The Washington PostDemocracy Dies in Darkness

Documents shed light on Russian hacking of Democratic Party leaders

Former British spy Christopher Steele painted a lurid portrait of a purported alliance between Donald Trump’s presidential campaign and Russia.
Former British spy Christopher Steele painted a lurid portrait of a purported alliance between Donald Trump’s presidential campaign and Russia. (Victoria Jones/AP)

Documents unsealed Thursday in a lawsuit have shed new light on how hackers breached Democratic Party email accounts before the 2016 election.

The documents include a forensic analysis by a former top official in the FBI’s cybercrime division, which concluded that a Web server company owned by a Russian Internet entrepreneur was used by Russian operatives to hack Democratic Party leaders.

The Russian businessman, Aleksej Gubarev, has denied involvement in the hack, and his lawyers argued for months that the forensic analysis should be kept under seal and hidden from public view.

The analysis was completed as part of a federal lawsuit Gubarev filed in Florida against BuzzFeed, the online news outlet. Gubarev argued BuzzFeed defamed him by publishing a dossier written by former British spy Christopher Steele. The dossier alleged that hackers used servers from two of Gubarev’s companies — Webzilla and its parent company XBT Holding.

The Russia probe got its start with a drunken conversation, an ex-spy, WikiLeaks and a distracted FBI. (Video: Meg Kelly/The Washington Post)

The 35-page Steele dossier also alleged that Gubarev played a “significant” role in the hacking operation “under duress” from the Russian security agency FSB. Gubarev has also denied that allegation — and the new forensic analysis, conducted by an expert paid by BuzzFeed as part of the suit, provides no evidence to support the claim that Gubarev was involved.

A federal judge sided with BuzzFeed in the libel suit in December, holding that the dossier had become the subject of an ongoing government investigation and that reporting on that investigation was a matter of public interest.

‘The public has a right to know’: BuzzFeed prevails in Russian tech mogul’s defamation suit over Steele dossier

Gubarev has appealed the decision, but in the meantime the New York Times asked that the judge unseal evidence that had been submitted in the case. U.S. District Court Judge Ursula Ungaro had ordered that the vast majority of material in the case, including legal briefs and depositions from several key players, be unsealed by Thursday.

Steele was hired to research Trump and Russia by Fusion GPS, a Washington political intelligence firm whose work at the time was funded by a law firm representing Hillary Clinton’s campaign and the Democratic National Committee. In court filings, Steele has said the reports represented raw and unconfirmed intelligence gathered from his sources.

The Steele dossier alleged that the Trump campaign was engaged in a broad conspiracy with the Russian government and that the Kremlin held damaging compromising information about Trump. Republicans have characterized the document as a political hit job and said that the FBI took it too seriously.

In an excerpt of a deposition with Steele in London also unsealed Thursday, Steele said he had not intended for the information to be published and had cautioned that it came from human sources. Asked why he offered such caveats, he said “because human intelligence is not a science. It is a complicated set of principles and information which have to be analyzed in an equally complicated and thorough way.”

The forensic analysis was conducted by Anthony Ferrante, global head of cybersecurity at FTI Consulting. He is a former chief of staff of the FBI’s Cyber Division and a former White House cyber official.

The report concluded that technical evidence “suggests that Russian cyber espionage groups used XBT infrastructure to support malicious spear phishing campaigns against the Democratic Party leadership” that resulted in the theft of emails from Clinton’s campaign chairman, John Podesta.

The report also said that “technical evidence” suggests that Fancy Bear, a Russian military spy group that has been linked to the hack of the Democratic National Committee, has used an XBT-owned Internet address in the past.

Podesta was hacked when he or an aide clicked on a malicious link in an email. The link was created on a server belonging to Root S.A., which is owned by XBT.

“FTI cannot definitively state that the [link] . . . was ever sent to or received by John Podesta,” Ferrante wrote in the report. But, he added, technical evidence shows the link was created “with the intent” to steal Podesta’s email credentials as part of the campaign against the Democratic Party leadership.

In a deposition conducted as part of the libel suit, also unsealed Thursday, Ferrante testified that “the malicious cyber activity described in the Steele dossier was facilitated by using their (XBT Webzilla) infrastructure.”

Although the infrastructure probably was used repeatedly, Ferrante testified that he could not show the company was aware of how it was being used, indicating he had “no evidence of them actually sitting behind a keyboard.” Ferrante declined to comment Thursday.

Hero or hired gun? How a British former spy became a flash point in the Russia investigation.

An attorney for Gubarov, Evan Fray-Witzer, ridiculed the report.

“Having spent $4.5 million and not being able to substantiate the allegations made in the dossier, they pivoted to try and show that our networks might have been used — and they didn’t even prove that conclusion.”

Fray-Witzer said the idea that Webzilla could be held responsible for others using its infrastructure to conduct malicious activity was absurd.

“Trying to blame XBT for this is like trying to blame Verizon for everything bad that happens on the Internet because they happen to own some of the fiber cables,” he said.

Fray-Witzer also said that Gubarev has been willing to cooperate with special counsel Robert S. Mueller III’s inquiry in to the Russian hacking of Democratic Party leaders but has never been contacted.

“I think the government understood from the get-go that he had nothing to do with it,” he said.

A cyber expert hired by Gubarev, Eric Cole, said in a dueling forensic report that Ferrante’s analysis failed to provide “actual supporting evidence” for the defendants’ claim that botnets and porn traffic hosted by XBT or its companies facilitated the email theft of the Democratic Party leadership.

Cole said Ferrante’s finding that an IP address owned by an XBT company was used to create a malicious link did not provide proof of complicity. “IP addresses of many large companies have been used in attacks unbeknownst to the company that owns the IP address,” he wrote.

Put another way, he said, “Is a local post office liable for the intent and content of the mail it transports” out of its office?

Alice Crites contributed to this report.