Adlumin Launches Seamless Turnkey Data Retention Service for Financial Institutions

Snapshot 365 simplifies and automates PCI-DSS-required data storage.


Adlumin has launched an automated service called Snapshot 365 that allows financial institutions to comply with data storage requirements immediately. Snapshot 365 answers the need of financial institutions to store their firewall, security, and IT log data for the full 12 months required by PCI-DSS as well as by FDIC and NCUA regulations.

Financial institutions face an increasingly alarming security environment in which hackers breach consumer data, ransomware attacks proliferate, and horror stories abound of data theft by disgruntled or terminated employees.

“Given that the average dwell time for the detection of threats is in excess of 200 days, Snapshot 365 provides a truly revolutionary addition to Financial Sector security and SIEM solutions,” said Adlumin Co-Founder and CEO Robert Johnston. “Snapshot 365 is more than an answer to regulatory requirements, it is a vital piece of a financial institution’s data security arsenal.”

Snapshot 365 gives customers access to three months of “hot” searchable encrypted data and nine months of “warm” encrypted data, all analyzed using Adlumin’s serverless artificial intelligence architecture. Snapshot 365 safely and securely stores data to ensure it is available to the bank or credit union at a moment’s notice.

Snapshot 365 uses a combination of hot and warm storage to lower the overall cost of the service. Typically, institutions can purge the data after a successful audit report is completed, then rely on the audit report to address any compliance questions that arise. In an audit, this kind of consistency can be the difference between passing and failing.

“A lot of banks and credit unions view data storage as a complicated task that they often avoid, despite the regulatory requirements,” said Johnston. “That puts them at extreme risk of fines — or worse — should a breach occur. Snapshot 365 inexpensively automates the data storage process. You turn it on and it just works. No more risk, no more worry, no more hassle.”

Adlumin Introduces New Integrations to its Market Leading Cloud-Native AI SIEM Platform

Adlumin has raised the bar yet again in helping corporations secure sensitive data by developing and introducing its first-ever cloud-native AI-powered security information and event management (SIEM) technology that is easy to integrate, easy to use, and very cost effective.

“In today’s threat environment, companies need more than just data. They must be able to track and search a variety of data points simultaneously and in real-time — which is simply not possible relying on human analysis,” explained Johnston. “That’s the beauty of our proprietary serverless SIEM. We combine the power of AI with the efficiency of the cloud to deliver unparalleled user and entity behavior analytics (UEBA) through a single pane of glass.”

Adlumin’s cloud-native AI collects and indexes data feeds from a comprehensive array of sources — including network traffic, web servers, VPNs, firewalls, custom applications, application servers, hypervisors, GPS systems, and preexisting structured databases — then runs sophisticated analytics and machine learning to determine what is anomalous and what is malicious. Adlumin’s SIEM integrations increase the value and efficacy of platforms such as Cisco, Carbon Black, Palo Alto Networks and many others.

“Adlumin makes the power of SIEM technology accessible and affordable,” said Co-Founder and CEO Robert Johnston. “Our cloud data capabilities bring the most cost efficient SIEM to the marketplace, freeing companies to benefit from the technology without needing a Ph.D. on staff to operate it. Even a young college graduate can operate this, because we use AI to do the heavy lifting of comparing across data points.”

This technology is especially needed by medium-sized and enterprise businesses, which today face a growing array of cyber threats yet often have budget constraints that limit their ability to protect themselves.

About Adlumin
Adlumin was founded literally to “add light” to customers’ cyber security processes by helping them comply, detect, prioritize, and respond in real-time. Adlumin revolutionizes the way corporations secure sensitive data, by providing real-time visibility and analysis using machine learning and industry expertise from the world’s finest investigators and the U.S. intelligence community.


In the lead piece in this package, Idaho National Lab’s Andy Bochman puts forth a provocative idea: that no amount of spending on technology defenses can secure your critical systems or help you keep pace with hackers. To protect your most valuable information, he argues, you need to move beyond so-called cyber hygiene, the necessary but insufficient deployment of security software and network-monitoring processes.

ABOVE: Forts like HM Fort Roughs were marvels of defensive engineering at the time: capable of being brought to sea, sunk in place, and fully operational within 30 minutes.

Bochman lays out a framework that requires switching your focus from the benefits of efficiency to the costs. Ideas that were once anathema — unplug some systems from the internet, de-automate in some places, insert trusted humans back into the process — are now the smart play.

But they’re not the only play. Another that’s gaining attention is “active defense.” That might sound like Orwellian doublespeak, but it’s a real strategy. It involves going beyond passive monitoring and taking proactive measures to deal with the constant attacks on your network.

There’s just one problem: As active defense tactics gain popularity, the term’s definition and tenets have become a muddy mess. Most notably, active defense has been conflated with “hacking back” — attacking your attackers. The approaches are not synonymous; there are important differences with respect to ethics, legality, and effectiveness.

Active defense has a place in every company’s critical infrastructure-protection scheme. But to effectively deploy it, you need a proper understanding of what it is — and that’s tougher to come by than you might expect.

We enlisted two of the foremost experts on the topic to help us proffer an authoritative definition of active defense and give you a fundamental understanding of how to deploy it.

Dorothy Denning was an inaugural inductee into the National Cyber Security Hall of Fame. A fellow of the Association for Computing Machinery and a professor at the Naval Postgraduate School, she has written several books on cybersecurity, including Information Warfare and Security. She also coauthored a landmark paper on active defense, which states, “When properly understood, [active defense] is neither offensive nor necessarily dangerous.”

Robert M. Lee is a cofounder of Dragos, an industrial security firm. He conducted cyber operations for the NSA and U.S. Cyber Command from 2011 to 2015. In October 2017 his firm identified the first known malware written specifically to target industrial safety systems — in other words, its sole purpose was to damage or destroy systems meant to protect people. (The malware had been deployed that August against a petrochemical plant in Saudi Arabia, but the attack failed.) When asked about active defense, Lee sighs and asks flatly, “How are you defining it?” You can tell he’s had this conversation before. The number of people co-opting the term seems to have wearied him, and he’s happy to help bring clarity to the idea.

The following FAQ primer draws on interviews with Denning and Lee.

What exactly is active defense, also known as active cyber defense?

It depends on whom you ask. The term has almost as many definitions as it does citations. NATO defines active defense this way: “A proactive measure for detecting or obtaining information as to a cyber intrusion, cyber attack, or impending cyber operation or for determining the origin of an operation that involves launching a preemptive, preventive, or cyber counter-operation against the source.”

A solid working definition can be found in Denning’s paper with Bradley J. Strawser, “Active Cyber Defense: Applying Air Defense to the Cyber Domain”: “Active cyber defense is a direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets.”

That sounds like offense, but Lee and Denning note that it describes a strictly defensive action — one taken in reaction to a detected infiltration. Lee argues that there’s a border distinction: Active defense happens when someone crosses into your space, be it over a political boundary or a network boundary. But Denning says that’s probably too simple, and below we’ll see a case in which the line is blurred. Lee says, “Most experts understand this, but it’s important to point out, especially for a general audience. You are prepared to actively deal with malicious actors who have crossed into your space. Sending missiles into someone else’s space is offense. Monitoring for missiles coming at you is passive defense. Shooting them down when they cross into your airspace is active defense.”

Can you give some other examples?

Denning says, “One example of active cyber defense is a system that monitors for intrusions, detects one, and responds by blocking further network connections from the source and alerting the system administrator. Another example is taking steps to identify and shut down a botnet used to conduct distributed denial-of-service (DDoS) attacks.” It’s the verbs “responds” and “shut down” that make these instances of active defense. An example of passive defense, in contrast, is an encryption system that renders communications or stored data useless to spies and thieves.

Is active defense only an information security concept?

Not at all. Some argue that it dates back to The Art of War, in which Sun Tzu wrote, “Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.” Centuries later Mao Zedong said, “The only real defense is active defense,” equating it to the destruction of an enemy’s ability to attack — much as aggressive tactics in active cyber defense aim to do. The term was applied in the Cold War and, as Denning and Strawser’s paper makes clear, is a core concept in air missile defense. Tactics are tactics; all that changes is where they’re employed.

That seems pretty straightforward. So why the uncertainty around the definition?

As noted earlier, hacking back — also not a new term — has confused matters. Properly used, it refers to efforts to attack your attackers on their turf. But because people often fuse it with active defense, difficult and sometimes frustrating disputes over the merits of active defense have ensued. One research paper went so far as to equate the two terms, starting its definition, “Hack back — sometimes termed ‘active defense’…”

The confusion multiplied in October 2017, when Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ) introduced the Active Cyber Defense Certainty (ACDC) bill, which would allow companies to gain unauthorized access to computers in some situations in order to disrupt attacks. The lawmakers called this active defense. The media called it the “hack back bill.” What it would and would not allow became the subject of hot debate. The idea that companies could go into other people’s infected computers wasn’t welcomed. Some savaged the bill. The technology blog network Engadget called it “smarmy and conceited” and observed, “When you try to make laws about hacking based on a child’s concept of ‘getting someone back,’ you’re getting very far and away from making yourself secure. It’s like trying to make gang warfare productive.” The bill went through two iterations and is currently stalled.

But is hacking back part of active defense?

Probably not. Lee says unequivocally, “Hacking back is absolutely not active defense. It’s probably illegal, and it’s probably not effective. We don’t have evidence that attacking attackers works.” Denning has a somewhat different take. “Hacking back is just one form of active defense,” she says. “It might be used to gather intelligence about the source of an intrusion to determine attribution or what data might have been stolen. If the attacker is identified, law enforcement might bring charges. If stolen data is found on the intruder’s system, it might be deleted. Hacking back might also involve neutralizing or shutting down an attacking system so that it cannot cause further damage.”

But Lee and Denning are defining the term differently. And Denning’s version refers to actions undertaken with proper authority by government entities. When it comes to hacking back on the part of businesses, the two experts are in total agreement: Don’t do it. Denning says, “Companies should not hack back. The Department of Justice has advised victims of cyberattacks to refrain from any ‘attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack.’ The advice contends that ‘doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability.’”

What’s an example of an aggressive form of active defense that some might consider hacking back?

Denning says, “One of my favorite examples of active defense led to the exposure of a Russian hacker who had gotten malicious code onto government computers in the country of Georgia. The malware searched for documents using keywords such as ‘USA’ and ‘NATO,’ which it then uploaded to a drop server used by the hacker. The Georgian government responded by planting spyware in a file named ‘Georgian-NATO Agreement’ on one of its compromised machines. The hacker’s malware dutifully found and uploaded the file to the drop server, which the hacker then downloaded to his own machine. The spyware turned on the hacker’s webcam and sent incriminating files along with a snapshot of his face back to the Georgian government.

Is that hacking back? I don’t think so. It was really through the hacker’s own code and actions that he ended up with spyware on his computer.”

Note that the actions were taken by a government and occurred within its “borders”; Georgia put the spyware on its own computer. It did not traverse a network to hit another system. It was the hacker’s action of illegally taking the file that triggered the surveillance.

If it’s probably illegal and ineffective, why is hacking back getting so much press?

Companies are weary. “They are under constant attack and working so hard and spending so much just to keep up, and they can’t keep up,” Lee says. “This is a moment when we’re looking for new ideas. That’s why Bochman’s concept of unplugging systems and not always going right to the most efficient solution is starting to be heard. Hacking back feels like another way to turn the tide. Cybersecurity loves a silver bullet, and this feels like one. CEOs are probably thinking, ‘Nothing else has worked; let’s fight.’” Lee has heard many business leaders express these sentiments, especially if their companies have suffered damaging attacks. “This is an emotional issue,” he says. “You feel violated, and you want to do something about it.”

In a paper titled “Ethics of Hacking Back,” Cal Poly’s Patrick Lin captures the sense of utter vulnerability that could lead some to desire vigilante justice:

In cybersecurity, there’s a certain sense of helplessness — you are mostly on your own. You are often the first and last line of defense for your information and communications technologies; there is no equivalent of state-protected borders, neighborhood police patrols, and other public protections in cyberspace.

For instance, if your computer were hit by “ransomware” — malware that locks up your system until you pay a fee to extortionists — law enforcement would likely be unable to help you. The U.S. Federal Bureau of Investigation (FBI) offers this guidance: “To be honest, we often advise people to just pay the ransom,” according to Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program.

Do not expect a digital cavalry to come to your rescue in time. As online life moves at digital speeds, law enforcement and state responses are often too slow to protect, prosecute, or deter cyberattackers. To be sure, some prosecutions are happening but inconsistently and slowly. The major cases that make headlines are conspicuously unresolved, even if authorities confidently say they know who did them.

What are the ethics of hacking back?

For the most part, experts say that hacking back without legal authorization or government cooperation is unethical. And whenever activities leave your boundaries, it’s hard to condone them. The targets are too evasive, and the networks are too complex, traversing innocent systems and affecting the people working with them. In addition, Lee points out that government entities might be tracking and dealing with malicious actors, and hacking back could compromise their operations. “Leave it to the pros,” he says.

Denning stresses that unintended consequences are not just possible but likely. She says, “The biggest risks come when you start messing with someone else’s computers. Many cyberattacks are launched through intermediary machines that were previously compromised by the attacker. Those computers could be anywhere, even in a hospital or power plant. So you don’t want to shut them down or cause them to malfunction.”

What kind of work is under way with regard to ethics?

According to Denning, researchers began wrestling with these issues as early as 2006. Speaking about a workshop she participated in, she says, “I recall discussions about measures that involved tracing back through a series of compromised machines to find the origin of an attack. Such tracebacks would involve hacking into the compromised machines to get their logs if the owners were not willing or could not be trusted to help out.”

A decade later Denning collaborated with Strawser to examine the morality of active defense writ large, using the ethics of air defense and general war doctrine as a guide. They wrote that harm to “non-combatants” — especially and most obviously physical harm — disqualifies an active defense strategy. But they say that “temporary harm to the property of non-combatants” is sometimes morally permissible. (It should be noted that Denning is primarily focused on the government use of active cyber defense strategies.) Denning cites the takedown of Coreflood — malware that infected millions of computers and was used as a botnet. The Justice Department won approval to seize the botnet by taking over its command-and-control servers. Then, when the bots contacted the servers for instructions, the response was essentially, “Stop operating.” In the instance of Coreflood, as in some similar cases, a judge decided that the actions could proceed because they could shut down major malicious code without damaging the infected systems or accessing any information on them.

“The effect was simply to stop the bot code from running. No other functions were affected, and the infected computers continued to operate normally,” Denning says. “There was virtually no risk of causing any harm whatsoever, let alone serious harm.”

Still, the case may have set a precedent for at least the suggestion of more-aggressive measures, such as the ACDC bill. If the government can take control of command-and-control servers, it can, in theory, do more than just tell the bots to shut down. Why not grab some log files at the same time? Or turn on the webcam, as in the Georgian-NATO case? Oversight is needed in all active defense strategies.

How can I deploy an ethical and effective active defense strategy?

If you have or subscribe to services that can thwart DDoS attacks and create logs, you’ve already started. Denning says that many companies are doing more active defense than they realize. “They might not call it active defense, but what they call it matters less than what they do.”

Cooperating with law enforcement and the international network of companies and organizations combating hacking is also part of an active defense strategy. The more companies and agencies that work together, the more likely it is that active defense strategies like the one that took out Coreflood can be executed without harm. Several such operations have taken place without reports of problems.

Denning recommends A Data-Driven Computer Security Defense: THE Computer Security Defense You Should Be Using, by Roger A. Grimes. (Full disclosure: Denning wrote the foreword. “But the book really is good!” she says.)

As for more-aggressive tactics, like the ones proposed in the ACDC bill, proceed with caution. Work with law enforcement and other government agencies, and understand the risks. Denning says, “It’s all about risk. Companies need to understand the threats and vulnerabilities and how security incidents will impact their company, customers, and partners. Then they need to select cost-effective security defenses, both passive and active.” There are limits, she cautions. “Security is a bottomless pit; you can only do so much. But it’s important to do the right things — the things that will make a difference.”

About the author: Scott Berinato is a senior editor at Harvard Business Review and the author of Good Charts: The HBR Guide to Making Smarter, More Persuasive Data Visualizations.

Adlumin Selected as DCA Live 2018 Red Hot Cyber Company

(Left to Right) Tim Evans, Senior Vice President, Don McLamb, Director of Engineering, Rob Johnston, CEO

Next week DCA Live will recognize the most exciting cyber companies in the DC region. These companies are all growing and creating value and jobs in our local tech community. They are also solving important problems and need to be recognized. Join us at Eastern Foundry in Rosslyn, VA next Tuesday – February 27 – for food, drink, and great networking with leaders of the hottest cyber companies in town.


Founders: Robert Johnston and Timothy Evans

Year founded: 2016

Number of employees: 10

Cyber problem you are solving: Why do corporate breaches continue to succeed? Because attackers can steal legitimate credentials and use those credentials to attack your hybrid network undetected. Adlumin helps customers identify and remediate identity-based vulnerabilities before attackers can take advantage, and uses data science to monitor identity access to corporate resources to detect attacks in progress, all from a cost-efficient, cloud-delivered solution that deploys in minutes.

DC is the global HQ for the cyber industry because: DC is the HQ because of guys like Tim and me. We come from intelligence backgrounds at the National Security Agency and are now dedicating our professional lives to solving some of the complicated issues in the security space. The knowledge, expertise, and passion for national security is a fundamental reason why people move to DC, why people join an intelligence agency, and why our products will be the best in the world.

Tim Evans, Esq., LL.M. Speaks at NH-ISAC 2017 Conference

“Why corporate breaches continue to succeed” – Corporate breaches continue to succeed because attackers can steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware-based attacks, identity-based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware-based attacks to the evolved identity-based attacks. Learn how next generation machine learning and analytics can detect and stop these attacks.

He Solved The DNC Hack. Now He’s Telling His Story For The First Time.

Less than a year before Marine Corps cyberwarrior Robert Johnston discovered that the Russians had hacked the Democratic National Committee, he found they had launched a similar attack at the Joint Chiefs of Staff.

At 30, Johnston was already an accomplished digital detective who had just left the military’s elite Cyber Command, where he had helped stanch a Russian hack on the US military’s top leadership. Now, working for a private cybersecurity company, he had to brief the DNC — while it was in the middle of a white-knuckle presidential campaign — about what he’d found in the organization’s computer networks.

Their reaction was “pure shock,” Johnston recalled. “It was their worst day.”

Although the broad outlines of the DNC hack are now well-known, its details have remained mysterious, sparking sharp and persistent questions. How did the DNC miss the hack? Why did a private security consultant, rather than the FBI, examine its servers? And how did the DNC find Johnston’s firm, CrowdStrike, in the first place?

Johnston’s account — told here for the first time, and substantiated in interviews with 15 sources at the FBI, the DNC, and the Defense Department — resolves some of those questions while adding new information about the hack itself.

A political outsider who got the job essentially at random — the DNC literally called up CrowdStrike’s sales desk — Johnston was the lead investigator who determined the nature and scope of the hack, one he described less as a stealth burglary than as a brazen ransacking. Despite his central role, Johnston has never talked with investigators probing Russian interference, let alone with the media. But to people dealing with the crisis, “He was indispensable,” as a source close to the DNC put it.

Johnston was also largely on his own. The party had hired CrowdStrike essentially in place of the FBI — to this day, the Bureau has not had access to the DNC’s servers. DNC officials said they made the eyebrow-raising choice to go with a private firm because they were worried they’d lose control of their operations right in the middle of the campaign. Not only that, but the FBI was investigating Hillary Clinton’s use of a private email server. Better, the DNC figured, to handle things privately.

It was a decision that would cast a shadow of doubt over the investigation, even though cybersecurity experts have widely accepted Johnston’s main findings.

In the conference room that day, as he unveiled his findings to Democratic Party officials and lawyers, then-chair Debbie Wasserman Schultz listened in via speakerphone. Johnston told them that their computer systems had been fully compromised — not just by one attack, but by two. Malware from the first attack had been festering in the DNC’s system for a whole year. The second infiltration was only a couple of months old. Both sets of malware were associated with Russian intelligence.

Most disturbing: The hackers had been gathering copies of all emails and sending them out to someone, somewhere. Every single email that every DNC staffer typed had been spied on. Every word, every joke, every syllable.

There was still no warning that Russia might try to interfere on Donald Trump’s behalf. So the DNC officials hammered Johnston with questions: What would happen with all their information? All that stolen data? What would the computer hackers do with it?

Johnston didn’t know. The FBI didn’t know.

The answers would come when the stolen emails were published by WikiLeaks in a series of devastating, carefully timed leaks. And the implications of what Johnston had found would come later, too: The Russian government may have been actively working against Hillary Clinton to help elect Donald Trump.

Growing up, Johnston was a jock, not a cybergeek. He wrestled for his high school in Satellite Beach, Florida, in the 165-pound weight class. As a teenager, one of his unusual hobbies was picking locks with paper clips and hairpins.

He had stellar grades, and he was admitted into the Naval Academy in Annapolis, Maryland, in 2004. “I never tinkered with computers,” he said. “I entered the Naval Academy as a wrestler, and that’s all I cared about.”

The only reason he ended up on the front lines against Russian hackers is that during his second semester he was required to choose a major, and he chose computer science because it was “marketable.” At first, he found it boring. Then, during his junior year, he took a computer security class. It changed his life.

The discipline of white-hat hacking, he said, was a bit like picking locks, back when he was a teenager. “This was like doing it with computers,” Johnston said. “We would learn how to break into computers, how to investigate, do forensics. It just interested me right away. Right then and there I wanted to do anything and everything cyber.”

Johnston graduated from the Naval Academy in 2008, and was commissioned as a second lieutenant in the Marine Corps, just when some branches of the military started to see cyber as the new battlespace. To “fly, fight and win,” an Air Force mission statement from the time boasted, “in air, space and cyberspace.”

But “the Marine Corps mindset” — with its proud emphasis on aggressive tactics — “hadn’t changed yet,” Johnston said. And that, paradoxically, made it a perfect place for him to learn and gain rank in the cyberworld. “Ascension was easy because nobody wanted to go into these jobs. They didn’t really understand that cyber was a battleground.”

He directed the Marine Corps Red Team, which tries to hack into the Corps computers to test its defenses. He was surprised how many well-trained military personnel fell for fake attacks. Right after the Snowden leaks in 2013, he said, the team sent out to 5,000 people inside the military a test: a phishing email, one that tries to trick recipients into clicking on a link, which installs malware. The subject line was: “SEAL team six conducts an operation that kills Edward Snowden.”

“We actually had to shut down the operation,” he said. “The phishing attack was too successful. The click rate was through the roof.”

In the spring of 2015, Johnston was a captain in the Marine Corps leading newly formed Cyber Protection Team 81, based near the NSA in Fort Meade, Maryland, as part of the military’s Cyber Command, or Cybercom.

On a Saturday around 2 a.m., Johnston received a call on his cell phone from his commanding officer. “The major said, ‘How fast can your guys be back in DC?’” Johnston recalled. “‘Tell them to meet at the Pentagon and you’ll find out more there.’”

A malware attack against the Pentagon had reached the unclassified computers of the Joint Chiefs of Staff, the military’s top brass who advise the president. The malware had spread fast — in just five hours, it had compromised all five of the chairs’ laptops and all three of the vice chairs’ laptops and desktop computers.

Soon, Johnston and the others identified the malware. It was associated with APT 29, for “advanced persistent threat,” a hacker group widely believed to be linked to the FSB, Russia’s federal security service.

Johnston said the phishing campaign against the Joint Chiefs stood out. Usually, he said of Russian hackers, “their operations are very surgical. They might send five phishing emails, but they’re very well-crafted and very, very targeted.” But this time it was a broadside. “The target list was, like, 50 to 60,000 people around the world. They hit them all at once.” It’s rare, he said, for “an intel service to be so noisy.”

By “noisy,” he means that the attackers were drawing a huge amount of attention, sending out 50,000 phishing emails, as if they didn’t care that anyone knew what they were doing.

Along with Johnston and his military cyber team, NSA employees and contractors from McAfee and Microsoft were also on site, working on the hack, wiping the system and rebuilding it. Johnston and his team worked around the clock, in two shifts. “Host forensics guys are finding malware, handing it to the malware reverse engineering team who’s reversing it, finding network indicators, giving it to the network guys,” he recalled. “Network guys are scoping, finding out where else they are, and tracking down all the compromised machines.”

Johnston’s team concluded that the Russian hackers took some nonclassified emails and other information but not a lot. The biggest challenge after containing a breach of this magnitude, he said, is that you can never be 100% sure that the hackers have been “kicked out” of the system.

Retired Lt. Gen. Mark Bowman, who oversaw cyber at the Joint Chiefs at the time, worked closely with Johnston on the operation. He told BuzzFeed News, “We had to build the network back from bare metal. Watching Robert and his team do that was unbelievable. That guy flat-out amazed me.”

Still, the mission was a big one for Cybercom, and Johnston felt like he had hit a career “home run.”

He left the Marine Corps as a captain, and in November 2015, he signed up to work for CrowdStrike, a well-known cyberprotection company whose president, Shawn Henry, is a former head of the FBI’s Cyber Division. CrowdStrike declined to comment about Johnston’s work.

Johnston in Washington, DC.

Stephen Voss for BuzzFeed News


Johnston didn’t know it, but in September 2015 as he was getting ready to leave the Marines, the NSA informed the FBI that DNC computers had likely been hacked, three sources said. An FBI agent then called the DNC’s IT office and said that the organization’s servers had been compromised.

That part of the story has been told — how little was done for seven months. The FBI periodically tried to get in touch with the organization, but the DNC did not believe the threat was real.

Finally, in April, the DNC IT department became convinced that there was a problem, and top Democratic officials became worried. But even then, they didn’t call the FBI. They called the sales desk at CrowdStrike. (Last week, lawyers for BuzzFeed subpoenaed both the DNC and CrowdStrike for information about the hack and the investigation into it. The subpoena was not related to this story but to a libel suit filed by a Russian businessman named in the Trump dossier published by BuzzFeed News in January.)


At CrowdStrike, the case was assigned to Johnston, new to the company but with battle-tested skills, who soon ended up on the phone with the DNC IT chief.

“The FBI thinks we have a problem, something called ‘Dukes,’” Johnston said the IT employee told him. The Dukes is another name for APT 29, the hackers who Johnston had battled before, at the Joint Chiefs.

Johnston sent the DNC a script to run on all its servers, and then collected the output code. To an outsider it might have looked like a tedious job to examine long strings of data. But within an hour Johnston had it: an unmistakable string of computer code — sabotage — that didn’t belong in the system. It was “executable file paths” — evidence of programs — that didn’t belong there. They stood out like a shiny wrench left in a car engine.
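The triage described above, collecting executable paths from every server and picking out the ones that do not belong, is a standard incident-response step. The following is an added illustration and not the script the article describes, nor code from CrowdStrike or Adlumin: it assumes each server has already produced a tab-separated inventory of running processes (host, pid, path of the running executable, as read from `/proc/<pid>/exe` on Linux) and compares every path against a baseline of expected directories. The hostnames, directory baseline and inventory lines are all constructed for this example.

```python
"""Triage collected executable paths against a baseline of expected locations.

Added example (not the article's script, not CrowdStrike's or Adlumin's code).
Assumes each server emitted one "host<TAB>pid<TAB>exe_path" line per running
process and that a responder reviews the merged inventory centrally.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Constructed baseline: directories a typical Linux server is expected to run
# binaries from. Anything outside them is a lead for the analyst, not a verdict.
BASELINE_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib", "/opt/app")

# Constructed list of locations where a running executable is unusual on a
# server (world-writable or user-owned) and therefore reviewed first.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")

# Constructed sample inventory; the hosts, pids and paths are invented.
SAMPLE_INVENTORY = """\
# host\tpid\texe_path  (constructed sample)
web01\t1\t/usr/lib/systemd/systemd
web01\t842\t/usr/sbin/sshd
web01\t1207\t/opt/app/bin/webapp
web01\t3310\t/tmp/.cache/agent
db01\t1\t/usr/lib/systemd/systemd
db01\t955\t/usr/sbin/mysqld
db01\t4012\t/var/tmp/update (deleted)
mail01\t2201\t/usr/local/bin/exim
"""


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    path: str
    reason: str


def parse_inventory(text: str) -> list[tuple[str, int, str]]:
    """Parse 'host<TAB>pid<TAB>path' lines, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, pid, path = line.split("\t", 2)
        rows.append((host, int(pid), path))
    return rows


def _under(path: str, dirs: tuple[str, ...]) -> bool:
    """True if the normalised path lies inside one of the given directories."""
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in dirs)


def triage(rows: list[tuple[str, int, str]]) -> list[Finding]:
    """Return one Finding per executable path that deviates from the baseline.

    Checks, in order of urgency:
      1. the binary was deleted from disk while still running (the kernel
         appends " (deleted)" to the /proc/<pid>/exe link target);
      2. the binary lives in a temp or user directory;
      3. the binary lives anywhere outside BASELINE_DIRS.
    """
    findings: list[Finding] = []
    for host, pid, path in rows:
        norm = posixpath.normpath(path)
        if norm.endswith(" (deleted)"):
            findings.append(Finding(host, pid, path, "binary deleted from disk while still running"))
        elif _under(norm, SUSPECT_DIRS):
            findings.append(Finding(host, pid, path, "executable in temp or user-writable directory"))
        elif not _under(norm, BASELINE_DIRS):
            findings.append(Finding(host, pid, path, "executable outside baseline directories"))
    return findings


def run_sample() -> list[Finding]:
    """Triage the constructed inventory; used for the demonstration below."""
    return triage(parse_inventory(SAMPLE_INVENTORY))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}\tpid {f.pid}\t{f.path}\t-> {f.reason}")
```

The baseline here is deliberately coarse; in a real engagement it would be derived from a known-good build of the same server role, and every flagged path would be hashed and matched against known indicators before any conclusion is drawn.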

And in fact, Johnston had seen this particular piece of code before, back when he was at the Pentagon. So it was easy to recognize this nemesis. He knew who had sent it by the telltale signatures. “This was APT 29,” he said. Later, when he had spent more time analyzing the DNC hack, he would come to believe that the Democrats had been compromised by the same blast of 50,000 or so phishing emails that had breached the computers of the Joint Chiefs.

From left: Adlumin VP Timothy Evans, lead engineer Dom McLamb, and Johnston.

Stephen Voss for BuzzFeed News


When he briefed the DNC in that conference room, Johnston presented a report that basically said, “They’ve balled up data and stolen it.” But the political officials were hardly experienced in the world of intelligence. They were not just horrified but puzzled. “They’re looking at me,” Johnston recalled, “and they’re asking, ‘What are they going to do with the data that was taken?’”

Back then, no one knew. In addition to APT 29, another hacking group had launched malware into the DNC’s system. Called APT 28, it’s also associated with Russian intelligence. Andrei Soldatov, a Russian investigative journalist and security expert, said it’s not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack.

So, Johnston said, “I start thinking back to all of these previous hacks by Russia and other adversaries like China. I think back to the Joint Chiefs hack. What did they do with this data? Nothing. They took the information for espionage purposes. They didn’t leak it to WikiLeaks.”


So, Johnston recalled, that’s what he told the DNC in May 2016: Such thefts have become the norm, and the hackers did not plan on doing anything with what they had purloined.

Johnston kicks himself about that now. “I take responsibility for that piece,” he said.

The DNC and CrowdStrike, now working with the FBI, tried to remove all remaining malware and contain the problem. And they decided on a public relations strategy. How could the DNC control the message? “Nothing of that magnitude stays quiet in the realm of politics,” Johnston said. “We needed to get in front of it.” So, Johnston said, in a story confirmed by DNC officials, CrowdStrike and the DNC decided to give the story to the Washington Post, which on June 14, 2016, published the story: “Russian government hackers penetrated DNC, stole opposition research on Trump.” “I thought it was a smart move,” Johnston said.

But it may have backfired.

One day after the Post article, a Twitter user going by the name Guccifer 2.0 claimed responsibility for the hack and posted to the internet materials stolen from the DNC’s server.

Johnston thinks the Washington Post story changed the tactics of the cyberattackers. “We accelerated their timeline. I believe now that they were intending to release the information in late October or a week before the election,” he said. But then they realized that “we discovered who they were. I don’t think the Russian intelligence services were expecting it, expecting a statement and an article that pointed the finger at them.”

A month later, in late July 2016, WikiLeaks began to release thousands of emails hacked from the DNC server. Those leaks, intelligence officials would say, were carefully engineered and timed.

The stolen emails wreaked havoc. Wasserman Schultz, then the chair of the DNC, was replaced by Donna Brazile, who just published a new book, Hacks, about the Russian break-in at the DNC.

“CrowdStrike did a remarkable job helping the DNC remediate our system post hacking. Sadly, we should have known more, but that’s all part of history,” Brazile told BuzzFeed News.

Johnston wrapped up his work with the DNC in July 2016. He also left CrowdStrike and started his own cybersecurity firm, Adlumin, based in Washington, DC.

He’s well aware of the grim fact that it was his analysis that helped lay the groundwork that would eventually lead to the investigation by special counsel Robert Mueller, to multiple probes on Capitol Hill, and to the findings about Russia’s intervention on Facebook and Twitter. If the DNC hack hadn’t been traced to Russia, much of that might never have emerged.

Johnston has managed to maintain a low profile for the last year and a half, even as Washington has obsessed over Trump and Russia. He hasn’t been in hiding, he said. Over a steak and Scotch at a DC restaurant, he said he just hadn’t talked about it for a simple reason: No one asked him to.

Jason Leopold is a senior investigative reporter for BuzzFeed News and is based in LA. Recipient: IRE 2016 FOI award; Newseum Institute National Freedom of Information Hall of Fame. PGP fingerprint 46DB 0712 284B 8C6E 40FF 7A1B D3CD 5720 694B 16F0. Contact this reporter at




Adlumin Sponsors APHSA ISM 2017 Technology Conference


Timothy Evans, J.D., LL.M., Co-Founder and Chief of Strategy

Corporate breaches continue to succeed because attackers can steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware-based attacks, identity-based attacks can go undetected for months or years because perpetrators imitate the behavior of your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware-based attacks to the evolved identity-based attacks. Learn how next-generation machine learning and analytics hunting on your network 24/7 can detect intruders and malicious insiders without you hiring a single person.


Robert Johnston, CEO, Speaks at EDGESECURITY 2017


Identity Based Attacks – Insights on the DNC Hack

Why do corporate breaches continue to succeed? Corporate breaches continue to succeed because attackers are able to steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware-based attacks, identity-based attacks can go undetected for months or years because perpetrators imitate the behavior of your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware-based attacks to the evolved identity-based attacks. Learn how analytics, deception, and data streams are saving the security industry, or would have at least saved the Democratic National Committee.