CHAMPAIGN — Early in the summer of 2016, before the public knew about leaked Democratic Party emails or Russian hackers, John Bambenek and other cybersecurity experts were brought in to help confirm the source of the breach.
The company where Bambenek worked, Fidelis Cybersecurity, was one of two private firms enlisted to verify the findings of Crowdstrike, hired by the Democratic National Committee to lead that effort.
The firms all concluded that the trail led back to Moscow, to a group of hackers they called “Fancy Bear,” which had been linked to Russian military intelligence.
Those findings were confirmed — and the hackers identified — on Friday when Deputy Attorney General Rod Rosenstein announced indictments against 12 Russian military officers for conspiring to interfere with the 2016 presidential election.
Bambenek said Friday he was stunned by the hackers’ sloppiness.
The indictment details, for instance, how the hackers used the same pool of the cryptocurrency Bitcoin to buy a virtual private network (VPN) account and to lease a server in Malaysia, then used that server to register the DCleaks.com website to disseminate emails. And the hackers opened the VPN account from the same server that was also used in the hacking of the Democratic National Committee’s networks.
“That kind of mistake is not viewed favorably in intelligence circles,” he said, where “compartmentalization” — creating different email accounts for everything so they can’t be tied together — is the rule.
“If you’re doing anything substantial on the internet,” Bambenek said, “it is really, really hard to be private, even if you’re an intelligence agency.”
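The linkage Bambenek describes is what threat-intelligence analysts call infrastructure pivoting: any two artifacts that share a payment source, a server or a login can be joined, and the joins chain. The following is an added example, not code from the article, the indictment or any of the firms named here. The entity names are constructed placeholders standing in for the kinds of records the indictment describes (a bitcoin funding pool, a VPN account, a leased server, a domain registration); it shows how a single shared resource collapses separately run personas into one cluster, and how the compartmentalized version of the same activity does not link.

```python
"""Link analysis over shared infrastructure (constructed example).

Entity names are placeholders, not real indicators. Each observation
is (entity_a, relation, entity_b): two artifacts seen together in one
record such as a payment, a login or a registration.
"""
from collections import defaultdict, deque

# Sloppy OPSEC, modelled on the chain the article paraphrases: one
# bitcoin pool pays for both the VPN account and the leaked-documents
# server, and the VPN account is opened from the intrusion server.
SLOPPY_OPSEC = [
    ("bitcoin_pool_1", "paid_for", "vpn_account_1"),
    ("bitcoin_pool_1", "paid_for", "server_malaysia"),
    ("server_malaysia", "registered", "dcleaks.com"),
    ("server_dnc_ops", "opened", "vpn_account_1"),
    ("server_dnc_ops", "registered", "malicious_domain_dnc"),
]

# The same operations with separate funding and separate servers for
# each activity: the compartmentalized version.
COMPARTMENTALIZED = [
    ("bitcoin_pool_1", "paid_for", "server_malaysia"),
    ("server_malaysia", "registered", "dcleaks.com"),
    ("bitcoin_pool_2", "paid_for", "vpn_account_1"),
    ("server_dnc_ops", "registered", "malicious_domain_dnc"),
]


def build_graph(observations):
    """Undirected adjacency: the relation type does not matter for pivoting."""
    graph = defaultdict(set)
    for a, _relation, b in observations:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def cluster_of(graph, start):
    """Every entity reachable from start through shared artifacts."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pivot_path(graph, src, dst):
    """Shortest chain of shared artifacts linking src to dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def linked(observations, a, b):
    """True when the observations tie entity a to entity b."""
    return pivot_path(build_graph(observations), a, b) is not None


if __name__ == "__main__":
    g = build_graph(SLOPPY_OPSEC)
    print("pivot chain:", " -> ".join(pivot_path(g, "dcleaks.com", "malicious_domain_dnc")))
    print("compartmentalized still linked?",
          linked(COMPARTMENTALIZED, "dcleaks.com", "malicious_domain_dnc"))
```

With the sloppy records, the leak site and the intrusion infrastructure sit in one cluster via the bitcoin pool and the VPN account; with separate funding and separate servers there is no path between them, which is what "compartmentalization" buys an operator and what its absence hands an investigator.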
Bambenek had been a threat systems manager at Fidelis for about a year and a half, specializing in intelligence, when the firm got the call from the DNC’s law firm asking it to back up Crowdstrike — also known as “Company 1” in the indictment.
“Because of the political ramifications that are obvious now — maybe even worse than they anticipated — they brought in other companies to verify their findings,” he said. “You can’t just say ‘Russia did it’ and not be sure about it.”
After Bambenek and other experts identified the malware and techniques used by the hackers — the same as those used by the GRU, Russia’s military intelligence arm — he worked on a similar breach at the Democratic Congressional Campaign Committee, or DCCC, to try to figure out who was responsible.
He exchanged a series of Twitter messages with “Guccifer 2.0,” another alias used by the hackers to promote the leaked emails, to see if it would reveal anything about them.
The hackers were looking for ways to disseminate damaging information and had apparently talked to a couple of Republicans “who were corrupt and willing to use that stuff as political advantage,” he said. Friday’s indictment also said a congressional candidate asked the hackers for dirt on his opponent.
Bambenek, a former Republican legislative candidate, asked Guccifer for any information that would be helpful in Illinois. He said he wanted to see if the hackers were savvy enough to identify a swing district, or had documents beyond what was stolen from the two Democratic campaign committees.
But Guccifer sent him documents about Bobby Rush, who had already been the subject of highly publicized ethics investigations.
“For the most part, I didn’t think they had any real granular political understanding. They didn’t have anything other than the DNC or DCCC documents,” he said.
Bambenek said he informed the FBI ahead of time “so nobody thought I was actually being a corrupt Republican.”
Eventually, Guccifer cut off conversations with Bambenek after realizing that his company was investigating the hackers, but it took a couple of months, he said.
“They made various levels of dumb mistakes. One of those was ever talking to me. I made no attempt to hide who I was,” said Bambenek, whose Twitter name now reads “John #GRUHunter Bambenek.”
He said Guccifer was actually multiple people, probably starting with a junior-level operative and later taken over by more senior officers as time went on.
While President Donald Trump and other Republicans criticize the inquiry as a “witch hunt,” Bambenek said GOP lawmakers were also targeted, including in Illinois.
He isn’t convinced the Russians necessarily wanted to get Trump elected and said he hasn’t seen clear evidence of collusion with the Trump campaign.
“Their primary objective is to diminish confidence in our institutions. They want a weaker and infighting America. In that respect, I think they succeeded,” he said.
“I don’t think they have any persistent love for Hillary (Clinton) or Trump. If you wanted a destabilized America, electing Trump, or getting Trump elected, would have sufficed for that objective,” he added. “But I think the Russians would just as much stick it to Republicans. And if they’re engaged in any real efforts in 2018, it’s probably going to be against the Republicans, and certainly in 2020. We’re the party in power. The best way to destabilize a country is to kick it to one extreme and the other.”
Asked if he is a Trump supporter, Bambenek said he wasn’t sure how to classify himself.
“I would put it this way: Around the middle of 2016, I woke up one day realizing I was a moderate, even though I hadn’t changed a single political position,” he said.
Bambenek, who is now vice president for intelligence for California-based Threatstop, is also president of Bambenek Consulting, which provides cybersecurity investigation and intelligence services.