The campaign organization for House Republicans was the victim of a cyberattack that exposed email accounts to an unknown intruder during the 2018 election cycle, people familiar with the matter said.
It wasn’t known whether a foreign government was behind the intrusion into the computer networks of the National Republican Congressional Committee, a person familiar with the case said. But the intruder was “sophisticated, based on their tactics and methods,” and the intrusion “was clearly designed to hide the tracks of who it was,” this person said, speaking on the condition of anonymity because the matter is under investigation.
The intrusion was first reported by Politico, which said senior House Republicans, including Speaker Paul D. Ryan (R-Wis.), as well as rank-and-file members weren’t told of the breach until the news organization inquired about the episode with the committee on Monday.
“The NRCC can confirm that it was the victim of a cyber intrusion by an unknown entity,” said Ian Prior, a committee spokesman.
“The cybersecurity of the committee’s data is paramount, and upon learning of the intrusion, the NRCC immediately launched an internal investigation and notified the FBI, which is now investigating the matter. To protect the integrity of that investigation, the NRCC will offer no further comment on the incident,” Prior said.
A spokeswoman for the FBI declined to comment.
The committee discovered the breach in April, said a person familiar with the case. Officials conducted an internal investigation, contacted the bureau within days and “gave the FBI everything they asked for,” the person said.
CrowdStrike, a cybersecurity firm, already had been retained by the committee.
The breach was discovered by a different company that was providing “managed security services” to monitor the network for breaches, the person said.
The committee did not publicize the breach because, the person added, officials were trying to shield the investigation and not tip off the intruders. “It gets out and becomes harder to investigate,” the person said.
It’s unlikely the breach involved personal information, such as Social Security and credit card numbers, because that would have required victim notification under state law, said Michael Sussmann, a cybersecurity lawyer with Perkins Coie who handled the response to the Democratic National Committee breach during the 2016 election. All 50 states and the District of Columbia require notice within 30 days upon discovery of a breach of personal data, he said, noting that, had that happened, the story likely would have surfaced sooner.
The NRCC intrusion bears similarities to the DNC breach in 2016, in which Russian hackers stole emails of senior committee officials.
But in that case, the Russians gave the emails to WikiLeaks, which published them ahead of the Democratic National Convention. The emails revealed that committee leaders had supported Hillary Clinton as the likely nominee, even though they had publicly claimed not to have a preferred candidate.
There is no indication that any NRCC emails were made public.
One security expert said the committee may have erred in not disclosing the breach.
“The information extracted from this operation could have been of extremely high value for foreign intelligence services,” said Brett Bruen, a National Security Council official in the Obama administration who is now president of the Global Situation Room, a crisis communications firm. “It would provide them with critical insights into the plans, weaknesses and interests of key GOP officials and candidates. By not being transparent about this clear vulnerability to our democracy, the NRCC placed the interests of party over those of the country.”