How Russian Cyberattackers Infiltrated 3 Political Organizations
The breaches at the Clinton campaign and Democratic Party organizations show just how vulnerable high-turnover enterprises like political campaigns are to some conventional and well-known cyberattack strategies.
July 16, 2018 at 02:46 PM
7 minute read
The cyberattacks on the Clinton Campaign, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) started, as many do, with a spear phishing attack.
According a July 2018 indictment of 12 Russian military intelligence officials, in March 2016, a member of the Russian military spoofed an email to look like a security notification from Google, then sent it to the Clinton campaign manager “instructing the user to change his password by clicking the embedded link. Those instructions were followed.”
The indictment states that in the ensuing months, the Russian team deployed dozens more spear phishing attacks and successfully exploited the DNC's and DCCC's network vulnerabilities. The group was soon able to monitor computer activity of various political operatives and surreptitiously exflitrate data out of all three organizations. And even when the Russian team's infiltration was discovered, their stranglehold did not let up.
Potentially, it was the most significant compromise of a political campaign in U.S. history. But the way the cyberattackers infiltrated the organizations was hardly novel or surprising, according to cybersecurity experts.
“As set forth in the indictment, the first entry was not that complicated,” said Christopher Ott, partner at Davis Wright Tremaine and a former senior counterintelligence and cyber counsel at the Department of Justice's (DOJ) National Security Division. “Spear phishing with spoofing was involved and they did a good job of it, but it's something non-nation state criminal actors also do at scale.”
Marcus Christian, a partner at Mayer Brown and a former executive assistant U.S. attorney at the U.S. Attorney's Office for the Southern District of Florida, explained that the reason phishing works is because it relies on susceptibility rather than a technical exploit. Cybercriminals “don't only understand how computers work, they understand how people work,” he said.
The initial spear phishing attack on the Clinton Campaign was just the tip of the iceberg. According to the indictment, a few weeks after Russian officials compromised the campaign manager and stole 50,000 of his emails, they sent additional spear phishing emails to another 30 campaign workers. This time, they spoofed the emails to look like they came from a known campaign employee. By July 2016, an additional 76 email addresses related to the Clinton Campaign were targeted.
Alongside their spear phishing on the Clinton Campaign, the cyberattackers were also probing the networks at the DNC and DCCC, looking for openings or connected devices they could easily hack. They succeeded, and managed to install malware programs on the DCCC's network. This included one called “X-agent,” which transmitted screenshots and keystroke logging information from DCCC computers back to a private server owned by Russian intelligence in Arizona.
With a front-row seat to what DCCC employees typed and saw on their computers, the Russian officials uncovered access credentials to DNC's networks, and soon the DNC employees were monitored just as closely. What's more, another malware tool installed on DCCC and DNC computers called “X-tunnel” allowed the cyberattackers to start exporting data from inside the organizations.
Christian noted that the strategy of scanning a network for vulnerabilities and exploiting them “is fairly standard” among cybercriminals. But while it is common for attackers to do this without targeting a specific organization, the cyberattack described in the indictment was different because the hackers had “particular objective with a particular target.”
What also set the attack apart from others were the tools the Russian officials used. “What was actually used to exflitrate the information was X-agent and X-tunnel, two malware tools known in the world to be linked to ATP28, also known as Fancy Bear, which is now linked to Russian military intelligence. That malware was the sophisticated side of it,” Ott said. The tools were not widely available to other cybercriminals and bore the mark of a nation-state cyberespionage operation.
In late May 2016, the Russian officials' intrusion was detected by DCCC and DNC. A security company hired to mitigate the damage did help clean up most of the malware, but according to the indictment, a Linux-based version of X-agent “remained on the DNC network until in or around October 2016.”
Still, the hackers had access to the three political organizations' networks for at least a month before they were uncovered, in large part because they took care to cover their tracks. Such efforts, Ott noted, can be fairly effective. “Even if you regularly look at your [network] logs, those logs may well be overwritten and changed by the malware and the bad actors,” he said.
Yet there are some ways one can tell something is not right, he added, such as if there a spike in usage rates across a network, which may indicate data being transferred out.
Even after they were discovered, however, the cyberattackers were unrelenting. The spear phishing attacks on the Clinton Campaign did not cease, and at one point the Russian officials allegedly used stolen access credentials to modify a DCCC website to redirect traffic to a spoofed website.
In late July 27, 2016, the cyberattackers also attempted to spear phish “email accounts at a domain hosted by a third party provider and used by Clinton's personal office.” In September 2016, they also gained access to DNC computers hosted on a third-party cloud computer service, according to the indictment.
The three political campaigns were under ongoing siege—which, given their structure and operations, was not wholly surprising. Edward McAndrew, partner at Ballard Spahr and a former cybercrime prosecutor in the U.S. Attorney's Office for the Eastern District of Virginia, noted that political organizations have a higher threat level because they have far more staff changes than the average corporation, especially during an election season when part-time or volunteer workers come on board.
He noted that for IT workers in political organizations, “the challenge associated with effectively on-boarding and off-boarding this many network users in a short period of time and then properly training them and monitoring them in terms of their cybersecurity practices is extremely difficult.”
What's more, he said that such organizations are more targeted than others “because of the fact they are running political campaigns,” and they hold sensitive information that may be coveted by state-sponsored cyberattackers.
Joshua Motta, founder and CEO of cyber insurance company Coalition, added that since political organizations need to staff up fairly quickly, it can be difficult to implement cybersecurity standards across such a quickly expanding and diffuse operation. “In many respects, I think of campaigns as startups in a sense. At some level. they are establishing a medium-size corporation in a very confined period of time.”
But while political organizations are more at risk than others, the way the Clinton Campaign, DNC and DCCC were infiltrated should raise concerns for companies across the economy. “What this illustrates is just how easy it is and how very effective it can be even when relatively simplistic techniques are used,” McAndrew said.
“I would hate for anyone to look at this situation and say, well that's a presidential campaign and these are national political party organizations, we don't have to worry about that,” he said. “I think everyone does need to worry about it.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250