Presidential hopeful Hillary Clinton declared from the debate stage on Wednesday night that 17 intelligence agencies had determined that – in efforts to influence the upcoming presidential election – the Russian government was behind hacks into American websites and personal accounts.
Now comes proof from a private security research team that the account of John Podesta, the chairman of Hillary Clinton’s presidential campaign, was hacked by the GRU, the top military foreign-intelligence service of the Russian Federation, according to the New York Times.
The GRU achieved this, the Times reported, with a phishing attack that last March duped him into clicking on a phony Google login page that led to his volunteering his digital credentials.
The hackers had access to his email for months and subsequently shared his correspondence with WikiLeaks where it was published online early this month.
This news followed a claim by James Clapper Jr., the director of national intelligence, that Russians were behind a hack into the Democratic National Committee.
Evidence had been lacking to tie the two incidents together, but security researchers have concluded the two groups were indeed hacked by the same Russia-based attackers.
Dell SecureWorks, an Atlanta-based security company, was tracking GRU activity for more than a year, the Times reported, and detected that the hackers were using a popular URL-shortening site, Bitly, as they sent out their malicious links in phishing campaigns intended to get targets to click on fake Google login sites to dupe them into providing their email credentials.
But, a misstep by the GRU – exposing a number of their Bitly accounts – allowed the SecureWorks researchers, between October 2015 and May 2016, to monitor 9,000 of the intelligence service’s links to 4,000 Gmail accounts. And, among those were 100-plus email addresses tied to the Clinton campaign. A number of high-ranking Clinton staff members, including Podesta, were targeted by the ploy.
Update: In a followup call with SecureWorks, a spokesperson clarified that the company doesn’t have any insight into whether Podesta actually clicked through on the phish.
“SecureWorks only has insight into the Bitly links which were created and included in the reported spearphishing emails, which were being directed at a variety of Hillary Clinton campaign staffers as well as DNC staffers, etc. and it is the Bitly service which provides details as to if the links were clicked,” the spokesperson told SCMagazine on Friday. “What we DO NOT have insight into is whether once a link was clicked, if any of the recipients of the links actually provided any of their Gmail credentials.”
SecureWorks did confirm it did see that there were short links created to target Podesta’s Gmail account and those short links were created by a Bitly account which was registered by the Fancy Bear group, which it said it believed is working out of Russia. “We cannot say whether those short links were clicked by Mr. Podesta or who clicked them, and if any credentials were entered once the links were clicked.”
Regardless, the same bit.ly URL likely used to dupe Podesta was, according to the Times, also used in hacking attempts of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), former Secretary of State Colin Powell and other Democrats. The URL has been coupled with the hacker group Fancy Bear, also known by various other names like APT 28 or Tsar Team (SecureWorks refers to the group as Threat Group -4127). While not much is known about the group other than that it is based in Russia, the group reportedly gets its orders from the top tier of the Russian government and, according to a White House statement last week, its activities “are intended to interfere with the U.S. election process.”
In a report SecureWorks published in June, it explained how the hack worked:
“The Russian hackers targeted the Google email accounts of the DNC and Clinton Campaign workers, sending the staffers a spear-phishing email, which included shortened Bitly links which actually led to a fake Google login page. The page which appears was prepopulated with the victim’s google username and asked for the email user’s credentials, claiming that theirs had expired. If the credentials were entered by the target, the Russian hackers could log into the victim’s Google account and ultimately steal all of their email and anything they had associated with their Google account.”
Despite the reporting in the New York Times article, SecureWorks told SCMagazine.com on Friday that its CTU security researchers do not have evidence that the DNC spearphishing emails are connected to the DNC network compromise that was revealed on June 14 by Crowdstrike. “A coincidence seems unlikely, and CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network.”
“The new public data confirming the Russians are behind the hack of John Podesta’s email is a big deal,” Jake Sullivan, senior policy adviser to Hillary for America, said in a statement on Thursday. “There is no longer any doubt that Putin is trying to help Donald Trump by weaponizing WikiLeaks.”