruse. This opened up to the Russian hackers a decade’s worth of Mr. Podesta’s emails (60,000 in total), including those that contained copies of speeches Mrs. Clinton had given on Wall Street, as well as hundreds of private exchanges he had had with other close aides. All of these became public, causing a distraction to Mrs. Clinton’s campaign in its critical final month.

The mistake, Mr. Delavan said in the interview, is “the worst thing that ever happened in my life.” He has become a target of threats via Twitter, email and telephone, with one person even coming to his house in Brooklyn before the election to tell him, “You are going to make us lose the election.” It is a burden he will carry with him for the rest of his life.

As we moved toward wrapping up our reporting, the history almost overtook us.

Image: Police surround the Washington, D.C., pizza restaurant Comet Ping Pong after a man with an assault rifle opened fire there on December 4. Credit: Jim Lo Scalzo/European Pressphoto Agency

During one of these weekends, I happened to be at Politics and Prose, a popular Washington bookstore, interviewing a former D.N.C. staffer. At the same time, a gunman entered Comet Ping Pong, a pizza restaurant a few doors down, and fired his weapon. He was there to check out a fictional story suggesting that this pizza place was somehow the center of a child-trafficking ring. This conspiracy had been inspired — with no justification in reality — by the same set of emails stolen from John Podesta. The narrative of the Russian hacks we were reporting had driven right into this bookstore coffee shop. I wondered as I continued the interview, with police officers in body armor holding rifles right outside the window, should I crouch down under the table or keep talking? (Ultimately, I called the weekend editor in our Washington Bureau and wrote a breaking news story on the incident.)

The doorstopper-size history books we read make it seem like much of what happens as the pages turn is a matter of fate. It all had to happen that way, right? My impression is quite different. History, as this story once again illustrates, is marked by a lot of happenstance — small but consequential acts that ricochet out into the world, writing the narrative in real time as the events unfold.
