Hackers phish for political secrets in midterm campaigns

Campaign 2018: Election Hacking is a weekly series from CBS News about the cyber-threats and vulnerabilities of the 2018 midterm election. Next week: Social media influence campaigns.

The best hacks are always the simplest.

When Russian hackers successfully attacked Hillary Clinton’s presidential campaign chairman John Podesta in 2016, they didn’t need to use crippling ransomware or a complex zero-day exploit. Instead, the Russians used one of the oldest tricks in the hacker playbook: Email phishing.

“Phishing is all about the bad guy — the attacker — sending a malicious email to a victim and fooling that person either to click on a link within the email or open up an attachment,” said hacker and computer security consultant Kevin Mitnick in an interview with CBS News. “When the victim [clicks the link or opens the attachment] their computer ends up being compromised and malware is installed so the bad guy has full control.”

The goal of phishing attacks like those aimed at the Clinton campaign in 2016, says Mitnick, is to swipe sensitive information or to implant malware that will give the attacker access to the entire network. Once inside, hackers can move laterally across the computer system and swipe information from multiple email accounts, copy intellectual property, and cause irreparable damage.

The Russian hackers sent Podesta an email that looked like it was coming from Gmail, prompting him to change his password. When he clicked the button in the email, says Mitnick, Podesta entered his username and password, inadvertently revealing his login credentials to the Russians. “Then the Russians had access to all his email, downloaded it, and gave it over to Julian Assange at WikiLeaks and we know the rest of the story,” says Mitnick.

The rest of the story is articulated in the U.S. Senate Select Committee on Intelligence report on hacking. The March 2017 document provides granular detail about Russian cyber-tactics and states that the GRU, Russia’s military intelligence agency, targeted at least 109 Clinton campaign staffers with 214 unique phishing emails.

Released by WikiLeaks

Politically-motivated cyberattacks rarely end on election day, and intelligence officials warn that state-sponsored hackers have persistently meddled with the U.S. electoral political system. In July, Missouri Democratic Senator Claire McCaskill’s office announced that hackers tied to the GRU attempted unsuccessfully to breach her Senate computer network.

McCaskill, who is in the middle of a tight race for reelection, stated, “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

In August, Microsoft revealed that Russian and Iranian hackers were using the company’s Azure cloud platform to set up fake domains to send phishing attacks targeted at political campaigns. To dupe recipients of phishing email, the hackers established realistic-looking websites and misappropriated company trademarks and logos.

“[Phishing is] one of the biggest threats … and it’s still a continuous attack factor,” said Microsoft’s Diana Kelley in an interview at the 2018 Black Hat cybersecurity conference. “I don’t even call [targeted email attacks] spearphishing, I think of them as laser fishing now because they’re so well-crafted.”

To give phishing attacks a veneer of credibility, hackers will often establish deceptive websites and social media accounts. Google recently removed 58 YouTube accounts linked to Iranian hackers targeting academics, journalists, and politicians.

The tech giant uses “a number of robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts,” to detect and deter hackers, wrote Google’s senior vice president of global affairs Kent Walker in a blog post.

Phishing attacks can be quite insidious, Mitnick warns, and they aren’t limited to political campaigns. “This is the type of tradecraft that nation-states use, but it’s very commonly used by criminals, hacktivists, and other types of hackers to compromise you as a consumer or to compromise businesses.”

It’s impossible to know if the Russian hack cost Clinton the presidency. But for consumers and businesses, the price tag is undeniably high. For individuals, a simple phishing hack can expose personal details, financial information, intimate conversations, and much more. For enterprise companies, according to IBM, the average cost of a data breach is astronomical, just shy of $4 million. In its 2018 report, released in July, IBM Security estimates that the cost of business hacks is up 6.4 percent from last year.

Mitnick exercises caution with every email that contains a link or an attachment. Despite the simplicity of malicious email hacks, he warns that “phishing attacks are quite sophisticated these days. [Phishing messages] really look like the email is originating from a customer, a supplier, or a vendor. And people fall for it.”

Learn more: