The Democratic National Committee said Wednesday that it reportedly disrupted an attempt to compromise its voter database – apparently the latest in a series of malicious efforts designed to harvest credentials belonging political targets or influence the electorate ahead of the November midterm elections.
An unnamed Democratic source told CNN that the DNC was alerted on Tuesday to the presence of a spoofed log-in page designed to mimic Votebuilder – a platform used by Democratic Party officials and campaigns across the country to manage the Democratic registered voter database. The alarm was raised by security researchers at Lookout and a cloud provider, the source said, adding that the page was a very close facsimile of the service’s legitimate access page. Clearly, the site was designed to trick users into filling in their authentication details, which would arm the attackers with an open door into the database. Bad actors would likely have lured users to the spoofed site using targeted spear-phishing emails.
Lookout confirmed the incident, with Mike Murray, the company’s vice president of security intelligence, telling CNN that it was a well-designed effort.
“It was very convincing,” Murray said. “It would have been a very effective attack.”
Updated at 9:47 a.m. Eastern: On Thursday, news broke that the “attempted hack” was actually just an unauthorized security test, rather than a malicious attack.
Fancy Bear Strikes
This is the latest in a series of influence and hacking attempts making use of false accounts or pages. Earlier in the week, Microsoft said that, using legal authority, its Digital Crimes Unit (DCU) took down six websites allegedly built by the notorious Fancy Bear gang (a.k.a. Sofacy, Strontium or APT 28), a Russian intelligence-backed group that has been widely linked to the election meddling spotted ahead of the 2016 presidential election.
The adversaries had created doppelganger pages for three websites belonging to the U.S. Senate, two conservative think-tanks (the Hudson Institute and the International Republican Institute), and, somewhat oddly, Microsoft’s OneDrive cloud storage service, all in an effort to phish credentials.
“Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit,” said Microsoft president Brad Smith, in a blog post earlier this week. He added that the disruption is not a one-off event: Microsoft has shut down 84 fake websites in 12 court-approved actions over the past two years.
“We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” Smith said.
Faisal Razzak, senior security engineer at Venafi, told us that there are several potential goals of this kind of campaign.
“First, to collect intelligence on targeted groups,” he said, via email. “Second, to spread misinformation in order to control and manipulate the liberal vs. conservative narrative. Third, to create and division among the targeted groups that can be exploited for political gain. And fourth, to collect personal information about political candidates and their constituents, which can be used later to spread malicious spread information.”
Facebook Disrupts Influence Campaign
Facebook meanwhile said yesterday that it made a 652-page dent in a sizable alleged Iran-backed influence campaign that stretches back to 2017, with some pages in operation since 2013. Following up on a tip from FireEye, the social network continued its efforts to clean house on fake users, and removed a passel of pages, groups and accounts for “inauthentic behavior.” The accounts were active on both Facebook and Instagram, where the bad actors were using false social media personas to promote a mix of both original content, memes and news articles appropriated, and sometimes altered, from other sources.
“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers noted in an analysis yesterday. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA).”
The perpetrators were seen creating “networks of accounts to mislead others about who they were and what they were doing,” according to Nathaniel Gleicher, head of cybersecurity policy at the social network. He said in a posting Tuesday that Facebook started with a fake group calling itself the “Liberty Front Press,” and from that one string unraveled a veritable sweater of influence campaigns, all going back to the Iranian government.
“We are able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same admins,” he noted. “For example, one part of the network, Quest 4 Truth, claims to be an independent Iranian media organization, but is in fact linked to Press TV, an English-language news network affiliated with Iranian state media….Accounts and pages linked to Liberty Front Press typically posed as news and civil society organizations sharing information in multiple countries without revealing their true identity.”
Aside from the Iranian network, Facebook also said that it took down a number of fake-persona pages, groups and accounts originating in Russia.
An Ongoing Concern
No evidence has emerged that the DNC voter file was accessed or altered, or that the mirror websites were able to gather anything useful, according to those involved – Microsoft for instance said that it seized the impacted domains before any damage was done.
However, even without direct impact, the attacks carry weight and have negative effects, according to Kenneth Weinstein, president and CEO at the Hudson Institute.
“Even when unsuccessful, these attacks—by Russian, Chinese, Iranian and North Korean intelligence services and their formal or informal networks of hackers—impose a cost on those targeted,” he said in a column yesterday. “They are a drain on staff and administrative resources and can have a chilling effect on your work, even when Microsoft has your back, as in our case.”
Facebook’s Cleicher also noted that the fight against outside influence is a complex one, requiring a coordinated answer.
“It’s an ongoing challenge because the people responsible are determined and well-funded,” he said. “We constantly have to improve to stay ahead. That means building better technology, hiring more people and working more closely with law enforcement, security experts and other companies. Their collaboration was critical to our investigation since no one company can fight this on their own.”
U.S. Sen. Mark R. Warner (D-Va.), Vice Chairman of the Senate Select Committee on Intelligence, said in a media statement that signs point to a growing problem regarding multiple foreign adversaries.
“While I’m encouraged to see Facebook taking steps to rid their platforms of these bad actors, there’s clearly more work to be done.”