The Democratic National Committee (DNC), on Wednesday: We’ve been spearphished! The committee called the FBI about what it said was a fake login page designed to intercept usernames and passwords that would get attackers into the party’s voter database.
The DNC, early on Thursday morning: False alarm! It was a test, but we don’t know who’s behind it.
Here’s the statement from DNC chief security officer Bob Lord, as posted by Donie O'Sullivan (@donie) on August 23, 2018:
We have continued to investigate the phishing site reported to the DNC yesterday. We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder. The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors.
The DNC’s voter database contains information on tens of millions of voters. Alarm bells went off when the committee was notified that a fake login page had been created. The DNC initially said that it quickly thwarted the attack by suspending the attacker’s account and that no information was compromised.
But as of Thursday morning, the mystery cleared up. It turns out that what looked like an attempted attack was actually a test from within: specifically, as the Washington Post reported, the Michigan Democratic Party.
The state party officials had invited a group of volunteer white-hat hackers – DigiDems – to conduct penetration testing on the voter database. Unfortunately, the state party did so without letting the DNC know what it was up to.
As unnerving as the unauthorized (at least, not by the nation-level DNC) test was, the silver lining was that the “spearphishing” attack was spotted and shut down. In other words, the DNC’s cybersecurity defenses passed the test.
The cybersecurity firm Lookout was the first to have spotted the phishing attempt, the Post reports. Lookout vice president Mike Murray had this to say about the test:
The thing about “false alarms” is that you don’t know that they’re false until you’ve showed up to investigate. All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible. https://t.co/Y9zbX1VdrJ
— Mike Murray (@mmurray) August 23, 2018
Lord replied by thanking everybody who worked “round the clock” with him to respond to the perceived threat:
I appreciate various parts of the security ecosystem coming together quickly to tackle this matter. Lots of super dedicated pros like @mmurray and @TheCustos and their teams who reached out to us and worked round the clock with me! https://t.co/94xNvcu2vP
— Bob Lord (@boblord) August 23, 2018
The positive result of the unauthorized test is a testament to the DNC having likely learned a thing or two after campaign manager John Podesta’s credentials got phished out of him by a malicious email purporting to be a Google security notice in 2016.
Although this incident had a happy ending, it doesn’t mean that true election meddling attacks aren’t coming in thick and fast.
On Monday night, Microsoft’s Digital Crimes Unit (DCU) reported that it took control of six internet domains that were about to be used by the Russian Fancy Bear hacking group – also known as APT28 – to spoof US political organizations.
They included two domains that were passing themselves off as US think tanks – the International Republican Institute and the Hudson Institute – plus three that appeared to be about to target services connected to the US Senate.
Christopher Scott, chief technology officer and remediation lead for IBM’s X-Force IRIS, which conducts incident response and threat intelligence, told the Post that it’s no skin off hackers’ backs if one spearphishing attempt fails. After all, it doesn’t cost anything to keep throwing attempts at a target until the attacker hits pay dirt:
You’re just trying to get one person to click. If I get one person to click and enter credentials, I’ve gotten the capability – and I can throw thousands of messages out to a company.
Scott says that to fend off attacks, you’ve got to get people to keep up their guards:
When we get a message, we want to see what it’s about. We don’t pause and say, ‘Is this suspicious?’ [It’s important for organizations to teach users] to ask the question of your security teams, ‘Hey this looks suspicious, can you check it out for me?’
Here are more tips to help you recognize, and steer clear of, phishing links.
Will
Not that anything is ever foolproof and spearphishing attacks are certainly some of the most difficult to combat, but I’ve seen anti-phishing training work moderately well on a large scale to minimize these kinds of incidents.
However, the seemingly logical thing to do now that they’re such high value targets is to take advantage of two factor authentication so that even if an attack is successful, they only have one piece of the puzzle.
dukemcawesome
This is why it’s so important to use a reputable company to do stuff like this.
With an x-phishtest header and an account contact logged with the vendor, this would’ve been a 2 minute nonevent.
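A way to make the comment’s suggestion concrete, as an added example that is not part of the article or of any commenter’s post: a triage routine that checks a suspected phishing message for a marker header and only treats the message as a known simulation when that marker is signed with a secret the test vendor registered in advance. The header name X-PhishTest comes from the comment; the campaign registry, the “campaign-id:HMAC” value format, the vendor contact address and the sample messages are all assumptions constructed for illustration. A marker that anyone could type is no proof of a test, so an unsigned or unknown marker is escalated exactly like a message with no marker at all.

```python
"""Triage a suspected phishing message against a registry of authorized
simulated-phishing campaigns.

Constructed example: the X-PhishTest header name is taken from the comment
above; the registry, the header value format "<campaign-id>:<hex HMAC-SHA256>"
(computed over the campaign id and the Message-ID with a per-campaign secret the
vendor logged with the organisation beforehand), and all addresses are assumed.
"""
import hashlib
import hmac
from email import message_from_string
from typing import Optional

HEADER = "X-PhishTest"

# Constructed registry: what the vendor logged with the security team before the
# test started. In practice this would live in the ticketing or SOC system.
AUTHORIZED_CAMPAIGNS = {
    "mi-party-2018q3": {
        "vendor_contact": "secops@example-phish-vendor.test",
        "secret": b"constructed-shared-secret-do-not-reuse",
    },
}


def expected_tag(secret: bytes, campaign_id: str, message_id: str) -> str:
    """HMAC-SHA256 binding the marker to one campaign and one message."""
    data = f"{campaign_id}|{message_id}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def sign_marker(campaign_id: str, message_id: str) -> str:
    """The header value an authorized vendor would emit (used here to build sample mail)."""
    secret = AUTHORIZED_CAMPAIGNS[campaign_id]["secret"]
    return f"{campaign_id}:{expected_tag(secret, campaign_id, message_id)}"


def triage(raw_email: str) -> dict:
    """Classify a raw RFC 5322 message.

    Verdicts: 'authorized-simulation' (marker present and signature valid),
    'forged-marker' (marker names a known campaign but the signature is wrong),
    'escalate' (no marker, or marker for a campaign nobody registered).
    """
    msg = message_from_string(raw_email)
    message_id = msg.get("Message-ID", "")
    marker = msg.get(HEADER)
    if marker is None:
        return {"verdict": "escalate", "reason": "no simulation marker; treat as real"}

    campaign_id, sep, tag = marker.partition(":")
    campaign = AUTHORIZED_CAMPAIGNS.get(campaign_id)
    if not sep or campaign is None:
        return {"verdict": "escalate", "reason": f"unknown campaign {campaign_id!r}; treat as real"}

    expected = expected_tag(campaign["secret"], campaign_id, message_id)
    # Constant-time comparison; a header anyone can type is not proof of a test.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return {"verdict": "forged-marker", "reason": "marker signature invalid; treat as real"}

    return {"verdict": "authorized-simulation", "contact": campaign["vendor_contact"]}


def build_sample(message_id: str, marker: Optional[str]) -> str:
    """Construct a minimal sample message; only the headers matter for triage."""
    headers = [
        "From: IT Helpdesk <helpdesk@example.test>",
        "To: staff@example-party.test",
        f"Message-ID: {message_id}",
        "Subject: Action required: verify your account",
    ]
    if marker is not None:
        headers.append(f"{HEADER}: {marker}")
    return "\n".join(headers) + "\n\nPlease review your account.\n"


# Three constructed cases: a properly signed simulation, a forged marker that
# names a real campaign, and an unmarked message.
SAMPLE_AUTHORIZED = build_sample("<a1@sim.example>", sign_marker("mi-party-2018q3", "<a1@sim.example>"))
SAMPLE_FORGED = build_sample("<b2@sim.example>", "mi-party-2018q3:" + "0" * 64)
SAMPLE_UNMARKED = build_sample("<c3@mail.example>", None)


if __name__ == "__main__":
    for name, sample in [("authorized", SAMPLE_AUTHORIZED),
                         ("forged", SAMPLE_FORGED),
                         ("unmarked", SAMPLE_UNMARKED)]:
        print(name, triage(sample))
```

The point of the signature is that the marker header is advisory only: without the registered secret, an attacker who copies the header name into a real lure still lands in the escalate/forged path, so the shortcut only ever applies to tests the organisation already knows about.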
JeffC
False alarm? No. A “test” by a hostile party certainly is an “attack.” In this case an unsuccessful attack, one hopes.
Jim Gersetich
They aren’t a “hostile party”. It was penetration testers working for one part of the DNC (the Michigan chapter).
JeffC
Quite right. I was confused. Thanks.
ejhonda
There was a story years back about a US city that discovered they’d been breached and then made the call to publicly acknowledge it. Turned out it was part of a regularly scheduled test that the new ISO had not been told about. He walked the plank because of it, and the new ISO was the former police chief. I can’t find the original story or remember what city it happened to. Sound familiar to anyone?
Steve
Yeah… it’s ringing bells for me, but sorry, I can’t fill in the details for you.
Steve
“Last week, Rolling Stone reported that a candidate running against Rep. Dana Rohrabacher (R-Calif.), known as “Putin’s favorite congressman” for his friendliness toward Russia, was successfully spearphished by clicking on a malicious email link.”
Lisa, would you care to explain the relevance of that “known as” bit to the story at hand? Was there some implication of Russian collusion with Rep. Rohrabacher? Otherwise, why don’t you include similar references for the other names in your article? I’m sure there are plenty of them out there to choose from!
Paul Ducklin
Point taken – I removed that bit.
Claude
Self-inflicted hilarity. Love it!