What the Democratic National Committee this week thought was an attempted hack of its valuable voter file turned out to be a security test organized by a state party, unbeknown to the national organization.
The committee on Tuesday alerted the FBI to a fake online portal it thought had been set up as an elaborate attempt to trick DNC staff into giving up their log-in credentials — through a hacking technique known as “phishing” — as a way to gain access to the party’s VoteBuilder database.
Late Wednesday night, DNC Chief Security Officer Bob Lord reversed course. “We, along with the partners who reported the [fake] site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder,” he said in a statement.
The false alarm raised fears that the DNC was being targeted again by a malicious foreign government, as it came two years after Russian spies hacked its computers and released thousands of emails online, throwing the party into disarray in the midst of a presidential election.
Election security is a hot topic, and the Trump administration is facing criticism that it has not done enough to safeguard the November midterm vote.
The mix-up resulted from a state Democratic organization seeking to test employees’ ability to avoid falling prey to phishing attempts.
The test was conducted at the behest of the Michigan Democratic Party, using “white-hat” security personnel with the group DigiDems, who provided their services to create the mock site, a Democratic official said. The state party did not notify the national committee or NGP, the firm that hosts the voter database, the official said.
“The test, which mimicked several attributes of actual attacks on the Democratic Party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors,” Lord said.
The mock site was discovered by a San Francisco-based security firm, Lookout, which has built a system that scours the Internet for such sites. Lookout contacted DigitalOcean, the firm that hosted the fake site. NGP also was informed. Shortly after midnight Tuesday, Lookout alerted Lord.
After some investigation, all concurred that the site appeared to be a system set up for malicious purposes, a party official said. It did not exhibit features of a phishing test system, the official said. Phishing tests usually have a page that informs users they should not have clicked on a link and an online tutorial on recognizing phishing scams, the official said.
Michigan party officials told the DNC on Wednesday afternoon that they had ordered the test. They were “a little embarrassed, but they did the right thing and told us right away,” said a DNC official, who spoke on the condition of anonymity because the matter remains sensitive. “They didn’t let it linger.”
Lord said he’s not seeking to punish anyone. “I’m not interested in slowing down people who want to do legitimate and appropriate testing,” he said in an interview. But the national party is likely to issue guidance, he said, “which is if you’re building any sort of attack framework, white-hat testing, we need to be aware of that so we can factor that into our decision-making.”