False Alarm: Phishing Attack Against DNC Was Just a TestUnannounced Exercise Stoked Voter Database Hacking Fears
A website that appeared to be part of a phishing campaign designed to gain access to the Democratic National Committee's voter database has turned out to be part of an uncoordinated security exercise. The false alarm has highlighted the benefits of actively monitoring for election interference efforts.
At first, the DNC believed that the phishing site was designed to steal access credentials for its cloud-based voter database.
On Thursday, however, the DNC said it had traced the fake site's creation to the Michigan Democratic Party, which hired a third-party contractor to conduct a phishing test, the Washington Post reports. But that branch of the party failed to notify the national DNC, which swiftly reported the phishing site to the FBI after it was discovered.
The bogus website mimicked the login page for a web-based service used by the DNC called Votebuilder, which is maintained by a progressive-leaning technology company, NGP VAN. It contains the DNC's database of voters.
The discovery of the bogus website put many on edge because of the information-stealing campaign Russia began waging two years ago ahead of the 2016 U.S. presidential election (see How Should US React to Alleged Hacks by Russia?).
U.S. intelligence agencies concluded that Russia created bogus login pages for services such as Gmail and Yahoo to commandeer the email accounts of top Democratic officials, as part of a wide-ranging interference campaign that also employed social media.
Officials have repeatedly warned this year that Russia continues to target the U.S. - including election infrastructure and politicians - ahead of the Nov. 6 midterm elections (see Russia Will Meddle in US Midterm Elections, Spy Chief Warns).
DNC: Not A Bad Test, Actually
At first glance, the lack of coordination between DNC headquarters and its Michigan chapter might seem embarrassing. But security experts say this was a perfect tabletop exercise designed to test alert mechanisms and response times.
"Ignore the smug and partisan sniping-to-come [regarding the] attempted DNC hack: a mock red-team attack that is closely held and quickly discovered is exactly what you want to happen," writes Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, on Twitter. "This is probably a good thing."
Ignore the smug and partisan sniping-to-come re: attempted DNC hack: a mock red-team attack that is closely held and quickly discovered is exactly what you want to happen. This is probably a good thing. https://t.co/wdnsepJWAb— Thomas Rid (@RidT) August 23, 2018
In a tweet, Bob Lord, CSO of the DNC, said actions will be taken to ensure the organization isn't caught off guard again. Even so, he believes that in this discovery of an alleged phishing campaign, "some things went really well."
While we're going to implement guardrails so we're informed of advanced security testing, some things went _really_ well: The security community gathered and made some tough calls quickly. Also, the internal the flow of information was fast within the DNC, and to state parties.— Bob Lord (@boblord) August 23, 2018
Kudos for the discovery of the fake DNC voter database login page goes to mobile security firm Lookout. Mike Murray, who leads San Francisco-based Lookout's security intelligence group, says the company has built a system to quickly detect potential phishing sites before attackers can send out emails with links to the bogus pages.
Murray says his team discovered the phishing site within 30 minutes of it going live.
Lookout continued to monitor the site as it was under development, noticing that within an hour a username and password field had also been added, Murray writes. Eventually, the site evolved into a site "meant to phish someone who would typically access the NGP VAN site on a laptop or mobile device," he writes.
Lookout reached out to the DNC, NGP VAN and DigitalOcean, which hosted the site, and it was taken down within hours, Murray says.
"The thing about 'false alarms' is that you don't know that they're false until you've showed up to investigate," Murray says in a postmortem comment on Twitter. "All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible."
Too Late to Save Midterms?
Phishing was one of the primary methods used by foreign actors to attack the DNC in 2016. Top Democratic officials were sent links to fake login pages that asked for their credentials for services such as Yahoo and Gmail.
Subsequently, some officials - most notably Hillary Clinton's campaign chairman John Podesta - saw their stolen emails and documents get released through WikiLeaks, on a WordPress site run by Guccifer 2.0, as well as on a site called DCLeaks. Security experts believe the latter two are the work of a hacking group called Fancy Bear - aka APT28, among other names - which has been tied to Russia's GRU military intelligence agency.
The GRU's dumping of stolen material, combined with coordinated social media campaigns designed to amplify existing divisions in U.S. society and to stir discontent, stands as one of most dramatic uses of internet technology designed to interfere with an election that has been seen to date.
While the U.S. is now aware of the complications and scale of the problem, Facebook's former CSO, Alex Stamos, contends that it may be too late to implement significant changes, at least in time for this year's U.S. midterm elections (see Secure 2018 US Elections: It's Too Late).
(Executive Editor Mathew Schwartz also contributed to this story.)