The Marines have fought in every clime and place where they could take a gun. But it turns out they’re pretty good at doing “the cyber,” too.
Just take former Marine Capt. Robert Johnston: U.S. Naval Academy wrestler and comp sci major, organizer of the Marine Corps’ Red Team of counter-hackers, veteran of U.S. Cyber Command — and, in May 2016, the leader of the private security team that investigated the hacking of the Democratic National Committee’s servers and concluded with certainty that Russian intelligence did the deed.
Johnston, a former investigator with the security firm CrowdStrike, spoke openly for the first time about his work in an interview Nov. 8 with BuzzFeed national security reporter Jason Leopold, characterizing the DNC hack as more of a “brazen ransacking” than a “stealthy burglary.”
“Johnston has managed to maintain a low profile for the last year and half, even as Washington has obsessed over Trump and Russia,” Leopold explains. “He hasn’t been in hiding, he said… he just hadn’t talked about it for a simple reason: No one asked him to.”
Johnston’s work isn’t political: He’s just really, really good at spotting, exploiting, and eliminating weaknesses in vital systems. You know, like a Marine.
How was Johnston sure that the Russians were behind the DNC hack? Because he’d seen their malicious code before: In 2015, while working at Ft. Meade, the Marine was assigned to investigate malware, delivered by a phishing campaign, that had rapidly spread through the computers of the Joint Chiefs of Staff:
Soon, Johnston and the others identified the malware. It was associated with APT 29, for “advanced persistent threat,” a hacker group widely believed to be linked to the FSB, Russia’s federal security service.
Johnston said the phishing campaign against the Joint Chiefs stood out. Usually, he said of Russian hackers, “their operations are very surgical. They might send five phishing emails, but they’re very well-crafted and very, very targeted.” But this time it was a broadside. “The target list was, like, 50 to 60,000 people around the world. They hit them all at once.” It’s rare, he said, for “an intel service to be so noisy.”
While still puzzling over the Russians’ methods, Johnston helped the JCS firm up its security measures. “We had to build the network back from bare metal,” retired lieutenant general Mark Bowman, then the joint chiefs’ top cyber officer, told BuzzFeed. “Watching Robert and his team do that was unbelievable. That guy flat-out amazed me.”
Today is my last day. It's been a good ride. Off to the next adventure. pic.twitter.com/bgOJYs2ve5
— Robert Johnston (@dvgsecurity) October 28, 2015
By mid-2016, Johnston was off active duty and working for CrowdStrike when the DNC called asking for help with a security breach. The FBI had told the political committee its servers had been compromised, but rather than bringing in the feds, its leadership reached out to CrowdStrike, whose services arm is led by former FBI cyber chief Shawn Henry. It didn’t take long for CrowdStrike’s former Marine to assess the situation:
Johnston sent the DNC a script to run on all its servers, and then collected the output code. To an outsider it might have looked like a tedious job to examine long strings of data. But within an hour Johnston had it: an unmistakable string of computer code — sabotage — that didn’t belong in the system. It was “executable file paths” — evidence of programs — that didn’t belong there. They stood out like a shiny wrench left in a car engine.
And in fact, Johnston had seen this particular piece of code before, back when he was at the Pentagon. So it was easy to recognize this nemesis. He knew who had sent it by the telltale signatures. “This was APT 29,” he said. Later, when he had spent more time analyzing the DNC hack, he would come to believe that the Democrats had been compromised by the same blast of 50,000 or so phishing emails that had breached the computers of the Joint Chiefs.
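The kind of triage described above, in which one script is run across every host and the collected executable paths are compared against what is supposed to be there, can be shown as an added example. The Python below is not CrowdStrike’s script and is not from the BuzzFeed profile; the hostnames, process paths and known-good list are constructed for illustration and none of them is a real indicator of compromise. It goes slightly beyond the passage by also flagging binaries that run from world-writable or hidden directories and by reporting how many hosts each path appears on, which is how a hunter separates a one-off oddity from fleet-wide software.

```python
"""
Baseline-diff triage of executable paths collected from many hosts.

Added example: not CrowdStrike's collection script and not from the
BuzzFeed profile. Every host, path and baseline entry below is constructed
for illustration; none is a real indicator of compromise.
"""
from collections import defaultdict

# Constructed "known-good" set. In practice this comes from a golden image
# or a software inventory, never from the suspect hosts themselves.
BASELINE = {
    "/usr/lib/systemd/systemd",
    "/usr/sbin/sshd",
    "/usr/sbin/httpd",
    "/usr/bin/postgres",
    "/usr/bin/python3",
}

# Directories any local user can write to; a long-lived service binary
# has no business executing from here.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample of what a collector script might emit, one record
# per running process: host<TAB>pid<TAB>executable path
COLLECTED = """\
web01\t1\t/usr/lib/systemd/systemd
web01\t812\t/usr/sbin/sshd
web01\t901\t/usr/sbin/httpd
web01\t4410\t/tmp/.cache/svchost
db01\t1\t/usr/lib/systemd/systemd
db01\t644\t/usr/bin/postgres
db01\t655\t/usr/sbin/sshd
mail01\t1\t/usr/lib/systemd/systemd
mail01\t700\t/usr/sbin/sshd
mail01\t3100\t/var/tmp/.x/update
mail01\t3101\t/usr/bin/python3
"""


def parse_records(text):
    """Parse 'host<TAB>pid<TAB>path' lines into (host, pid, path) tuples.

    Blank lines and '#' comments are skipped so the collector output can
    carry a header without breaking the parser.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, pid, path = line.split("\t", 2)
        records.append((host, int(pid), path))
    return records


def triage(records, baseline):
    """Return {path: {"hosts": [...], "prevalence": "k/n", "reasons": [...]}}
    for every executable path that deserves a human look.

    A path is flagged when it is absent from the baseline, executes from a
    world-writable directory, or contains a hidden ('.'-prefixed) component.
    Prevalence (hosts seen on / hosts collected from) is reported for every
    finding so that a binary on 1 of 300 hosts stands out from one on all 300.
    """
    by_path = defaultdict(set)
    hosts = set()
    for host, _pid, path in records:
        by_path[path].add(host)
        hosts.add(host)

    findings = {}
    for path, seen_on in by_path.items():
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if path.startswith(SUSPECT_DIRS):
            reasons.append("executes from world-writable directory")
        if any(part.startswith(".") for part in path.split("/") if part):
            reasons.append("hidden path component")
        if reasons:
            findings[path] = {
                "hosts": sorted(seen_on),
                "prevalence": f"{len(seen_on)}/{len(hosts)}",
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for path, info in sorted(triage(parse_records(COLLECTED), BASELINE).items()):
        print(f"{path}  [{info['prevalence']} hosts: {', '.join(info['hosts'])}]")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Run on the constructed sample, the two binaries under `/tmp` and `/var/tmp` are the only findings, each on a single host out of three; everything in the baseline is silent. The baseline check is the one that scales, since it needs no prior knowledge of the attacker, but it is only as trustworthy as the source of the baseline, which is why it must not be built from the hosts under investigation.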
What had the Russkies stolen, and what were they going to do with it? It wasn’t clear at the time. But when pilfered DNC emails started appearing on WikiLeaks in July 2016, they made a big splash in an already topsy-turvy U.S. election cycle.
Johnston’s work stands as a pretty compelling rebuke to Americans, many of them service members, who flatly deny Russia was behind the DNC hack and assemble elaborate conspiracy theories to make their case.
In fact, the most dramatic and disturbing part of Buzzfeed’s profile of Johnston isn’t DNC-related at all: It’s about his work on that Marine Corps Red Team, where he learned that some of America’s toughest, bravest warriors are also the easiest to hack with dumb “fake news” emails:
He was surprised how many well-trained military personnel fell for fake attacks. Right after the Snowden leaks in 2013, he said, the team sent out to 5,000 people inside the military a test: a phishing email, one that tries to trick recipients into clicking on a link, which installs malware. The subject line was: “SEAL team six conducts an operation that kills Edward Snowden.”
“We actually had to shut down the operation,” he said. “The phishing attack was too successful. The click rate was through the roof.”
The first rule of cyber is: Don’t click that chain email, dude, no matter how much you want Edward Snowden to end up perforated by operators.