The digital ink was barely dry on Ars IT and National Security Editor Sean Gallagher’s feature, “How they did it (and will likely try again): GRU hackers vs. US elections,” when the Daily Beast reported yesterday’s bombshell: Claire McCaskill, among the most vulnerable Senate Democrats facing re-election this year, was one of three candidates in the 2018 midterm election targeted by the highly determined Russian intelligence agency.
According to the post, McCaskill’s office received one or more fake notifications claiming the target’s Microsoft Exchange password had expired and advising it be changed. Targets who clicked on a link were directed to a counterfeit version of the US Senate’s Active Directory Federation Services login page, which would send any passwords the targets entered to the people behind the fake page. McCaskill has been highly critical of Russia and is considered one of the most vulnerable Senate Democrats facing reelection this year. She represents Missouri, a state where Donald Trump defeated Hillary Clinton by almost 20 points in the 2016 election.
McCaskill was one of three candidates who were targeted. The Daily Beast went on to report that the Senate phishing campaign sent each target a different link that caused the fake password-change webpage to display each user’s individual email address when they arrived. The customization made the site more convincing.
If the ruse sounds familiar, it’s probably because it replicates many of the techniques used in 2016 to steal the Gmail passwords of Clinton Campaign Chair John Podesta, former Secretary of State Colin Powell, and a number of other individuals connected to the Clinton campaign and the White House. US intelligence agencies have since concluded that the 2016 hacks were the work of the GRU hackers, who go by a variety of names including Fancy Bear, Sednit, and Pawn Storm.
Domain name seized
Thursday’s Daily Beast article doesn’t just rely on similarities. It cites statements Microsoft VP Tom Burt made last week when he said the company’s seizure of a fake Microsoft domain disrupted a Russian-sponsored hacking campaign that targeted three candidates in the 2018 election. The Daily Beast said the domain was adfs.senate.qov.info, which was used in the spear-phishing emails targeting McCaskill and other Senate staffers. The identities of the other two candidates have yet to become public.
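The hostname reported above reads as a Senate address at a glance, but its registered domain is qov.info, with "senate" and a one-letter-off "qov" placed in front of it. The following is an added example, not code from the article or from Microsoft, showing how a mail-filtering check could flag that pattern in links. The trusted-domain list, the edit-distance threshold of 1, and every sample host other than adfs.senate.qov.info are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's real login domain(s); not taken from the article.
TRUSTED_DOMAINS = ["senate.gov"]

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, trusted=TRUSTED_DOMAINS, max_dist=1):
    """Return (verdict, trusted_domain): verdict is 'trusted', 'lookalike' or 'unrelated'."""
    labels = host.lower().rstrip(".").split(".")
    wanted = [dom.split(".") for dom in trusted]
    # Genuine only if the trusted labels are the rightmost labels of the host.
    for dom, want in zip(trusted, wanted):
        if labels[-len(want):] == want:
            return "trusted", dom
    # Otherwise slide the trusted labels across the host: a near match anywhere
    # else means the name was built to be read as the trusted domain.
    for dom, want in zip(trusted, wanted):
        for i in range(len(labels) - len(want) + 1):
            window = labels[i:i + len(want)]
            if all(edit_distance(w, t) <= max_dist for w, t in zip(window, want)):
                return "lookalike", dom
    return "unrelated", None

def classify_url(url):
    """Classify the hostname of a link taken from a message body."""
    return classify_host(urlsplit(url).hostname or "")

# Constructed sample links; only the host adfs.senate.qov.info is from the article.
SAMPLE_LINKS = [
    "https://adfs.senate.gov/",
    "https://adfs.senate.qov.info/",
    "https://senate.gov.example.com/reset",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, classify_url(link))
```

A "lookalike" verdict is a reason to quarantine or rewrite the link before delivery; "unrelated" only means the host does not imitate a listed domain, not that it is safe.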
Last August, around the time of the attempted spear phishing on McCaskill’s office, President Trump visited Missouri and chided the senator, telling a crowd to “vote her out of office.” On Thursday in response to the Daily Beast report, McCaskill issued a statement that read in part: “I will continue to speak out and press to hold [Russia] accountable. While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”