Now, DNC Chief Security Officer Bob Lord has updated information. “We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder,” Lord said in a statement provided to my colleague Ellen Nakashima. VoteBuilder houses the Democratic party's voter file.
“While we are extremely relieved that this wasn't an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks," he continued.
A person familiar with the incident said this morning that it was a test organized by the Michigan Democratic Party, which brought on a group of volunteer white hat hackers, DigiDems, to do "penetration testing" of the voter file. They did so without notifying the DNC.
"The test, which mimicked several attributes of actual attacks on the Democratic party's voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors," Lord said.
Mike Murray, the vice president of the cybersecurity firm Lookout, which first uncovered the phishing attempt, had this to say about the test:
Still, the episode offers a potent reminder that “spearphishing” techniques — which involve hackers posing as a trusted source to access private information — are a top concern for political organizations.
Russian hackers used these techniques in 2016 to infiltrate Democratic organizations and the Hillary Clinton campaign, which was compromised after an assistant to campaign manager John Podesta was fooled by a malicious email disguised as a security notification from Google. After two years, it’s cropping up again: in the span of a month we’ve seen a flurry of reports about apparent spearphishing attempts against political institutions and candidates — and there’s no reason to expect hackers will stop using this tried-and-true method any time soon.
“Spearphishing continues to take advantage of the lowest common denominator in cybersecurity today — people,” said Jay Kaplan, a former National Security Agency analyst who now runs the cybersecurity firm Synack.
“There is no silver-bullet solution to protect against these types of attacks, making it one of the easiest and most simplistic attack vectors deployed by malicious actors today,” Kaplan told me. “The DNC can have the most robust security in the world, with bank-level encryption protecting their voter registration data, but if someone with privileged access to that database is compromised, it effectively allows an attack to walk right through the front door.”
Fortunately, the DNC appears to have passed the test carried out against the organization. Lookout picked up the fraudulent DNC log-in page when its detection tool for phishing sites was triggered, and notified the committee within hours, as my colleagues reported.
Still, it was just the latest in a series of worrying reports of such activity ahead of the November midterms.
This week, Microsoft revealed that the Russian government-backed hacking group APT28 had created websites designed to look like political think tanks and U.S. Senate-affiliated pages in what had the trappings of a spearphishing effort. Last week, Rolling Stone reported that a candidate running against Rep. Dana Rohrabacher (R-Calif.), one of the most Russia-friendly members of Congress, had been successfully spearphished by clicking on a malicious email link. And late last month, Microsoft said it helped block spearphishing attacks against three congressional candidates by hackers from Russia’s military spy agency. Sen. Claire McCaskill (D-Mo.) said she was among those targeted.
Even when spearphishing attempts fail, bad actors have no trouble coming back for more. For one thing, it doesn’t cost much to keep trying, said Christopher Scott, chief technology officer and remediation lead for IBM’s X-Force IRIS, which conducts incident response and threat intelligence.
“You’re just trying to get one person to click,” Scott told me. “If I get one person to click and enter credentials, I’ve gotten the capability — and I can throw thousands of messages out to a company.”
Spearphishing is tough to deflect, Scott said, but there are ways to guard against it. Part of the solution is simply a matter of getting people to keep their guard up.
“When we get a message, we want to see what it’s about. We don’t pause and say, ‘Is this suspicious?’” Scott told me. It’s important for organizations to teach users “to ask the question of your security teams, ‘Hey this looks suspicious, can you check it out for me?’”
The test on the DNC came as top national security officials on Wednesday afternoon held a closed-door briefing in the Senate on Russian election interference. “Everything we’ve done on Russia has not worked,” Sen. Lindsey O. Graham told reporters as he left the hearing, per Reuters. Others were underwhelmed. Sen. Bob Corker (R-Tenn.) called the briefing “perfunctory,” and Sen. James Lankford (R-Okla.) said the Trump administration's national security chiefs have been “repetitive” on election security, according to Politico's Martin Matishak.
-- Ellen Nakashima contributed to this report
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Sens. Amy Klobuchar (D-Minn.) and Lankford on Wednesday both said they were “disappointed” that the Senate Rules and Administration Committee postponed a meeting to consider the Secure Elections Act, whose provisions include requiring backup paper ballots for states that want to receive federal election funding to buy voting equipment. The committee's website indicates that a meeting to examine the bill, which would also require post-election audits, has been “postponed until further notice.” (I wrote about the bill last month.)
“Each and every day Vladimir Putin, hostile nations, and criminal forces devise new schemes to muck up our democracy and other infrastructure,” Klobuchar, who has promoted the bill alongside Lankford for several months, said in a statement. “When our nation is under attack from foreign governments there is a federal obligation to act.” Klobuchar blamed Republicans for the postponement of the meeting but praised Lankford and Sen. Roy Blunt (R-Mo.), the committee's chairman, for trying “valiantly to salvage the votes for this bill on the Republican side.” She added that recent changes to the legislation “were made to accommodate the Republican leadership” and said all Democrats on the panel were ready to support the bill.
Speaking on the Senate floor, Lankford expressed dismay about the postponement but said he anticipates that the bill will get a hearing “in the days ahead” and eventually a vote in the full Senate. “Election security is not a partisan issue, it is a democracy issue,” he said. “And we should take the security of our next election seriously, just like we take the security of our infrastructure seriously, our banking system seriously, our power and electrical grid, our water.”
PATCHED: Four members of the Senate Intelligence Committee on Wednesday asked Election Systems & Software, an election equipment vendor, whether the company would commit to supporting independent testing of its election systems. Sens. Kamala D. Harris (D-Calif.), the committee's vice chairman Mark R. Warner (D-Va.), Susan Collins (R-Maine) and Lankford wrote in a letter that they “are concerned that ES&S and other election system providers may not be prepared for the growing threats to our elections.”
In their letter to ES&S president and chief executive Tom Burt, the senators lamented the company's position on the Def Con security conference's Voting Village where hackers sought to explore vulnerabilities of voting equipment this month. “We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing,” the senators wrote. “We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks.” (I wrote here about the Def Con Voting Village.)
Among their questions to Burt, Harris, Warner, Collins and Lankford asked whether ES&S would allow “election agencies to arrange independent, qualified, good faith cybersecurity tests” of its election systems and make the results public. “Election agencies must be able to make informed decisions about what election equipment will help them conduct secure elections, and independent testing helps both election agencies and vendors,” the senators said.
PWNED: An apparent email mishap from the National Association of Secretaries of State on Wednesday showed that the controversy over the Def Con Voting Village has not settled yet. The association sent reporters an email that was meant for secretaries of state, asking for input on a request from the Def Con Voting Village's team. The organizers of the village asked secretaries of state whether they'd like to express support for the hacking of election equipment for research purposes during the information security conference in Las Vegas.
“There are several Secretaries of State from around the country who have highlighted the Vote Hacking Village's findings and called for additional independent, third-party testing of voting equipment,” the email from the Voting Village organizers to NASS said. “We plan to release a statement praising these Secretaries of State for their commitment to security in our national election infrastructure. If you would like to be added to this list of Secretaries of State and include a quote, please let us know!”
NASS then wrote to the communication offices of secretaries of state and asked for their reactions to the request from the Def Con hackers. “I’m reaching out because I’m curious if all of you received it, if you are planning to respond and if so how you’ll respond?” Maria Benson, NASS's communications director, wrote in an email. “I know many of you would not provide a quote for a release you have not seen, but I wanted to check in with you all regardless.” Benson later sent another email to reporters to “recall” her previous message. NASS had expressed reservations about the voting village in an Aug. 9 statement, saying that it amounted to an “unrealistic” exercise.
Several reporters took note of the email, including Politico's Eric Geller, BuzzFeed News's Kevin Collier and reporter Kim Zetter.
— “The federal government is leading major industries in setting up anti-spoofing email security features, according to an industry report released Wednesday,” Nextgov's Joseph Marks reported. “More than 70 percent of federal government email domains are protected by the tool known as Domain-based Message Authentication, Reporting and Conformance, or DMARC, according to the report from the company ValiMail. That’s compared with just about 40 percent of the highest value U.S. tech companies, highest value U.S. banks and companies in the Fortune 500, according to the report.”
— The Verge published a deep dive into a fraudulent hacking scheme that resulted in more than $100 million in profits. “Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials,” Isobel Koshiw wrote on Wednesday. “Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts.”