2016-06-18

Democratic presidential candidate Hillary Clinton speaks at a rally in San Francisco, California on May 26, 2016. (Photo: JOSH EDELSON/AFP/Getty Images)

Hillary Clinton’s private email server has attracted the attention of foreign hackers and American regulators alike. But now her campaign crew’s Google email has been targeted by hackers thought to be working for the Russian government, security experts told FORBES today.

In the last three months, the same group that allegedly breached the Democratic National Committee in April has been trying to take control of Gmail accounts of staff working for Clinton’s 2016 presidential campaign, according to researchers from security firm SecureWorks. Targets included those running Clinton’s communications and organizing her travel, which FORBES believes includes Kristina Schake and Nick Merrill, as well as the director of speechwriting Dan Schwerin. Policy advisers and campaign finance managers were also on the Russians’ list.

In March, SecureWorks witnessed new activity from the hacker group, known by many names, including APT28, Fancy Bear, Pawn Storm, Sofacy and Sednit. The hackers, widely thought by US security researchers to be sponsored by the Russian government, had started creating links shortened with Bitly to forward on to Clinton’s campaign staff. Cybercriminals and government spies like to use Bitly to hide the true web address – often subtly different from the site they spoofed – that they attempt to trick targets into opening. But inside the Bitly links used by APT28 were encoded strings, which, once decoded, contained the target email addresses, revealing details of the hackers’ plans.

Once clicked, those links appeared to take the target through to a fake Google login page. As soon as they provided the login credentials, the Russian crew would log in and access all the data in the Google account.

Online records for hillaryclinton.com indicated the official Clinton campaign used Google Apps, which lets organizations use Gmail as their main email client, SecureWorks noted. Clinton’s staff would, therefore, have signed into their email via a Google login looking much like the spoofed pages.

It’s not yet clear whether the hackers managed to actually break into the Clinton group’s Google accounts, though SecureWorks said the links had been clicked, possibly indicating successful attacks. The firm’s researchers saw the APT28 group spin up 213 short links targeting 108 email addresses on the hillaryclinton.com domain. As Bitly reveals which short links were opened, the researchers quickly determined 20 of those 213 had been clicked. And those Bitly link creations were associated with email addresses used by the APT28 hackers.
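The analysis described above, as an added illustration that is not from the article or SecureWorks: a small analyst script that expands the idea of decoding target addresses out of short links and tallying which accounts at a domain were targeted and clicked. The URL layout (address base64-encoded in a path segment or query value), the sample links and the click counts are all constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_embedded_email(url):
    """Return the first base64/base64url-encoded e-mail address found in the
    path segments or query values of an expanded short link, or None."""
    parts = urlsplit(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for cand in candidates:
        padded = cand + "=" * (-len(cand) % 4)  # restore stripped padding
        try:
            text = base64.urlsafe_b64decode(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: skip this segment
        if EMAIL_RE.match(text):
            return text.lower()
    return None


def summarize_targets(links, domain):
    """links: iterable of (expanded_url, click_count) pairs as an analyst would
    collect from a link shortener. Returns, per targeted address at `domain`,
    how many links pointed at it and how many of those were clicked."""
    targets = {}
    for url, clicks in links:
        email = decode_embedded_email(url)
        if email is None or not email.endswith("@" + domain):
            continue
        entry = targets.setdefault(email, {"links": 0, "clicked_links": 0})
        entry["links"] += 1
        if clicks > 0:
            entry["clicked_links"] += 1
    return targets


def _enc(email):  # helper used only to build the constructed samples below
    return base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")


SAMPLE_LINKS = [  # constructed data; hypothetical look-alike login domain
    ("https://login.example.net/" + _enc("travel@hillaryclinton.com") + "/", 1),
    ("https://login.example.net/ServiceLogin?e=" + _enc("travel@hillaryclinton.com"), 0),
    ("https://login.example.net/ServiceLogin?e=" + _enc("press@hillaryclinton.com"), 0),
    ("https://login.example.net/" + _enc("secretary@dnc.org") + "/", 2),
    ("https://accounts.google.com/ServiceLogin?hl=en", 5),  # benign, no payload
]
```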

Clinton’s communications have been barraged with cyberattacks in recent months. Earlier this year, Clinton’s personal email accounts, found to have been used without the right permissions for official business, were also allegedly targeted by hackers in separate attacks. A Romanian going by the name of Guccifer claimed to have compromised the private Clinton server. In May, he pled guilty to numerous hacking crimes, though there was no official word on whether he broke into the server, itself the focus of an FBI probe.

DNC breached

CrowdStrike, a U.S. security company that assisted the DNC with its post-breach recovery, had not determined how the Democrat governing body was initially compromised. But SecureWorks believes the DNC was targeted in much the same way as Clinton’s campaign. Between mid-March and mid-April, the APT28 hackers created 16 short links targeting nine dnc.org email accounts, including those belonging to the DNC’s secretary emeritus and communications director. Four of those 16 links were clicked, again leading to Google logins.

The DNC does not currently use Google Apps, internet records indicated. But SecureWorks, which recently went public after spinning off from Dell, believes the DNC likely did so before the breach this month, as the Russian crew was building up malicious links targeting Google systems at the committee.

The Clinton campaign and the Department of Justice did not respond to repeated requests for comment. The Russian embassy in Washington had not responded to FORBES’ contact, though a spokesperson for the Kremlin in Moscow had previously denied involvement in the DNC breach.

Tom Finney, a security researcher with SecureWorks, said APT28 had created similar malicious links to target organizations in Ukraine and individuals who would have been of interest to the Russian government. “They target anyone who has a voice with a difficult opinion that the Russian government has a problem with,” Finney told FORBES. “It has got a Russian flavour to it.” SecureWorks has published a blog on its findings.

The second coming of Guccifer?

Despite the claims of CrowdStrike and SecureWorks, a hacker going by the name of Guccifer 2.0 yesterday claimed they were responsible for the DNC breach. Having leaked files to Gawker and The Smoking Gun, Guccifer 2.0 publicly disseminated documents, including a 200-page file allegedly stolen from the DNC giving a full account of all Donald Trump’s failings as the Democrats saw them.

The report slammed Trump as a “misogynist in chief” and accused the Republican presidential candidate of building a campaign on racism for his comments about banning Muslims from America. Much of the document is based on already-public material, with added commentary from the DNC.

ATLANTA, GA – JUNE 15: Republican presidential candidate Donald Trump walks on stage after signing autographs during a campaign stop at The Fox Theatre on June 15, 2016 in Atlanta, Georgia. Trump and Democratic presidential candidate Hillary Clinton continue to speak out on national security and immigration issues in the wake of the mass shooting in Orlando, Florida. (Photo by Branden Camp/Getty Images)

But Guccifer 2.0, who has adopted the moniker of the Romanian hacker currently on trial, claimed to have thousands of other documents, up to 100GB worth of data extracted over a two-year period. On a WordPress page, they published donor information, appearing to contradict the claims of DNC chairwoman Debbie Wasserman Schultz, who previously told the Washington Post no financial data had been stolen. A national security and foreign policy file was also leaked.

The hacker claimed to have passed all the files to Wikileaks, adding some comments about CrowdStrike’s attribution: “CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by ‘sophisticated’ hacker groups,” Guccifer said. “I’m very pleased the company appreciated my skills so highly… But in fact, it was easy, very easy.

“I guess CrowdStrike customers should think twice about company’s competence.” Wikileaks had not responded to a request for comment, though it had tweeted Guccifer’s claims.

But CrowdStrike emailed a statement to FORBES in which it stood by its research. “Whether or not this posting is part of a Russian intelligence disinformation campaign, we are exploring the documents’ authenticity and origin. Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.”

Don Smith, from SecureWorks Counter Threat Unit, stood by his team’s findings too: “We saw what we saw, we trust it and it’s very reliable. CrowdStrike are also not novices at this game. If they say they saw Sofacy on the network, they did.”

And a DNC spokesperson told media the body was confident of Russia’s participation in the attack on its infrastructure: “Our experts are confident in their assessment that the Russian government hackers were the actors responsible for the breach detected in April, and we believe that today’s release and the claims around it may be a part of a disinformation campaign by the Russians… We’ve deployed the recommended technology so that today our systems are secure thanks to a swift response to that attack and we will continue to monitor our systems closely.”

Trump had his own outlandish conspiracy theory: that the Democrats had staged the breach just to “distract from the many issues facing their deeply flawed candidate and failed party leader.”

NEW – Trump statement on Gawker report of alleged DNC oppo file – “we believe DNC did the ‘hacking” pic.twitter.com/Euwlko9Fex

— John Santucci (@JTSantucci) June 15, 2016
