The Democratic National Committee says the attempted hack on its voter database was actually a "simulated phishing test" -- and not the work of bad actors trying to crack into its networks.
The DNC on Wednesday revealed that unidentified hackers had created a fake log-in page to the DNC's VoteBuilder platform to trick people into giving up their usernames and passwords. The DNC alerted the FBI to the apparent hack attempt, which came two years after Russia's hack on the organization sent shockwaves through the 2016 presidential election and as intelligence officials continue to warn about political interference in the midterms.
Now, DNC Chief Security Officer Bob Lord has provided updated information. “We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder,” Lord said in a statement provided to my colleague Ellen Nakashima. VoteBuilder houses the Democratic party's voter file.
“While we are extremely relieved that this wasn't an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks," he continued.
A person familiar with the incident said this morning that it was a test organized by the Michigan Democratic party, which brought on a group of volunteer white hat hackers, DigiDems, to do "penetration testing" of the voter file. And they did so without notifying the DNC.
"The test, which mimicked several attributes of actual attacks on the Democratic party's voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors," Lord said.
Mike Murray, the vice president of the cybersecurity firm Lookout, which first uncovered the phishing attempt, had this to say about the test:
The thing about “false alarms” is that you don’t know that they’re false until you’ve showed up to investigate. All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible. https://t.co/Y9zbX1VdrJ — Mike Murray (@mmurray) August 23, 2018
I appreciate various parts of the security ecosystem coming together quickly to tackle this matter. Lots of super dedicated pros like @mmurray and @TheCustos and their teams who reached out to us and worked round the clock with me! https://t.co/94xNvcu2vP — Bob Lord (@boblord) August 23, 2018
Still, the episode offers a potent reminder that “spearphishing” techniques — which involve hackers posing as a trusted source to access private information — are a top concern for political organizations.
Russian hackers used these techniques in 2016 to infiltrate Democratic organizations and the Hillary Clinton campaign, which was compromised after an assistant to campaign manager John Podesta was fooled by a malicious email disguised as a security notification from Google. After two years, it’s cropping up again: in the span of a month we’ve seen a flurry of reports about apparent spearphishing attempts against political institutions and candidates — and there’s no reason to expect hackers will stop using this tried-and-true method any time soon.
“Spearphishing continues to take advantage of the lowest common denominator in cybersecurity today — people,” said Jay Kaplan, a former National Security Agency analyst who now runs the cybersecurity firm Synack.
“There is no silver-bullet solution to protect against these types of attacks, making it one of the easiest and most simplistic attack vectors deployed by malicious actors today,” Kaplan told me. “The DNC can have the most robust security in the world, with bank-level encryption protecting their voter registration data, but if someone with privileged access to that database is compromised, it effectively allows an attack to walk right through the front door.”
Fortunately, the DNC appears to have passed the test carried out against the organization. Lookout picked up the fraudulent DNC log-in page when its detection tool for phishing sites was triggered, and notified the committee within hours, as my colleagues reported.
Still, it was just the latest in a series of worrying reports of such activity ahead of the November midterms.
This week, Microsoft revealed that the Russian government-backed hacking group APT28 had created websites designed to look like political think tanks and U.S. Senate-affiliated pages in what had the trappings of a spearphishing effort. Last week, Rolling Stone reported that a candidate running against Rep. Dana Rohrabacher (R-Calif.), one of the most Russia-friendly members of Congress, had been successfully spearphished by clicking on a malicious email link. And late last month, Microsoft said it helped block spearphishing attacks against three congressional candidates by hackers from Russia’s military spy agency. Sen. Claire McCaskill (D-Mo.) said she was among those targeted.
Even when spearphishing attempts fail, bad actors have no trouble coming back for more. For one thing, it doesn’t cost much to keep trying, said Christopher Scott, chief technology officer and remediation lead for IBM’s X-Force IRIS, which conducts incident response and threat intelligence.
“You’re just trying to get one person to click,” Scott told me. “If I get one person to click and enter credentials, I’ve gotten the capability — and I can throw thousands of messages out to a company.”
Spearphishing is tough to deflect, Scott said, but there are ways to guard against it. Part of the solution is simply a matter of getting people to keep their guard up.
“When we get a message, we want to see what it’s about. We don’t pause and say, ‘Is this suspicious?’” Scott told me. It’s important for organizations to teach users “to ask the question of your security teams, ‘Hey this looks suspicious, can you check it out for me?’”
The test on the DNC came as top national security officials on Wednesday afternoon held a closed-door briefing in the Senate on Russian election interference. “Everything we’ve done on Russia has not worked,” Sen. Lindsey O. Graham told reporters as he left the hearing, per Reuters. Others were underwhelmed. Sen. Bob Corker (R-Tenn.) called the briefing “perfunctory,” and Sen. James Lankford (R-Okla.) said the Trump administration's national security chiefs have been “repetitive” on election security, according to Politico's Martin Matishak.
-- Ellen Nakashima contributed to this report
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Sens. Amy Klobuchar (D-Minn.) and Lankford on Wednesday both said they were “disappointed” that the Senate Rules and Administration Committee postponed a meeting to consider the Secure Elections Act, whose provisions include requiring backup paper ballots for states that want to receive federal election funding to buy voting equipment. The committee's website indicates that a meeting to examine the bill, which would also require post-election audits, has been “postponed until further notice.” (I wrote about the bill last month.)
“Each and every day Vladimir Putin, hostile nations, and criminal forces devise new schemes to muck up our democracy and other infrastructure,” Klobuchar, who has promoted the bill alongside Lankford for several months, said in a statement. “When our nation is under attack from foreign governments there is a federal obligation to act.” Klobuchar blamed Republicans for the postponement of the meeting but praised Lankford and Sen. Roy Blunt (R-Mo.), the committee's chairman, for trying “valiantly to salvage the votes for this bill on the Republican side.” She added that recent changes to the legislation “were made to accommodate the Republican leadership” and said all Democrats on the panel were ready to support the bill.
I’m disappointed that there was yet another delay on the #SecureElectionsAct, but I appreciate @SenAmyKlobuchar @RoyBlunt & the Rules Committee. In the days ahead, I anticipate we will have a markup hearing on this issue & it will move to the Senate floor for final passage. pic.twitter.com/5dotJFtA6E— Sen. James Lankford (@SenatorLankford) August 22, 2018
Speaking on the Senate floor, Lankford expressed dismay about the postponement but said he anticipates that the bill will get a hearing “in the days ahead” and eventually a vote in the full Senate. “Election security is not a partisan issue, it is a democracy issue,” he said. “And we should take the security of our next election seriously, just like we take the security of our infrastructure seriously, our banking system seriously, our power and electrical grid, our water.”
PATCHED: Four members of the Senate Intelligence Committee on Wednesday asked Election Systems & Software, an election equipment vendor, whether the company would commit to supporting independent testing of its election systems. Sens. Kamala D. Harris (D-Calif.), the committee's vice chairman Mark R. Warner (D-Va.), Susan Collins (R-Maine) and Lankford wrote in a letter that they “are concerned that ES&S and other election system providers may not be prepared for the growing threats to our elections.”
In their letter to ES&S president and chief executive Tom Burt, the senators lamented the company's position on the Def Con security conference's Voting Village where hackers sought to explore vulnerabilities of voting equipment this month. “We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing,” the senators wrote. “We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks.” (I wrote here about the Def Con Voting Village.)
Among their questions to Burt, Harris, Warner, Collins and Lankford asked whether ES&S would allow “election agencies to arrange independent, qualified, good faith cybersecurity tests” of its election systems and make the results public. “Election agencies must be able to make informed decisions about what election equipment will help them conduct secure elections, and independent testing helps both election agencies and vendors,” the senators said.
PWNED: An apparent email mishap from the National Association of Secretaries of State on Wednesday showed that the controversy over the Def Con Voting Village has not settled yet. The association sent reporters an email that was meant for secretaries of state asking for input on a request from the Def Con Voting Village's team. The organizers of the village asked secretaries of state whether they'd like to express support for the hacking of election equipment for research purposes during the information security conference in Las Vegas.
“There are several Secretaries of State from around the country who have highlighted the Vote Hacking Village's findings and called for additional independent, third-party testing of voting equipment,” the email from the Voting Village organizers to NASS said. “We plan to release a statement praising these Secretaries of State for their commitment to security in our national election infrastructure. If you would like to be added to this list of Secretaries of State and include a quote, please let us know!”
NASS then wrote to the communication offices of secretaries of state and asked for their reactions to the request from the Def Con hackers. “I’m reaching out because I’m curious if all of you received it, if you are planning to respond and if so how you’ll respond?” Maria Benson, NASS's communications director, wrote in an email. “I know many of you would not provide a quote for a release you have not seen, but I wanted to check in with you all regardless.” Benson later sent another email to reporters to “recall” her previous message. NASS had expressed reservations about the voting village in an Aug. 9 statement, saying that it amounted to an “unrealistic” exercise.
Several reporters took note of the email:
From Politico's Eric Geller:
1. @VotingVillageDC asks secretaries of state to support their work.
2. @NASSorg gets ahold of their email, asks secretaries if they're responding.
3. NASS accidentally sends that email to reporters. https://t.co/IOcVOyC7Bs pic.twitter.com/MZ97L1KO8K
— Eric Geller (@ericgeller) August 22, 2018
From BuzzFeed News's Kevin Collier:
A funny thing just happened:
1 The DEF CON Voting Village emailed secretaries of state looking for allies
2 The SoS association, which is critical of the VV, incredulously emailed members about it
3 They accidentally sent *that* to their press list instead
4 I'll recall it fondly pic.twitter.com/tjIX0L6yRu
— Kevin Collier (@kevincollier) August 22, 2018
From reporter Kim Zetter:
Is anyone else troubled by the @VotingVillageDC soliciting quotes from government officials and even suggesting the wording of quotes those officials can use to express their support of the village's work? https://t.co/Hdvmq0vUpt — Kim Zetter (@KimZetter) August 22, 2018
— “The federal government is leading major industries in setting up anti-spoofing email security features, according to an industry report released Wednesday,” Nextgov's Joseph Marks reported. “More than 70 percent of federal government email domains are protected by the tool known as Domain-based Message Authentication, Reporting and Conformance, or DMARC, according to the report from the company ValiMail. That’s compared with just about 40 percent of the highest value U.S. tech companies, highest value U.S. banks and companies in the Fortune 500, according to the report.”
— The Verge published a deep dive into a fraudulent hacking scheme that resulted in more than $100 million in profits. “Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials,” Isobel Koshiw wrote on Wednesday. “Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts.”