Written by Chris Bing

Hackers have launched distributed denial-of-service attacks against at least two municipal-level Democratic campaigns in 2018, according to two people familiar with the matter. These incidents, which occurred as the campaigns were focused on primary elections, were publicly unknown prior to this report.

The malicious cyber-activity did not appear random, sources told CyberScoop. The attacks hit specific campaign websites at important moments, including during online fundraising periods. In another case, a website was hit while a candidate was receiving good publicity after a public speaking event.

The sources, who spoke on condition of anonymity to discuss privately held information, say that news of the incidents has already reached the Democrats’ largest campaigning bodies, the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC). Sources said they were told about the attacks by campaign officials and not cybersecurity experts, leaving a gap in their understanding of the events.

Raffi Krikorian, the DNC’s chief technology officer, said he was familiar with the attacks, but the campaigns were unable to provide any technical evidence.

“I have heard about these DDoS cases, but sadly there hasn’t been logs or it isn’t happening when we learn about it,” Krikorian told CyberScoop. “We need to get better at doing post-hoc analysis … like, what do you mean there are no logs?”

Each DDoS appeared to be strategically launched, sources told CyberScoop. Historically, criminal hackers have launched DDoS attacks for myriad reasons, including to extort companies by demanding payment before an attack would cease. In the two incidents, campaigns never received any such message.

It’s not yet clear to what degree the attacks were successful in disrupting the campaigns. The sources declined to provide the affected candidates’ names or the states where they sought office. CyberScoop reached out to over 30 different Democratic campaigns involved in the primaries. Nearly all of them either declined to comment or didn’t respond. The few that did answer had no knowledge of the events.

There has been no evidence to suggest the same types of attacks have hit congressional campaigns.

Experts say the lack of forensic evidence is unsurprising.

“Unlike larger organizations with dedicated IT security staff, smaller organizations are unlikely to have deployed instrumentation that would provide log evidence in the case of a DDoS (or many other types of cybersecurity incidents),” said Jake Williams, a former NSA hacker and the founder of Georgia-based Rendition Infosec.

The incidents are especially concerning because it fits into a pattern that’s becoming increasingly common, where political groups are silenced through a well-timed DDoS.

More than 500 Democratic candidates ran in recent primary elections across the country, including for state senate and house seats. A large number of them were coordinated in some fashion by either the DCCC, DNC or a state party group.

As of late June, information about the DDoS incidents had not yet been shared with the Department of Homeland Security. The department leads the federal government’s ongoing election cybersecurity efforts.

In an interview with CyberScoop at a cybersecurity conference on June 13, Christopher Krebs, the undersecretary for the department’s National Programs and Protection Directorate (NPPD), said he was unaware of any DDoS attacks aimed at the 2018 midterm elections.

There’s no existing law that currently compels political campaigns, which are private and temporary organizations by nature, to disclose when they’ve been breached or targeted by hackers.

“Cybersecurity of campaigns and elections is a bipartisan issue, and we have found that nearly everyone involved is taking it seriously,” said Matt Masterson, a senior cybersecurity adviser with NPPD. “In addition to the work we are doing with state and local officials, DHS has engaged with both major parties and their campaign committees to ensure they’re aware of our services and provide any cybersecurity advice or assistance they request.”

When asked about the attacks, DHS would not comment on any DDoS activity aimed at campaigns. The FBI, DCCC, DNC and Office of the Director of National Intelligence (ODNI) did not respond to a request for comment.

DDoS attacks work by sending large amounts of traffic from computer networks towards certain web domains. Over time, the flood of traffic can cause a targeted website to become unavailable, thereby shutting out normal visitors.

Senior U.S. intelligence officials widely predict that foreign governments will attempt to interfere in future U.S. elections. Experts expect nation-states to employ different techniques, in addition to social media trolls and others bots like what was seen during the 2016 campaign cycle.

One source who spoke to CyberScoop said that the Trump administration’s multiple public denials concerning Russia’s role in hacking into the DNC ahead of the 2016 presidential election left them without hope that the government would fully commit to protecting campaigns.

“Everything we’ve seen, what the [Homeland Security Secretary Kirstjen Nielsen] has said, you know, that she doesn’t believe Russian hackers tried to help Trump, that doesn’t exactly inspire a ton of confidence,” said one person familiar with the DDoS activity. “What makes you think they’d be helpful?”

Although senior U.S. officials continue to claim that they’ve yet to see any concrete threats against the 2018 midterms, a municipal-level primary race in Knox County, Tennessee, was hit with a DDoS attack earlier this year. As CyberScoop previously reported, investigators hired by the Knox County government later said that the DDoS may have been used as a smokescreen for a more covert intrusion. In this other, characteristically similar case, hackers attacked the central election results website, causing a delay in the publication of voting totals.

According to a U.S. official who spoke on condition of anonymity, the FBI is currently investigating the Knox County case.

Krebs said he was not in a position to confirm that the Knox County election disruption was in fact caused by a DDoS attack. The forensic investigation was originally led by a private cyber firm rather than a government agency.

DDoS attacks aimed at political campaigns have been seen outside of the U.S. On June 13, during a televised debate between Mexican presidential candidates, the National Action Party’s website was hit by a DDoS attack, according to Reuters. The website was offline while campaign staff were hoping that voters would research their candidate.

The National Action Party candidate, Andrés Manuel López Obrador, won the election in an landslide.

In May, Google subsidiary Jigsaw announced it was expanding access to a free DDoS-mitigation tool to U.S. political campaigns and other advocacy groups. When installed, the tool would sit on a campaign website’s backend, helping to detect and block artificial internet traffic that’s flooding the domain. The DCCC has been encouraging its campaigns to adopt this tool, known as “Project Shield.”

A Jigsaw spokesperson declined to comment on whether the initiative had already detected or blocked any DDoS attacks aimed at U.S. political campaigns.

In March 2017, Project Shield reportedly helped protect a Dutch voting-information website, Kieskompas, from a DDoS attack during the days leading up to an election. There was never any public information about attribution for that activity.