One late morning in May 2016, the leaders of the Democratic National Committee huddled around a packed conference table and stared at Robert Johnston. The former Marine Corps captain gave his briefing with unemotional military precision, but what he said was so unnerving that a high-level DNC official curled up in a ball on her conference room chair as if watching a horror movie.
At 30, Johnston was already an accomplished digital detective who had just left the military’s elite Cyber Command, where he had helped stanch a Russian hack on the US military’s top leadership. Now, working for a private cybersecurity company, he had to brief the DNC — while it was in the middle of a white-knuckle presidential campaign — about what he’d found in the organization’s computer networks.
Their reaction was “pure shock,” Johnston recalled. “It was their worst day.”
Although the broad outlines of the DNC hack are now well-known, its details have remained mysterious, sparking sharp and persistent questions. How did the DNC miss the hack? Why did a private security consultant, rather than the FBI, examine its servers? And how did the DNC find Johnston’s firm, CrowdStrike, in the first place?
Johnston’s account — told here for the first time, and substantiated in interviews with 15 sources at the FBI, the DNC, and the Defense Department — resolves some of those questions while adding new information about the hack itself.
A political outsider who got the job essentially at random — the DNC literally called up CrowdStrike’s sales desk — Johnston was the lead investigator who determined the nature and scope of the hack, one he described less as a stealth burglary than as a brazen ransacking.
(A spokeswoman for the DNC, Xochitl Hinojosa, said DNC attorneys had called Crowdstrike's president, not the sales desk.)
Despite his central role, Johnston has never talked with investigators probing Russian interference, let alone with the media. But to people dealing with the crisis, “He was indispensable,” as a source close to the DNC put it.
Johnston was also largely on his own. The party had hired CrowdStrike essentially in place of the FBI — to this day, the Bureau has not had access to the DNC’s servers. DNC officials said they made the eyebrow-raising choice to go with a private firm because they were worried they’d lose control of their operations right in the middle of the campaign. Not only that, but the FBI was investigating Hillary Clinton’s use of a private email server. Better, the DNC figured, to handle things privately.
It was a decision that would cast a shadow of doubt over the investigation, even though cybersecurity experts have widely accepted Johnston's main findings.
In the conference room that day, as he unveiled his findings to Democratic Party officials and lawyers, then-chair Debbie Wasserman Schultz listened in via speakerphone. Johnston told them that their computer systems had been fully compromised — not just by one attack, but by two. Malware from the first attack had been festering in the DNC’s system for a whole year. The second infiltration was only a couple of months old. Both sets of malware were associated with Russian intelligence.
Most disturbing: The hackers had been gathering copies of all emails and sending them out to someone, somewhere. Every single email that every DNC staffer typed had been spied on. Every word, every joke, every syllable.
There was still no warning that Russia might try to interfere on Donald Trump’s behalf. So the DNC officials hammered Johnston with questions: What would happen with all their information? All that stolen data? What would the computer hackers do with it?
Johnston didn’t know. The FBI didn’t know.
The answers would come when the stolen emails were published by WikiLeaks in a series of devastating, carefully timed leaks. And the implications of what Johnston had found would come later, too: The Russian government may have been actively working against Hillary Clinton to help elect Donald Trump.
Growing up, Johnston was a jock, not a cybergeek. He wrestled for his high school in Satellite Beach, Florida, in the 165-pound weight class. As a teenager, one of his unusual hobbies was picking locks with paper clips and hairpins.
He had stellar grades, and he was admitted into the Naval Academy in Annapolis, Maryland, in 2004. “I never tinkered with computers,” he said. “I entered the Naval Academy as a wrestler, and that’s all I cared about.”
The only reason he ended up on the front lines against Russian hackers is that during his second semester he was required to choose a major, and he chose computer science because it was “marketable.” At first, he found it boring. Then, during his junior year, he took a computer security class. It changed his life.
The discipline of white-hat hacking, he said, was a bit like picking locks, back when he was a teenager. “This was like doing it with computers,” Johnston said. “We would learn how to break into computers, how to investigate, do forensics. It just interested me right away. Right then and there I wanted to do anything and everything cyber.”
Johnston graduated from the Naval Academy in 2008, and was commissioned as a second lieutenant in the Marine Corps, just when some branches of the military started to see cyber as the new battlespace. To “fly, fight and win,” an Air Force mission statement from the time boasted, “in air, space and cyberspace.”
But “the Marine Corps mindset” — with its proud emphasis on aggressive tactics — “hadn’t changed yet,” Johnston said. And that, paradoxically, made it a perfect place for him to learn and gain rank in the cyberworld. “Ascension was easy because nobody wanted to go into these jobs. They didn’t really understand that cyber was a battleground.”
He directed the Marine Corps Red Team, which tries to hack into the Corps computers to test its defenses. He was surprised how many well-trained military personnel fell for fake attacks. Right after the Snowden leaks in 2013, he said, the team sent out to 5,000 people inside the military a test: a phishing email, one that tries to trick recipients into clicking on a link, which installs malware. The subject line was: “SEAL team six conducts an operation that kills Edward Snowden.”
“We actually had to shut down the operation,” he said. “The phishing attack was too successful. The click rate was through the roof.”
In the spring of 2015, Johnston was a captain in the Marine Corps leading newly formed Cyber Protection Team 81, based near the NSA in Fort Meade, Maryland, as part of the military’s Cyber Command, or Cybercom.
On a Saturday around 2 a.m., Johnston received a call on his cell phone from his commanding officer. “The major said, ‘How fast can your guys be back in DC?’” Johnson recalled. “‘Tell them to meet at the Pentagon and you'll find out more there.’”
A malware attack against the Pentagon had reached the unclassified computers of the Joint Chiefs of Staff, the military’s top brass who advise the president. The malware had spread fast — in just five hours, it had compromised all five of the chairs’ laptops and all three of the vice chairs’ laptops and desktop computers.
Soon, Johnston and the others identified the malware. It was associated with APT 29, for “advanced persistent threat,” a hacker group widely believed to be linked to the FSB, Russia’s federal security service.
Johnston said the phishing campaign against the Joint Chiefs stood out. Usually, he said of Russian hackers, “their operations are very surgical. They might send five phishing emails, but they're very well-crafted and very, very targeted.” But this time it was a broadside. “The target list was, like, 50 to 60,000 people around the world. They hit them all at once.” It’s rare, he said, for “an intel service to be so noisy.”
By “noisy,” he means that the attackers were drawing a huge amount of attention, sending out 50,000 phishing emails, as if they didn’t care that anyone knew what they were doing.
Along with Johnston and his military cyber team, NSA employees, and contractors from McAfee and Microsoft were also on site, working on the hack, wiping the system and rebuilding it. Johnston and his team worked around the clock, in two shifts. “Host forensics guys are finding malware, handing it to the malware reverse engineering team who's reversing it, finding network indicators, giving it to the network guys,” he recalled. “Network guys are scoping, finding out where else they are, and tracking down all the compromised machines.”
Johnston’s team concluded that the Russian hackers took some nonclassified emails and other information but not a lot. The biggest challenge after containing a breach of this magnitude, he said, is you can never be 100% sure that the hackers have been “kicked out” of the system.
Retired Lt. Gen. Mark Bowman, who oversaw cyber at the Joint Chiefs at the time, worked closely with Johnston on the operation. He told BuzzFeed News, "We had to build the network back from bare metal. Watching Robert and his team do that was unbelievable. That guy flat-out amazed me."
Still, the mission was a big one for Cybercom, and Johnston felt like he had hit a career “home run.”
He left the Marine Corps as a captain, and in November 2015, he signed up to work for CrowdStrike, a well-known cyberprotection company whose president, Shawn Henry, is a former head of the FBI’s Cyber Division. CrowdStrike declined to comment about Johnston's work.
Johnston didn’t know it, but in September 2015 as he was getting ready to leave the Marines, the NSA informed the FBI that DNC computers had likely been hacked, three sources said. An FBI agent then called the DNC’s IT office and said that the organization’s servers had been compromised.
That part of the story has been told — how little was done for seven months. The FBI periodically tried to get in touch with the organization, but the DNC did not believe the threat was real.
Finally, in April, the DNC IT department became convinced that there was a problem, and top Democratic officials became worried. But even then, they didn't call the FBI. They called the sales desk at CrowdStrike. (Last week, lawyers for BuzzFeed subpoenaed both the DNC and CrowdStrike for information about the hack and the investigation into it. The subpoena was not related to this story but to a libel suit filed by a Russian businessman named in the Trump dossier published by BuzzFeed News in January.)
At CrowdStrike, the case was assigned to Johnston, new to the company but with battle-tested skills, who soon ended up on the phone with the DNC IT chief.
“The FBI thinks we have a problem, something called ‘Dukes,’” Johnston said the IT employee told him. The Dukes is another name for APT 29, the hackers who Johnston had battled before, at the Joint Chiefs.
Johnston sent the DNC a script to run on all its servers, and then collected the output code. To an outsider it might have looked like a tedious job to examine long strings of data. But within an hour Johnston had it: an unmistakable string of computer code — sabotage — that didn’t belong in the system. It was “executable file paths” — evidence of programs — that didn’t belong there. They stood out like a shiny wrench left in a car engine.
And in fact, Johnston had seen this particular piece of code before, back when he was at the Pentagon. So it was easy to recognize this nemesis. He knew who had sent it by the telltale signatures. “This was APT 29,” he said. Later, when he had spent more time analyzing the DNC hack, he would come to believe that the Democrats had been compromised by the same blast of 50,000 or so phishing emails that had breached the computers of the Joint Chiefs.
When he briefed the DNC in that conference room, Johnston presented a report that basically said, “They’ve balled up data and stolen it.” But the political officials were hardly experienced in the world of intelligence. They were not just horrified but puzzled. “They're looking at me,” Johnston recalled, “and they're asking, ‘What are they going to do with the data that was taken?’”
Back then, no one knew. In addition to APT 29, another hacking group had launched malware into the DNC’s system. Called APT 28, it’s also associated Russian intelligence. Andrei Soldatov, a Russian investigative journalist and security expert, said it’s not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack.
So, Johnston said, “I start thinking back to all of these previous hacks by Russia and other adversaries like China. I think back to the Joint Chiefs hack. What did they do with this data? Nothing. They took the information for espionage purposes. They didn’t leak it to WikiLeaks.”
So, Johnston recalled, that’s what he told the DNC in May 2016: Such thefts have become the norm, and the hackers did not plan on doing anything with what they had purloined.
Johnston kicks himself about that now. “I take responsibility for that piece,” he said.
The DNC and CrowdStrike, now working with the FBI, tried to remove all remaining malware and contain the problem. And they decided on a public relations strategy. How could the DNC control the message? “Nothing of that magnitude stays quiet in the realm of politics,” Johnston said. “We needed to get in front of it.” So, Johnston said, in a story confirmed by DNC officials, CrowdStrike and the DNC decided to give the story to the Washington Post, which on June 14, 2016, published the story: “Russian government hackers penetrated DNC, stole opposition research on Trump.” “I thought it was a smart move,” Johnston said.
But it may have backfired.
One day after the Post article, a Twitter user going by the name Guccifer 2.0 claimed responsibility for the hack and posted to the internet materials purportedly stolen from the DNC’s server.
Johnston thinks the Washington Post story changed the tactics of the cyberattackers. “We accelerated their timeline. I believe now that they were intending to release the information in late October or a week before the election,” he said. But then they realized that “we discovered who they were. I don't think the Russian intelligence services were expecting it, expecting a statement and an article that pointed the finger at them.”
A month later, in late July 2016, WikiLeaks began to release thousands of emails hacked from the DNC server. Those leaks, intelligence officials would say, were carefully engineered and timed.
The stolen emails wreaked havoc. Wasserman Schultz, then the chair of the DNC, was replaced by Donna Brazile, who just published a new book, Hacks, about the Russian break-in at the DNC.
“CrowdStrike did a remarkable job helping the DNC remediate our system post hacking. Sadly, we should have known more, but that’s all part of history,” Brazile told BuzzFeed News.
Johnston wrapped up his work with the DNC in July 2016. He also left CrowdStrike and started his own cybersecurity firm, Adlumin, based in Washington, DC.
He’s well aware of the grim fact that it was his analysis that helped lay the groundwork that would eventually lead to the investigation by special counsel Robert Mueller, to multiple probes on Capitol Hill, and to the findings about Russia’s intervention on Facebook and Twitter. If the DNC hack hadn’t been traced to Russia, much of that might never have emerged.
Johnston has managed to maintain a low profile for the last year and half, even as Washington has obsessed over Trump and Russia. He hasn’t been in hiding, he said. Over a steak and Scotch at a DC restaurant, he said he just hadn’t talked about it for a simple reason: No one asked him to. ●
This story was updated with the DNC's response.
Jason Leopold is a senior investigative reporter for BuzzFeed News and is based in LA. Recipient: IRE 2016 FOI award; Newseum Institute National Freedom of Information Hall of Fame. PGP fingerprint 46DB 0712 284B 8C6E 40FF 7A1B D3CD 5720 694B 16F0. Contact this reporter at firstname.lastname@example.org
Contact Jason Leopold at email@example.com.
Got a confidential tip? Submit it here.