How Russian Cyberattackers Infiltrated 3 Political Organizations
The breaches at the Clinton campaign and Democratic Party organizations show just how vulnerable high-turnover enterprises like political campaigns are to some conventional and well-known cyberattack strategies.
July 16, 2018 at 02:46 PM
The original version of this story was published on Legal Tech News
The cyberattacks on the Clinton Campaign, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) started, as many do, with a spear phishing attack.
According to a July 2018 indictment of 12 Russian military intelligence officials, in March 2016, a member of the Russian military spoofed an email to look like a security notification from Google, then sent it to the Clinton campaign manager “instructing the user to change his password by clicking the embedded link. Those instructions were followed.”
The indictment states that in the ensuing months, the Russian team deployed dozens more spear phishing attacks and successfully exploited the DNC's and DCCC's network vulnerabilities. The group was soon able to monitor the computer activity of various political operatives and surreptitiously exfiltrate data out of all three organizations. And even when the Russian team's infiltration was discovered, their stranglehold did not let up.
Potentially, it was the most significant compromise of a political campaign in U.S. history. But the way the cyberattackers infiltrated the organizations was hardly novel or surprising, according to cybersecurity experts.
“As set forth in the indictment, the first entry was not that complicated,” said Christopher Ott, partner at Davis Wright Tremaine and a former senior counterintelligence and cyber counsel at the Department of Justice's (DOJ) National Security Division. “Spear phishing with spoofing was involved and they did a good job of it, but it's something non-nation state criminal actors also do at scale.”
Marcus Christian, a partner at Mayer Brown and a former executive assistant U.S. attorney at the U.S. Attorney's Office for the Southern District of Florida, explained that phishing works because it relies on susceptibility rather than a technical exploit. Cybercriminals “don't only understand how computers work, they understand how people work,” he said.
The initial spear phishing attack on the Clinton Campaign was just the tip of the iceberg. According to the indictment, a few weeks after Russian officials compromised the campaign manager and stole 50,000 of his emails, they sent additional spear phishing emails to another 30 campaign workers. This time, they spoofed the emails to look like they came from a known campaign employee. By July 2016, an additional 76 email addresses related to the Clinton Campaign were targeted.
Alongside their spear phishing on the Clinton Campaign, the cyberattackers were also probing the networks at the DNC and DCCC, looking for openings or connected devices they could easily hack. They succeeded, and managed to install malware programs on the DCCC's network. This included one called “X-agent,” which transmitted screenshots and keystroke logging information from DCCC computers back to a private server in Arizona owned by Russian intelligence.
With a front-row seat to what DCCC employees typed and saw on their computers, the Russian officials uncovered access credentials to DNC's networks, and soon the DNC employees were monitored just as closely. What's more, another malware tool installed on DCCC and DNC computers called “X-tunnel” allowed the cyberattackers to start exporting data from inside the organizations.
Christian noted that the strategy of scanning a network for vulnerabilities and exploiting them “is fairly standard” among cybercriminals. But while it is common for attackers to do this without targeting a specific organization, the cyberattack described in the indictment was different because the hackers had a “particular objective with a particular target.”
What also set the attack apart from others were the tools the Russian officials used. “What was actually used to exfiltrate the information was X-agent and X-tunnel, two malware tools known in the world to be linked to APT28, also known as Fancy Bear, which is now linked to Russian military intelligence. That malware was the sophisticated side of it,” Ott said. The tools were not widely available to other cybercriminals and bore the mark of a nation-state cyberespionage operation.
In late May 2016, the Russian officials' intrusion was detected by DCCC and DNC. A security company hired to mitigate the damage did help clean up most of the malware, but according to the indictment, a Linux-based version of X-agent “remained on the DNC network until in or around October 2016.”
Still, the hackers had access to the three political organizations' networks for at least a month before they were uncovered, in large part because they took care to cover their tracks. Such efforts, Ott noted, can be fairly effective. “Even if you regularly look at your [network] logs, those logs may well be overwritten and changed by the malware and the bad actors,” he said.
Yet there are some ways one can tell something is not right, he added, such as a spike in usage rates across a network, which may indicate data being transferred out.
Even after they were discovered, however, the cyberattackers were unrelenting. The spear phishing attacks on the Clinton Campaign did not cease, and at one point the Russian officials allegedly used stolen access credentials to modify a DCCC website to redirect traffic to a spoofed website.
On July 27, 2016, the cyberattackers also attempted to spear phish “email accounts at a domain hosted by a third party provider and used by Clinton's personal office.” In September 2016, they also gained access to DNC computers hosted on a third-party cloud computer service, according to the indictment.
The three political campaigns were under ongoing siege—which, given their structure and operations, was not wholly surprising. Edward McAndrew, partner at Ballard Spahr and a former cybercrime prosecutor in the U.S. Attorney's Office for the Eastern District of Virginia, noted that political organizations have a higher threat level because they have far more staff changes than the average corporation, especially during an election season when part-time or volunteer workers come on board.
He noted that for IT workers in political organizations, “the challenge associated with effectively on-boarding and off-boarding this many network users in a short period of time and then properly training them and monitoring them in terms of their cybersecurity practices is extremely difficult.”
What's more, he said that such organizations are more targeted than others “because of the fact they are running political campaigns,” and they hold sensitive information that may be coveted by state-sponsored cyberattackers.
Joshua Motta, founder and CEO of cyber insurance company Coalition, added that since political organizations need to staff up fairly quickly, it can be difficult to implement cybersecurity standards across such a quickly expanding and diffuse operation. “In many respects, I think of campaigns as startups in a sense. At some level, they are establishing a medium-size corporation in a very confined period of time.”
But while political organizations are more at risk than others, the way the Clinton Campaign, DNC and DCCC were infiltrated should raise concerns for companies across the economy. “What this illustrates is just how easy it is and how very effective it can be even when relatively simplistic techniques are used,” McAndrew said.
“I would hate for anyone to look at this situation and say, well that's a presidential campaign and these are national political party organizations, we don't have to worry about that,” he said. “I think everyone does need to worry about it.”