Ashcroft calls report of Russian hackers targeting McCaskill 'a whole lot of nothing'

Missouri's top election official is questioning the potential damage from Sen. Claire McCaskill's reported targeting by Russian hackers while assuring Missourians that wanna-be election meddlers will not succeed under his watch.

"In a sense, this is a whole lot of nothing," Secretary of State Jay Ashcroft said Monday.

The Daily Beast, a U.S. news website, reported last week that McCaskill, D-Missouri, was targeted by the same Russian hacking group that successfully obtained emails from the Democratic National Committee and promoted lies on social media in 2016.

More: Jay Ashcroft offers overview of election security measures

Hackers fabricated an email sign-on page purportedly for a staffer with an official McCaskill Senate email address, according to the Daily Beast. This type of trickery is similar to the hacking that duped John Podesta, campaign chairman for Hillary Clinton, in 2016.

"I bet there have been countless attempts in the last year," said Ashcroft, a Republican. "It's important that we defend against it, but it's happening all the time."

The Daily Beast reporters noted they checked statements a Microsoft official made at a cybersecurity conference and independently discovered evidence McCaskill was targeted. Ashcroft questioned why the story was being made public roughly a year after the attempt and said he was concerned about "strictly partisan political purposes" that might dissuade people from getting involved in the process.

"I want to be polite to our sitting senator. She's in a race, but why do you bring up something that happens multiple times a day to anyone?" Ashcroft wondered.

He added that he hadn't spoken with McCaskill or her office about the incident but would be happy to assist: "We'd be glad to help her investigate it and make sure her staff were well trained."

McCaskill's office declined to comment beyond her previous public statements to news outlets in St. Louis and her statement last week after the news broke.

More: Jay Ashcroft doesn't think foreign hackers could mess with Missouri elections.

Speaking to KMOV-TV, McCaskill said her office knew about the attack "for some months" prior to the Daily Beast's report because Microsoft contacted U.S. Senate personnel.

"Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable," McCaskill said in a statement last week. "While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, (Russian President Vladimir) Putin is a thug and a bully."

Ashcroft also said he had not communicated with Attorney General Josh Hawley's office regarding the Russian hacking attempt. Hawley is the front-running Republican challenging McCaskill, who is seeking a third term.

Previously, Hawley's campaign had responded to a question about President Donald Trump's unwillingness to acknowledge Russian interference in the 2016 elections by saying it was "time for Democrats and the media to move on." On Monday, Hawley's spokeswoman took a firmer stance.

"Russia is a bad actor and we should not tolerate or ignore their attempts to disrupt either American commerce or democracy," Hawley campaigns spokeswoman Kelli Ford said. "Senator McCaskill is fortunate that her staffer did not click on the link and give away her personal information and passcodes. This is an important reminder that scam emails and malicious phishing can target anyone."

Ashcroft reiterated that he believes Missouri's election infrastructure is secure, consistent with his message six months ago when a News-Leader reporter asked him about the prospect of foreign interference.

More: Blunt, McCaskill condemn Trump for siding with Putin. Hawley brings up Hillary

"The people of the state should know: Their election is not going to be changed by Russians or Serbians or Chinese or people from Arkansas," Ashcroft said.

The attack variant used in the McCaskill and Podesta incidents is known as phishing, in which fraudsters aim to deceive targets into providing sensitive information or access by sending them a deceitful email, link or attachment. Phishing with individual targets is known as spear-phishing.

"I couldn't even begin to tell you how many phishing or suspected phishing emails we get at our office," Ashcroft said. "Everyone that has an email account has gotten a phishing email at one point or another."

As a result, "there is a lot of training that we do to make sure people recognize phishing or spear-phishing," he said. Additionally, the Missouri secretary of state's office has software that "helps to strip away potential concerns" and regulates outbound traffic, he said. "We block far more than just web traffic."

Greene County Clerk Shane Schoeller said his office does its own spear-phishing training and said local election officials take steps to safeguard the voting machines themselves, too.

None of the voting machines are ever connected to the internet and the flash drives that contain voting results are protected by a "heavy layer of encryption," Schoeller said. The machines themselves are guarded by physical seals, which election judges inspect before polls open, he said.

After voting, results are uploaded to a computer that is not connected to the internet; the results are then saved to another, encrypted storage device, Schoeller said, uploaded to another computer connect to the internet, and the results are uploaded from there.

and Schoeller both projected voter turnout at the Aug. 7 elections to be up to 25 percent. Ashcroft noted that turnout could be higher in Greene County because of the "somewhat heated" Republican primary for presiding commissioner.

MORE: McCaskill confirms attempted hack by Russians

How to protect yourself

Spear-phishing is "kind of lazy" and unsophisticated, said Tanner Johnson, a senior cybersecurity analyst living in Springfield. But it can be effective if just one person makes a mistake and clinks a shady link.

"It bypasses all those high-tech counter-measures, simply because of user error," Johnson said.

"Digital vigilance" were Johnson's watch-words when the News-Leader asked what folks could do to stay safe from phishers:

Maintain and regularly update software to have the latest version and added protections against the newest vulnerabilities

Change passwords regularly, use a unique password for each service, and use a password management tool to automatically generate random passkeys

Check whether an email address you use has been compromised in a major data breach; tools like haveibeenpwned.com are free to use to gauge your exposure

When possible, use multi-factor authentication for services you use

You'll want to secure your phone with a passcode, and you'll also want to make sure your mobile devices aren't stolen

MORE: Missouri AG warns of phone, email scams seeking tax info