Julian Assange said "a 14 year old could have hacked Podesta" - why was DNC so careless? Also said Russians did not give him the info! — Donald J. Trump (@realDonaldTrump) January 4, 2017 Source: twitter.com

In a report released Friday afternoon, the United States intelligence community claimed that Russian president Vladimir Putin was responsible for ordering a campaign to undermine public faith in the 2016 United States presidential election in general and Hillary Clinton’s campaign in particular. The declassified version of the report does not include the full supporting evidence that the government agencies relied on to make their assessment.

But what if you’d rather not take the government’s word for it? Reports released last summer by information security companies provide some publicly available evidence about the source of the attacks.

Phishing for Podesta

During the month leading up to the United States presidential election, WikiLeaks published daily releases of thousands of emails from Mr. Podesta’s Google account. One of the emails published by WikiLeaks in late October is a “spear phishing” email that could have been used by hackers to learn the password for Mr. Podesta’s email account.

Spear phishing is a term used to describe a type of hack that often uses an official-looking email that includes personal information like a name or photograph and appears to be sent by a person or business with whom the target is familiar. The email contains an attachment that it asks the target to download, or a link to be clicked.

Sоmeоne has yоur passwоrd

Hi John



Someone just used your password to try to sign in to your Google Account john.podesta@gmail.com.



Details:

Saturday, 19 March, 8:34:30 UTC

IP Address: 134.249.139.239

Location: Ukraine

Google stopped this sign-in attempt. You should change your password immediately.



CHANGE PASSWORD



Best,

The Gmail Team

You received this mandatory email service announcement to update you about important changes to your Google product or account.

Source: wikileaks.org

In Mr. Podesta’s case, the message looks nearly identical to the alarming security emails Google sends to users of its email service when it thinks a password may have been compromised by someone in a different city or country trying to log in. But the “CHANGE PASSWORD” link in this email doesn’t go to Google’s account security page. Instead, it’s a Bitly link.

https://bit.ly/1PibSU0

Bitly is a public link shortening service popular for turning long, awkward web addresses into short links that can be easily typed into a phone, or shared on social media. In this case, the Bitly link served as a mask, hiding the real destination of the address from careful scrutiny, and potentially from Google’s automatic anti-phishing defenses.

The short Bitly link expands into a longer one pointing to a page on com-securitysettingpage.tk, a web domain set up by the hackers.

http://myaccount.google.com-securitysettingpage.tk/
security/signinoptions/password?
e=am9obi5wb2Rlc3RhQGdtYWlsLmNvbQ==
&fn=Sm9obiBQb2Rlc3Rh
&n=Sm9obg== …

What appear to be garbled letters and numbers in the link are actually straightforward encodings of Mr. Podesta’s personal information.

http://myaccount.google.com-securitysettingpage.tk/
security/signinoptions/password?
e=john.podesta@gmail.com
&fn=John Podesta
&n=John …

The remainder of the expanded link contains the address to the public photograph for Mr. Podesta’s Google account, and a unique identifier that could be used to track this particular email and phishing attempt.
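The check below is an added example, not part of the original article: it takes the expanded link as printed above (the elided remainder is left out), decodes the Base64 query parameters, and tests whether the host really belongs to google.com. The trusted-domain list and the function names are assumptions made for the illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# The expanded link as printed in the article; the article elides the rest.
EXPANDED = ("http://myaccount.google.com-securitysettingpage.tk/"
            "security/signinoptions/password?"
            "e=am9obi5wb2Rlc3RhQGdtYWlsLmNvbQ==&fn=Sm9obiBQb2Rlc3Rh&n=Sm9obg==")

# Assumption for this example: domains a genuine password-change link may use.
TRUSTED_DOMAINS = ("google.com",)


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.

    Comparing whole DNS labels (exact match, or a suffix that starts with '.')
    rejects 'myaccount.google.com-securitysettingpage.tk', where 'google.com'
    merely appears at the front of a name registered under .tk.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def decode_b64_params(query):
    """Return {name: text} for query parameters that decode as Base64 text."""
    decoded = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = value.replace(" ", "+")        # parse_qsl turns '+' into ' '
        padded = value + "=" * (-len(value) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                            # not Base64 text, skip it
        decoded[name] = text
    return decoded


def triage(url):
    """Summarise a link the way a mail filter or analyst would want it."""
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "trusted": host_is_trusted(parts.hostname),
        "personal_data": decode_b64_params(parts.query),
    }


if __name__ == "__main__":
    print(triage(EXPANDED))
```
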


The hackers’ link is no longer active, but earlier last year it displayed the fake login page seen below. To further persuade a target, that malicious page could have been filled in with the name and photograph from the Bitly link to create a nearly perfect reconstruction of what the target would normally see when logging in to a Google account. The only obvious hint that something was amiss would be the com-securitysettingpage.tk domain in the address bar.

If Mr. Podesta had entered his password on that page, he would in effect be giving it directly to the hackers, enabling them to get access to his email account. And if he had reused that password to log into any other system, like the Clinton campaign’s network, the hackers would have been able to get access to that system as well.

The joint Federal Bureau of Investigation and Department of Homeland Security report on Russian malicious cyberactivity issued on Dec. 29 illustrates a strikingly similar process executed against a United States political party, in which an adversary uses an email containing a malicious link to recover a password, giving the hackers access to a targeted system. The report claims that the fake login page was hosted on a domain controlled by Russian intelligence services.

Who were the targets?

The attackers made a mistake. Until May of last year, the Bitly website provided a little-used feature that allowed anyone to look up a list of all of the links shortened by a particular account. A team at SecureWorks, an information security company, noticed a large-scale spear phishing campaign being conducted against Google accounts using Bitly links in mid-2015.

By checking Bitly every day for new short links being posted by the account, SecureWorks’ Counter Threat Unit team was able to watch the hackers target their victims as it happened. Alarmed, the team began to work with United States law enforcement agencies.

At first, from mid-2015 until March 2016, the team observed the hackers as they used this tactic to target roughly 1,800 Google accounts belonging primarily to individuals in Russia and states formerly in the Soviet Union, although government, diplomatic and military targets in the United States and Europe were targeted as well. The press officer for the prime minister of Ukraine was targeted, as were political and military leaders in Ukraine and Georgia, Russian dissidents and Syrian rebel leaders.

Between March 2016, when the United States primary elections were in full swing, and May, when a redesign of the Bitly site removed the feature that was allowing SecureWorks to track the attacks, the hackers began to target Mrs. Clinton’s presidential campaign and the Democratic National Committee.

In that time period, the hackers sent 213 malicious Bitly links to 108 Google email addresses associated with the Clinton campaign. Twenty of those links were clicked.

The hackers sent 16 Bitly links to nine official email addresses at the D.N.C., and four of those links were clicked. Also targeted were 26 other personal Gmail.com addresses associated with the Clinton campaign, the D.N.C. or national politics.

In a statement, Rob Platzer, the chief technical officer of Bitly, said, “spammers and phishers create new bad domains at a high rate, and they’re not on our radar until they’ve been flagged by our sources,” and that the company had blocked the links and accounts related to this attack as soon as they were informed of them.

Over the course of a year, the SecureWorks team watched as over 5,000 Google accounts — mostly in Russia and states formerly in the Soviet Union — were targeted in the same manner. By searching for online profiles associated with the email addresses that had been attacked, the team was able to identify roughly half of the targets. They found that of the targets outside the former Soviet Union, most were government or military personnel, aerospace professionals, political activists, authors and journalists.

Professions of targets outside former U.S.S.R.

Military: 41%
Authors and journalists: 22%
Government: 16%
N.G.O. employees: 10%
Aviation and Aerospace: 7%
Political Activists: 4%

Source: SecureWorks Counter Threat Unit

The government and military personnel in that group mostly served the United States, NATO and European countries.

Nation or organization of government and military targets

United States: 64%
NATO: 14%
United Kingdom: 6%
Europe: 4%
Syria: 4%
China: 2%
South Korea: 2%
United Arab Emirates: 2%
United Nations: 2%

Source: SecureWorks Counter Threat Unit

The journalists and authors in that group mostly wrote about Russia, Ukraine and global affairs, or were the spouses of military personnel.

Authors and journalists areas of expertise

Russia: 31%
Military spouses: 22%
Ukraine: 22%
Global affairs: 17%
Aerospace: 4%
Northeast Asia: 4%

Source: SecureWorks Counter Threat Unit

Mr. Trump has his doubts

In the first presidential debate against Mrs. Clinton, Mr. Trump said:

“I don’t think anybody knows it was Russia that broke into the D.N.C. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, O.K.?”

In a Tuesday interview on Fox News, Julian Assange, the founder of WikiLeaks, reasserted his claim that Russia did not give Mr. Podesta’s emails to WikiLeaks, saying: “We can say and we have said repeatedly, over the last two months, that our source is not the Russian government and it is not a state party.”

Testifying before the Senate Armed Services Committee on Thursday, James R. Clapper Jr., the director of national intelligence, was dismissive of Mr. Assange’s credibility and said that “our assessment now is even more resolute” that Russian intelligence was behind the attacks on the Clinton campaign and the D.N.C.