Hackers targeting Clinton aides struck across US
Hackers targeting Clinton aides struck across US
By MICHAEL RILEY, JORDAN ROBERTSON | Bloomberg | Published: June 18, 2016
The Russian hackers who hit the Democratic National Committee and Hillary Clinton's campaign burrowed much further into the U.S. political system, sweeping in law firms, lobbyists, consultants, foundations and the policy groups known as think tanks, according to a person familiar with investigations of the attacks.
Almost 4,000 Google accounts were targeted in an elaborate "spear phishing" campaign -- intended to trick users into providing access so that information could be gleaned from personal and organizational accounts -- from October through mid-May, according to the person, who asked not to be identified discussing confidential information.
The sweeping scope of the spying on the U.S. political establishment suggests an information dragnet far larger than previously reported and one meant to gather a near-encyclopedic understanding of the next president and those who will influence his or her thinking. Based on data now being analyzed, various security researchers believe the campaign stems from hackers linked to Russian intelligence services and has been broadly successful, extracting reams of reports, policy papers, correspondence and other information.
"These foreign governments are negotiating machines" with much to gain from a U.S. politician's priorities and weaknesses, said John Prisco, chief executive officer of Rockville, Maryland-based security company Triumfant. "Understanding the possible next president at the depth that the DNC does will help them enormously if they have to deal" with the winner in the White House.
In the past week, the Democratic National Committee disclosed that hackers had gained access to its servers, and CrowdStrike, the cybersecurity firm hired to combat that intrusion, said that groups it linked to the Russian government had managed to steal opposition research on Republican candidate Donald Trump. Then, SecureWorks, another cybersecurity firm, said it had evidence that Russian hackers had targeted aides in Clinton's campaign, although the campaign said it saw no sign that its system had been compromised.
On Saturday the hacker released a second set of documents purporting to be personal and financial information on DNC donors, fundraising spreadsheets and internal strategy memos.
"I absolutely rule out any possibility of any government or government structures' involvement in it," Dmitry Peskov, spokesman for Russian President Vladimir Putin, said of the DNC hacking.
The data thefts are similar to a wave of attacks that preyed on high-level U.S. officials, military officers and spouses last summer. The newest wave includes some far-flung targets -- ambassadors and staff members at embassies around the world -- in addition to political figures in the U.S.
Among the policy groups targeted was the Center for American Progress, which has ties to Clinton and the Obama administration. "We are constantly reviewing our security and operations to prevent and thwart unauthorized activity," Liz Bartolomeo, a spokeswoman for the center, said in an emailed statement. "We have reviewed our systems and we believe our security measures have prevented unwanted access to our systems."
Researchers were able to detail the thousands of individuals attacked after reconstructing the techniques used by the hackers to hit Google-hosted accounts. Trump's campaign probably has been targeted as well, investigators say. However, since his campaign emails are hosted on Rackspace, a different cloud provider, a different technique would have to be used to recover evidence of those hacks, the person said.
In hitting candidates, their advisers and lawyers, hackers are extracting political data and exploiting systems that are more vulnerable in the time before security layers are added in a new presidential administration. Despite years of warnings and similar attacks, the political parties and their candidates aren't sufficiently protecting their confidential information, according to cybersecurity specialists who work with the campaigns.
Candidates and parties are most at risk of being hacked in the window of time between when they become their parties' presumptive nominees -- as Clinton and Trump have -- and when one of them takes office, said Tony Lawrence, a former U.S. Army cyber specialist who is now CEO of Hanover, Maryland-based security company VOR Technology.
While cybersecurity professionals have blamed Russian hackers for the attacks on the DNC and Clinton campaign, Trump has said the DNC orchestrated the leak of documents attacking him. Other nations, including China, have been cited as being behind earlier infiltrations, including those in the 2008 presidential race.
Data stolen through hacking can be used for a variety of purposes, including leaks as a weapon to influence foreign policy and even elections.
Personal and financial information such as credit card and bank account numbers could be used by spies, diplomats or criminals. Personal email addresses and mobile phone numbers for outside advisers help map out personal relationships and enable further attacks.
Perhaps most important are voluminous "briefing books" of questions and answers to prepare candidates and their advisers on major issues, said Peter Singer, a consultant for the U.S. government on defense issues and a senior fellow at the New America policy center. These books help shape candidates' publicly stated positions and contain lengthy narratives reflecting advisers' private thinking about the issues, he said.
In 2008, Democrat Barack Obama and Republican John McCain's campaigns were hacked, and the events delivered this memorable anecdote: Randall Schriver, one of McCain's foreign policy advisers on Asia, told NBC News that Chinese officials complained to him about the contents of a letter from McCain supporting Taiwanese military expansion that the candidate had drafted but not yet sent. Schriver didn't respond to a message from Bloomberg News. In 2012, Obama and Mitt Romney's campaigns were targeted.
"Everybody has to assume they're coming after you, especially if you're talking about politics and presidential elections," said Joe DeTrani, a former senior adviser to the U.S. director of national intelligence who's now president of Daniel Morgan Academy, a national security graduate school in Washington. "There are so many critical issues, and if it's touching the Russians -- it's not just Crimea, Ukraine and now the Middle East -- maybe they just want to prepare accordingly, given the two presidential contenders and what they're likely to confront. In some ways it's very logical."
The Russian hacking groups that CrowdStrike says were behind the DNC attacks operate independently and in unusual ways, often targeting personal accounts and private computers as a rich source of intelligence about their owners. The groups have been behind breaches of the White House, the State Department, the House of Representatives and a reporter at the New York Times.
"Any of the standard Russian hacking teams and protagonists would be happy to do this kind of thing for fun or a small fee," said Gunter Ollmann, chief security officer at San Jose, California-based Vectra Networks. "A high-profile U.S. target with juicy data that could be leaked or sold, and never under the risk of Russian law enforcement, is easily justified."
The first group, called APT 28 -- APT is cyber-security lingo for "advanced persistent threat" -- is believed by some private security experts to be a specialized unit of the FSB, the Russian state security agency. It has been linked to hacks of President Vladimir Putin's domestic opponents, including the rock group Pussy Riot.
It's been around since at least 2007 and has been among the most active nation-state-linked hacking groups in the world, said Vikram Thakur, a former senior attack investigations manager for Symantec. In the early years, its targets were primarily Eastern European militaries, embassies and defense contractors, but as detection grew, its tools were used more broadly and targets have expanded to Western countries and private entities with data of strategic interest to Russia, Thakur said.
The hacking of the Warsaw Stock Exchange in 2014, which was followed by leaked data and claims of responsibility by Muslim militants, was viewed as a smokescreen. Polish investigators interpreted it as a warning from Russia against a member of the North Atlantic Treaty Organization, which was intent on driving a strong response to Russia's aggression in eastern Ukraine, according to three people familiar with the investigation. Private security experts attributed the attack to APT 28.
In a sign of sophistication and resources, APT 28 uses more "zero day" vulnerabilities than almost any other group, exploiting more than half a dozen previously unknown flaws in Office, Java and Flash software, among others, in 2015, Thakur said.
The second, more advanced group linked to the DNC hack, called APT 29, appeared in 2014 and was at first very selective, infecting only a few targets all year, but in 2015 "they went ballistic," infecting hundreds of European and U.S. organizations, Thakur said. The group has a signature move: It infects lots of computers, sending thousands of emails and going alphabetically through big groups of targets, a distraction as they steal data from one or two computers of high value, Thakur said.
There are signs of cooperation.
In early 2015, multiple Western European military customers of Symantec reported infections of APT 29 followed within a week or two by an infection by APT 28, possibly indicating a handoff, Thakur said. In most cases, they were the only two infections on a given machine, he added.
"You can clearly make out that whoever's behind all of this has no qualms about the repercussions that could come if someone found out whoever they are," he said. "These people are not the types who go around hiding their tracks so the victim doesn't know they've been compromised. They're very noisy, they come in and steal whatever they want. Eventually any network administrator will know they're there."
Nafeesa Syeed also contributed to this report.