DNC: Alleged hacking attempt was only a ‘test’

UPDATE:

DNC chief security officer Bob Lord said just before midnight Wednesday that the phony website that created fears of a new cyberattack was in fact just part of a "simulated ... test," and was created by an unnamed "third party."


The test "mimicked several attributes of actual attacks on the Democratic Party's voter file," Lord added in a statement, but it did not compromise sensitive data.

"There are constant attempts to hack the DNC and our Democratic infrastructure, and while we are extremely relieved that this wasn't an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks," he added.



PREVIOUS STORY:

The Democratic National Committee was the target of a new hacking attempt, this time aimed at its massive voter database.

The unknown attackers set up a fake version of a login page made to look like it belonged to the Democratic data firm NGP VAN. It was intended to trick people with access to the committee's voter file into handing over their passwords, according to the DNC and the security firm Lookout.


“This attempt is further proof that there are constant threats as we head into midterm elections and we must remain vigilant in order to prevent future attacks,” DNC Chief Security Officer Bob Lord said in a statement. “While it’s clear that the actors were going after the party’s most sensitive information — the voter file — the DNC was able to prevent a hack by working with the cyber ecosystem to identify it and take steps to stop it.”

The fake login page for the data firm's VoteBuilder tool was the first stage of a "spearphishing" campaign. Next, hackers would have emailed Democrats with access to VoteBuilder and encouraged them to log into the fake site, at which point they would have captured their usernames and passwords.

“It was an exact copy,” Mike Murray, vice president of security intelligence at Lookout, told POLITICO in an interview. “If you looked at the two sites side by side, I don’t think you could tell the difference.”

Russian government hackers used the same technique to hack Hillary Clinton campaign Chairman John Podesta during the 2016 presidential race, according to an indictment from special counsel Robert Mueller. That breach led to a months-long political nightmare for the Democratic Party, including the exposure of internal documents that widened the rift between the party's Clinton and Bernie Sanders wings, as well as a daily release of Podesta's emails just as Donald Trump's White House hopes were threatening to tank.

Earlier this week, Microsoft said it detected a similar scheme that set up phony websites for the Senate and two conservative think tanks.

Lookout has not yet identified any foreign government or other actor as the culprit behind the latest spearphishing site, Murray said.

“We believe that this was the beginning of a sophisticated attempt to hack into our voter file and we are treating it as such,” said a Democratic official, speaking on background to discuss an active investigation. The DNC immediately notified law enforcement.

“No bad actors were able to access VoteBuilder or change or delete any of our voter file information,” the official said.

Almost immediately after the fake website went online on Monday evening, one of Lookout’s artificial intelligence monitoring systems automatically flagged it for researchers. Several hours later, Lookout contacted Lord, NGP VAN and DigitalOcean, the hosting company where the hackers had set up the page.

“On early Tuesday morning, DigitalOcean became aware of a potential threat to the DNC originating from its platform,” Chief Security Officer Josh Feinblum said in a statement. “We began taking immediate steps to address the threat. We are continuing to partner with the DNC and appropriate law enforcement agencies on this issue.”

Lookout said in a statement that DigitalOcean removed the site “within hours.”

“Now that we’ve detected this site, we’re taking what we can learn from it and retraining our AI engine to detect more things like this,” Murray told POLITICO.

Lookout researchers don’t yet know how their system caught this nascent attack. “The work to figure out why [an artificial intelligence system] makes decisions in the way it makes them is often relatively long,” Murray said.

The AI platform catches approximately 4,000 phishing campaigns every month, Murray said. Most of them are based on generic software available for purchase on the dark web, but “this one was relatively customized.”

He praised the DNC and the tech companies for their quick and efficient coordination. “We all got on the phone, worked really quickly, and worked really well together, to make sure this didn’t turn into one of those bad stories,” he said.

Lord briefed state party leaders about the incident during a conference of the Association of State Democratic Committees in Chicago, according to the Democratic official.

The FBI and the Department of Homeland Security declined to comment.

“These threats are serious and that’s why it’s critical that we all work together, but we can’t do this alone,” Lord said. “We need the [Trump] administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks.”

