How Powell's and Podesta's E-mail Accounts Were Hacked

It was a phishing attack.

Posted on October 27, 2016 at 6:20 AM • 38 Comments

Comments

Jim • October 27, 2016 7:29 AM

People (well, the DNC and Hillary) keep blaming the Russian government. I will grant that perhaps they are privy to some intel that the general public will never see, so it's possible they do know the Russian government is involved. But think about this - Russian and Eastern European hackers have been at this for quite some time, stealing credentials, hacking emails, etc. Much of it has been for their own profit, but some has been for doxing and other purposes. Is the Russian government behind all that, too? I doubt it, I think it's independent hackers acting on their own. So why couldn't these hacks be the work of independent actors not tied to the Russian government? What do they gain? Notoriety in the hacking world and profits from selling the emails to Wikileaks or a related organization.

Besides, you would think that the Russian government is smart enough to know that western civilization is falling apart on its own, they don't need to help the process along. Don't believe me? Look who the two main contenders for the presidency are, that should tell you all you need to know. That combined with the public's fascination with the Kardashians.

Thoth • October 27, 2016 7:43 AM

@all
It's about time for people to secure their accounts with the FIDO U2F 2FA method. It's essentially a smart card with unique signing keys and thus makes a suitable "What You Have" factor to accompany your password.

If troubled by the possibility of someone taking your U2F token and coercing passwords, then use the UAF authentication method from the FIDO portfolio, as the UAF method is essentially how smart card login works, just repackaged: typically you need a PIN to unlock the UAF smart card token to enable your signing key to operate.
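The reason a U2F token resists the attack described in this post is not the key pair itself but what the token signs: the browser feeds it the origin of the page that asked, and the signature covers a hash of that origin. The following is an added example, not code from the post or from any FIDO implementation. It reproduces the U2F authentication message layout (sha256 of the application ID, a user-presence byte, a 4-byte counter, sha256 of the client data) with a P-256 key from Go's standard library; the origins `https://accounts.example` and `https://accounts.example.login-check.invalid`, the challenge string and the omission of key handles and registration attestation are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models one U2F registration: a fresh P-256 key pair and a signature
// counter. A real token also returns a key handle that wraps the private key;
// that part is omitted in this example.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register is the enrolment step: the relying party stores the public key.
func Register() (*Token, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &priv.PublicKey, nil
}

// authData lays out the bytes a U2F token signs during authentication:
// sha256(appID) || user-presence byte || 4-byte big-endian counter || sha256(clientData).
func authData(appID string, counter uint32, clientData []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(clientData)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	out := append([]byte{}, app[:]...)
	out = append(out, 0x01) // user presence confirmed (button touched)
	out = append(out, ctr...)
	return append(out, cd[:]...)
}

// Assertion is what the browser hands back to the site after a touch.
type Assertion struct {
	Counter    uint32
	ClientData []byte
	Signature  []byte
}

// Authenticate is invoked by the browser, which derives appID from the page's
// origin. The page never chooses appID itself, so a phishing site can only
// obtain a signature bound to its own origin.
func (t *Token) Authenticate(appID string, challenge []byte) (Assertion, error) {
	t.counter++
	clientData := []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%x","origin":"%s"}`, challenge, appID))
	digest := sha256.Sum256(authData(appID, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: t.counter, ClientData: clientData, Signature: sig}, nil
}

// Verify is the relying party's check. It rebuilds the signed bytes with the
// appID it knows for itself and the counter it last saw, so a signature made
// for any other origin, or a replayed one, fails.
func Verify(pub *ecdsa.PublicKey, ownAppID string, lastCounter uint32, a Assertion) bool {
	if a.Counter <= lastCounter {
		return false // replay, or a cloned token lagging behind
	}
	digest := sha256.Sum256(authData(ownAppID, a.Counter, a.ClientData))
	return ecdsa.VerifyASN1(pub, digest[:], a.Signature)
}

func main() {
	const realSite = "https://accounts.example"                      // assumed legitimate origin
	const phishSite = "https://accounts.example.login-check.invalid" // constructed lookalike

	tok, pub, err := Register()
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed-challenge-from-real-site")

	// Genuine login: the browser is on realSite, so appID == realSite.
	genuine, _ := tok.Authenticate(realSite, challenge)
	fmt.Println("genuine assertion verifies:", Verify(pub, realSite, 0, genuine))

	// Phished login: the attacker relays the real challenge, but the victim's
	// browser is on phishSite, so the token binds the signature to phishSite.
	relayed, _ := tok.Authenticate(phishSite, challenge)
	fmt.Println("relayed assertion verifies:", Verify(pub, realSite, genuine.Counter, relayed))
}
```

The relayed assertion fails even though the attacker forwarded the genuine challenge in real time, which is the case a one-time code sent by SMS or a TOTP app does not cover. The counter check is the second half of the design: a token whose key material has been copied will eventually present a counter the site has already seen.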

Boris and Natasha • October 27, 2016 8:10 AM

In which we learn that Fancy Bear is everybody on earth who uses bog-standard methods to phish for helpless chumps, and that TG-4127 is everybody who gets blamed for something.

It didn't occur to anybody that Fancy Bear's 'gravest mistake' might simply be one way leaderless anons collaborate.

Stone is preening in the mirror in his puce zoot suit at the fatuous idiocy of partisan security hacks.

Ted • October 27, 2016 8:17 AM

Research at Google
The War Against Spam: A report from the front line

Abstract
“Fighting spam is a success story of real-world machine learning. Despite the occasional spam that does reach our inboxes, the overwhelming majority of spam — and there is a lot of it — is positively identified. At the same time, the rarity with which users feel the need to check their spam box for false positives demonstrates a high precision of classification. This paper is an overview of Google’s approach to fighting email abuse with machine learning, and a discussion of some lessons learned.” (2007 paper)

From an Economist article on neural networks: A deep-learning system can be trained using a technique called "supervised learning" to sort through a labeled-set of examples and adjust the weights inside its neural network to improve its accuracy in assessing spam and malware. Another technique, "unsupervised learning," involves exposing neural networks to a huge number of examples, but without telling it what to look for. The network learns to recognize features and cluster similar examples, thus revealing hidden patterns within the data.

TimH • October 27, 2016 10:21 AM

@Brandon - You clearly haven't been warned about the new negative phishing approach. The payload is installed if you don't click the link. Only by clicking the link will you prevent the nefarious takeover of your machine!

Clive Robinson • October 27, 2016 10:41 AM

@ Will, Jim,

... the common explanation is that the state utilises large numbers of patriotic criminal hackers to deliberately muddy the water and avoid attribution.

Not really, that's neither simple nor cost effective.

A more likely explanation is that of "turning a blind eye" to the criminal activity that is prevalent in Russia and previous Russian "buffer nations".

Where "patriot types" have been used it is very technically unskilled individuals acting as trolls and using simple tools. In a similar way Anonymous tricked / persuaded individuals to download the Low Orbit Ion Cannon back in 2012.

http://gizmodo.com/5877719/heres-the-tool-anonymous-is-tricking-the-internet-into-using

HacknNutn • October 27, 2016 11:00 AM

How does clicking on a link with one's email address in it (encoded or not) open their email account to hackers?

Or did he proceed to follow instructions on the page and change his password at the random site pointed to by the link ?
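The link described in the thread carries the recipient's address inside it, which is what let outsiders see who was being targeted once the shortener accounts were readable. The following is an added example, not code from the post or from the article it links to: a small triage routine that, given the expanded (post-shortener) URL, reports the host the browser would actually contact and any query parameter that is, or base64-decodes to, an e-mail address. The URL, the host `accounts.example.com.security-page.invalid`, the parameter names `e` and `continue`, and the address `target@example.invalid` are all constructed for the demonstration; the real campaign's URL layout is not on this page and is not reproduced.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// emailRe is a deliberately loose shape check: one '@', a dot after it, no whitespace.
var emailRe = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)

// Finding is one query parameter whose value (raw or base64) is an e-mail address.
type Finding struct {
	Param string
	Email string
}

// decodeBase64 tries both alphabets and tolerates stripped padding, since
// phishing kits are not consistent about either.
func decodeBase64(s string) (string, bool) {
	s = strings.TrimRight(s, "=")
	for _, enc := range []*base64.Encoding{base64.RawStdEncoding, base64.RawURLEncoding} {
		if b, err := enc.DecodeString(s); err == nil {
			return string(b), true
		}
	}
	return "", false
}

// TriageLink returns the host the browser would connect to and any parameters
// that reveal who the link was built for. It takes the final URL: a shortener
// link must be expanded first, which needs the network and is not done here.
func TriageLink(raw string) (string, []Finding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", nil, err
	}
	var found []Finding
	for param, vals := range u.Query() {
		for _, v := range vals {
			cand := v
			if !emailRe.MatchString(cand) {
				if d, ok := decodeBase64(v); ok {
					cand = d
				}
			}
			if emailRe.MatchString(cand) {
				found = append(found, Finding{Param: param, Email: cand})
			}
		}
	}
	return strings.ToLower(u.Hostname()), found, nil
}

// SampleLink builds a constructed URL in the style the thread describes:
// a lookalike host with the target address base64-encoded into a parameter.
func SampleLink() string {
	target := "target@example.invalid" // constructed, not a real recipient
	q := url.Values{}
	q.Set("e", base64.StdEncoding.EncodeToString([]byte(target)))
	q.Set("continue", "https://mail.example/")
	return "https://accounts.example.com.security-page.invalid/signin/password?" + q.Encode()
}

func main() {
	host, findings, err := TriageLink(SampleLink())
	if err != nil {
		panic(err)
	}
	fmt.Println("real destination host:", host)
	for _, f := range findings {
		fmt.Printf("parameter %q decodes to %s\n", f.Param, f.Email)
	}
}
```

The decoded address does not by itself compromise anything; it is what the fake sign-in page uses to greet the victim by name and what an investigator uses to enumerate targets from a leaked batch of links. The account is lost only at the next step, when the password is typed into that page.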

albert • October 27, 2016 12:02 PM

Those pesky Russians! Hacking our patriots. What nerve. How dare they try to influence US elections, in the last bastion of democracy in the world. Interfering with our institutions and exposing our secrets. Shame on you Russia!

[cue "America the Beautiful"]

It won't be long, Russia, before God sheds his grace on us, and fire and brimstone on you. We're a Christian nation, united to fight and destroy heathens like you and your cohorts. You have been warned! We're doing God's work; making the 'world safe for democracy'*

[cue "Political Science" (Randy Newman)]

The Great Day of Reckoning comes when we 'drop the big one'.

Bye bye!

-----------
*https://www.youtube.com/watch?v=wyW-B8VZJIY

Will • October 27, 2016 12:11 PM

@Clive you are disagreeing with the article, not with me :) ?

The way I imagine it working would be:

Country has plenty of hackers.

Hackers are ignored by the police as their victims are abroad and there is little incentive. Intelligence services can trivially find them and quietly reach out to them to recruit them etc. (Not so different from how MI6 and the rest work, approaching Brits abroad and saying "if you come across anything interesting, let us know" kinda thing.)

Hackers are out for what they can get. When they get credit cards etc they sell them. When they get into political accounts it's to peddle them to the intelligence services. Intelligence service contacts might even quietly give the hackers ideas about what kind of direction they are interested in, and what kind of stuff they pay for.

The hackers probably start getting pressured into doing more and more intelligence hacks because the intelligence services have the dirt on the criminal activity and use that as leverage. (A lot like Howard Marks being approached by MI6 who said they knew what business he was in and would turn a blind eye if...)

HM • October 27, 2016 12:16 PM

Perhaps what's needed is a password manager/browser integration, such that the browser won't let you submit your google.com password to any website other than google.com (or subdomains)? Likewise for banks and other "restrict to domain" passwords.

2FA for critical domains is also useful of course.
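The browser/password-manager binding suggested above is straightforward to state precisely: a stored password may only be filled into, or submitted from, a page served over HTTPS by the registrable domain it was saved for, or a subdomain of it, and nothing about the rest of the URL counts. The following is an added example, not code from the post or from any browser or password manager: a vault with that single gate, exercised against a genuine sign-in host and three constructed impostors (a lookalike that merely starts with `google.com`, a `user@host` trick, and a plain-HTTP downgrade). The `.invalid` hosts, the vault entry and its secret are assumptions; internationalised hosts are assumed to arrive already in punycode, as browsers present them.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Entry is one stored credential and the registrable domain it is bound to.
// Subdomains of Domain are allowed (accounts.google.com for google.com);
// nothing else is, however much the host name resembles it.
type Entry struct {
	Domain   string
	Username string
	Password string
}

type Vault []Entry

var ErrNoMatch = errors.New("no credential is bound to this origin")

// hostWithin reports whether host equals domain or is a subdomain of it.
// Only the host is compared: userinfo, port and path are ignored, so
// https://google.com@login.invalid/ is judged by login.invalid, not google.com.
func hostWithin(host, domain string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	domain = strings.TrimSuffix(strings.ToLower(domain), ".")
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Fill is the autofill/submit gate: it returns a credential only when the page
// is served over HTTPS from the bound domain. Anything else is refused, which
// is the whole point: a lookalike host gets no password to steal.
func (v Vault) Fill(pageURL string) (Entry, error) {
	u, err := url.Parse(pageURL)
	if err != nil {
		return Entry{}, err
	}
	if u.Scheme != "https" {
		return Entry{}, fmt.Errorf("refusing to send a password over %q", u.Scheme)
	}
	for _, e := range v {
		if hostWithin(u.Hostname(), e.Domain) {
			return e, nil
		}
	}
	return Entry{}, ErrNoMatch
}

func main() {
	// Constructed vault entry; the secret is a placeholder.
	vault := Vault{{Domain: "google.com", Username: "someone@gmail.com", Password: "constructed-secret"}}
	for _, page := range []string{
		"https://accounts.google.com/signin/v2",                           // genuine
		"https://myaccount.google.com.security-settings.invalid/password", // constructed lookalike
		"https://google.com@login.invalid/",                               // userinfo trick
		"http://accounts.google.com/",                                     // downgrade
	} {
		if _, err := vault.Fill(page); err != nil {
			fmt.Printf("BLOCK %s: %v\n", page, err)
		} else {
			fmt.Printf("ALLOW %s\n", page)
		}
	}
}
```

Note what this does and does not buy: the user can still read the password out of the vault and type it by hand into the impostor page, so the gate turns a silent failure into a visible one ("why isn't it filling in?") rather than making the mistake impossible. That visible friction is where the 2FA recommendation in the comment takes over.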

ab praeceptis • October 27, 2016 12:19 PM

All those who doubt the statements of killary "bombing for fun" clintons and of the administration of barrack "yes, we can wanton attack by using terrorists" obama must be just plain stupid.

How much more proof do you want? The Russians wrote russian stuff into their evil stuff. Plus, killaries elections fraudsters said it, too. Plus, you bet that evil Putin even confessed it; but smart crook that he is, his confession is in Russian so we can't understand it. Evil Russians!

Plus the Russian kill gays. Or no, wait, that was the saudis, our terrorist managers. Uhm, isis. Yep. Them kill gays, too, ergo Russian == isis!

Plus them evil Russians had the impertinence to not only survive our sanctions but to actually turn them into something positive for their development. Evil Russians.

And just in case you don't trust your wonderful government and your super-honest killary, it's not just them who said that Putin and the Russians are evil. Hitler said it, too.

Spooky • October 27, 2016 1:39 PM

And once again, the safest email is still plain text (preferably 7-bit ascii, but ruthlessly sanitized UTF-8 could be made palatable); no mark-up, no formatting, no links (yes, client-defined behavior, but still...), no attachments, etc. Ah, but you still have the joys of upper- and lowercase! You should be so lucky. All of the pleasures of textual information exchange with none of the risk. Phishing could be categorically eliminated. Worth it? You bet. Party like it's 1999...


Cheers,
Spooky

Dave • October 27, 2016 1:51 PM

The research papers by Eset and FireEye both give you a glimpse into why the NSA thinks Russia is behind the recent hacks.

Reading the papers clearly "This Group" is targeting specific people.

NATO
DNCC
The White House
The German Parliament
A French TV Network
World Anti-Doping Agency
Bellingcat

What all these targets have in common is they are groups who pissed off the Russians. Now that said to think there is a direct link between the Russian Government and the hacks is still a stretch. The first three 0-days that the group used were just modified from the code leaked online from the Hacking Team release. If you are fully state sponsored you would think they would be bought or developed in house. Another 0-day was a POC 0-day from Black Hat, suggesting strong ties to the hacking community, maybe even a hacker for hire.

If you directly worked for the FSB that probably wouldn't be the case. Now that doesn't mean the FSB, at the direction of say Putin didn't pay a cutout to carry out this attack. Actually given the targets and International Law on Cyber Warfare, paying a third party to give you plausible deniability makes sense.

Now we all talk about the act, what about the motivation?

I think the more interesting question is why? What provoked Russia into thinking it was a good idea to very publicly go after one specific political party? I just don’t think that kind of move happens in a vacuum. All intelligence is capital, and someone decided it was better to show they were holding pocket aces to the world rather than slow play a hand that came at a significant investment.

Mossack Fonseca or maybe another operation we have yet to hear about?


albert • October 27, 2016 3:24 PM

@Dave,

The fix is in, and HRH will be the next Prez. Russia probably knows that, and may even have proof, so no point in dealing with Trump. Given my assumption (arguable) that all great powers know more than we think they know, it may be impossible to ascertain exactly what their motivations are.

Notice the reaction of the public to the DNC emails. Yawn. [crickets chirping] Bernie and Trump set the stage, and Wikileaks was a tiny blip on the political radar, where in a rational universe, Hil'ry and her entire camp would be facing criminal charges.

China, and to a lesser extent, Russia are known for playing the long game. That is, or should be, clear from their actions. 'We' (the USG) have a long game as well, but we (the people) have so many trees in our face, that we have trouble seeing the forest. I suspect it's even worse in R. and C.

Ignorance may not be bliss, but knowledge ain't no joyride either.

. .. . .. --- ....

peter • October 27, 2016 4:01 PM

Amazing that there are still typos in the phishing email. If Google sends you a link but the footer says the company is from "Amphithaetre Parkway" in "Montain View" you probably should not click it. A little more scrutiny shows they used the wrong address and the wrong ZIP Code, but that's harder to spot.

Black Luigi • October 27, 2016 4:55 PM

@TimH

You owe me a coffee refill, a new keyboard and some nosewipes. Thanks, man.

NeiHuem • October 27, 2016 6:02 PM

The linked text: WTF?

The text mentions "data linking a group of Russian hackers" and "growing heap of evidence pointing toward the Kremlin" - with the keywords "data" and "evidence" showing up six and seven times respectively, and "A Smoking Gun?", ”They don’t want to understand the evidence” as big bold section headers somewhere.

But the only data it actually shows is the simple technique that was used for DC Leaks / Powell / Podesta alike (from which it is fair to assume that it was the same group or individual).

But re Russia? Only "[some statement], according to SecureWorks" plus "intelligence community says it is so, but they won't tell why". No data, let alone evidence.

The SecureWorks report that is linked in the text [1] states that SecureWorks researchers "assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government". "Moderate confidence" is defined in the report's footnotes: "...generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence" (emphasis mine).

I mean, the phishing part is really informative. But overall, the article is pretty much cold war conditioning. Burn "Data! Evidence! Russia!" into the readers' mind, no matter how.

For good measure, doubters are put into the Donald Trump camp - see penultimate paragraph. "Just believe. You don't need more information. If you're not with us, you're with Trump!" Ouch.

[1] https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign

Sancho_P • October 27, 2016 6:17 PM

@NeiHuem

Well, that seems obvious:
When you again and again throw dog shit over the fence to your neighbor,
any broken window at your home was your neighbor, isn’t it?

zelm • October 27, 2016 8:26 PM

> Amazing that there are still typos in the phishing email. If Google sends you a link but the footer says the company is from "Amphithaetre Parkway" in "Montain View" you probably should not click it. A little more scrutiny shows they used the wrong address and the wrong ZIP Code, but that's harder to spot.

Also note the 1-digit minute values. In English, timestamps universally include a leading 0 for minutes/seconds less than 10, whether generated by humans or computers.

I'd expect Google's geolocation to include a city, not just "New York, United States", even if such precision were totally bogus (cf. the Maxmind glitch).

But these are all fairly subtle things. It's pretty common for large companies to use multiple domains, like how Google owns a "google" domain in every (maybe?) country code, plus all kinds of other domains like gmail.com (do they also own gmail and such in every country code?). Google employees are well aware that DNS is hierarchical, but if they can't be bothered to manage it as such, how do we expect less savvy people to figure out what URLs are supposed to look like?

It's also common for official pages to contain grammatical errors or sloppiness; for example, bit.ly has 3 buttons on the homepage: "Login", "Sign up", and "Shorten". ("Login" should be "Log in" because "login" is a noun and the other two are verbs; it's a common mistake and often missed in copyediting, if copyediting even happens. It's odd they didn't make that mistake with "signup".)

Schwach Geheim • October 28, 2016 7:57 AM

@albert, re long game, just compare the puerile partisan gotcha that Politico gets from Wikileaks with the use Russia makes of the disclosures.

https://www.rt.com/usa/363743-clinton-obama-greece-austerity/

Having detached Turkey and the Philippines from their servile US satellite orbits, Russia is now publicizing the back-channel pressures that the US applied to Greece, to subject them to asset-stripping and deprivation of the means of life. In public statements the US played the good cop, whining, Why can't we all get along? But Clinton with his bags of dictator money got sent to twist arms behind the scenes and make CIA's US-educated agents sell Greece out. Greece is NATO's loyal doormat, starving its population to buy arms it can't afford. It's the logical next domino to fall.

TJ • October 28, 2016 11:45 AM

Just like all the celebrity hacks years back, DOD attacks, Weapon contractor attacks, RSA attacks etc..

Before anyone criticizes realize that at least 60% of malware propagation uses no code execution exploits and spreads through email. JUST LIKE THE 80s!!

CallMeLateForSupper • October 28, 2016 2:23 PM

I have several Gmail accounts, one of which gives me access to the rest (a backup, in case I forget a passphrase). That one account drives me to distraction because, more often than not, I find a new email from the Gmail Team each time I log in:

This account was accessed via Linux and Firefox on [date, time]
from this IP: (blah blah)
If you don't recognize this access......
(blah etc,)

The flagged access is *always* me logging in a few seconds previous. What up wi' dat?! I have no idea, and it's been happening for years. I cannot ask Google because apparently there are no humans there.

Each of these messages includes the same line at the bottom that appears in the screen grabs in the article (except there are no misspellings in mine). I had not noticed the line before reading the article. First, it's at the very bottom. Second, it's in tiny, tiny typeface. And third, it's light-gray print on a white background. I could just barely read it with a magnifying glass.

Bottom line (no pun): I would be too harsh on others who missed all those "clues".

Clive Robinson • October 28, 2016 3:09 PM

@ CallMeLateForSupper,

Bottom line (no pun): I would[n't] be too harsh on others who missed all those "clues".

The thing is the IT industry is becoming as bad as certain jokes.

You've probably noticed some jokes that begin with the likes of "An Englishman..." or other nationality are "superiority" jokes. That is some minority is portrayed as being stupid / idiotic / gauche / etc compared to those telling or listening to the joke. Mostly those jokes are not funny but people laugh because it makes them feel superior.

Thus quite a number of people feel morally superior when they hear of others' misfortunes, especially when the unfortunate, like the two people in this page's title, are "prominent citizens". These people don't do as they should do, which is say "That's unfortunate, there's a lesson there I can learn from, for my own sake"; instead they scoff etc.

The question is though how will they feel when they get taken in? Will they even talk about it?

Nicola • October 28, 2016 4:48 PM

So, you're charged with managing illegal emails and you click on obscured links? Wtf??
0bac-0ba8-t000-y34e
df83-78h8-2231-azar
2021-hi92-54df-6783

CallMeLateForSupper • October 29, 2016 1:43 PM

@Clive
I would[n't] be too harsh...

Yes, that is what I meant. Thanks. Momentarily eschewed contractions but neglected to type "not".

Uncle Joe Stalin • October 29, 2016 4:27 PM

Latest pawns of Putin conspire to interfere in USA election: Rep. Wiener, FBI Director Comey. Will they release the emails?

Skeptical • October 30, 2016 5:39 AM


@Schwach: Having detached Turkey and the Philippines from their servile US satellite orbits, Russia is now publicizing the back-channel pressures that the US applied to Greece, to subject them to asset-stripping and deprivation of the means of life.

RT began as a program to improve Russia's image in the world - and has since become a dreary outlet of anti-democratic, anti-Western, anti-American propaganda. The above is all the more ridiculous as Turkey clamors to join US led operations in Syria, and indeed in Iraq, while Syria/Russia bomb Turkish-sponsored rebels - but allow me to point out a salient comparison:

The Ukraine tilts westward. In response, Russia poisons its leaders, annexes its territories, invades and destabilizes the rest. It regularly attempts to intimidate the Baltic States, and Sweden moves closer to joining NATO by the year - indeed, it is practically a de facto member - while the rest of Eastern Europe clamors for a stronger NATO.

Russia's influence is almost entirely coercive, and its effect on the behavior of other nations reflects as much.

Yet the Philippines can talk with China, can threaten to renegotiate its military relationship with the US - and can do so without fear that the US will invade, or destabilize it. Indeed it can do so with a US military presence in its country, while the US advises on the defeat of a stubborn Islamist insurgency - and can do so without fear.

Unlike Russia, the US is allies with those countries it fought during WW2. The US seeks allies, common cause, mutual respect, and brings with it an unfailing faith in the progress of humanity.

Incidentally, the Philippines receives huge sums of aid and assistance from the US in times of crisis; US military cooperation is vital to the security of the Philippines; and US trade is more important to the Philippines than any other country. Indeed, US favorability ratings are high in the Philippines.

Eastern Asia has turned to the US because they trust the US to respect their sovereignty, their rights, their self-determination, while knowing too well that the PRC will not. And the US, having been deeply intertwined in East Asia for more than a century, having bled and died on battlefields from the steaming jungles of Guadalcanal and Palau to the frigid outposts of the Aleutians, from tactical defeat at Pearl Harbor to audacious victory at Midway to the hard-won defeat of fanatical resistance at Okinawa, from precarious bases in Manchuria with Chinese allies to harrowing landings at Inchon with Korean allies, quite determined to ensure the various disagreements among those countries be resolved peacefully, in a framework of mutually guaranteed security and aid.

The US has stood ready to assist South Korea - or Japan - or the Philippines - and elsewhere across the globe - at terrible cost should those nations be attacked. It has been the indispensable source of strength in East Asia (and elsewhere) for those democracies that would retain their territorial rights, and in some cases their independence or survival.

Russia, by contrast, has been the indispensable source of strength for Assad.

US allies understand that they can disagree without fear of such coercion. There are norms that govern relationships between Western allies which do not exist between Russia and its former imperial dominions. There certainly are crimes in US history, particularly during the Cold War, when the US sometimes believed it had to walk with the devil to cross a particular bridge - but one must understand them in the broader context of US policies and history.

This is what some circles in Russia - and elsewhere - fail to grasp. Truly fail to grasp. US policy actually takes the long view that a world of democracies, each with self-determination, is the best future for us all. It's a belief that underpins the beliefs of neoconservatives, and of liberal internationalists (though they differ sharply on the means to achieve it).

In the short to medium term, US foreign policy is tempered by reality (frequently, anyway, though not always). Stable democracy is not always an option. Change in some nations must come slowly, organically, as a gradual evolution of internal forces.

As to Russia - there is more than one vision of Russia. Imperialistic, paranoid, brutal, insular - or progressive, dynamic, and despite great misfortune, resilient and beautiful.

Should those with influence in Russia discover the truth - that to preserve Russian power in the world, Russia ought cooperate more, to demonstrate its place among great nations as a nation which, while defending its interests, can simultaneously achieve good in concerted international efforts - then the future will be brighter for everyone.

I'm not sure Putin is capable of such a pivot. But some of the brightest in Russia must see, through the smoke of state propaganda, that there is more to the world than a choice between corrupt anarchy and corrupt authoritarianism, that while all human endeavors are imperfect, marred with failures and hypocrisies, yet some are worthier, and better, and hold for us all that which has driven humanity forward from the darkest times of our existence to the present: the will not simply to survive, but the hope and the promise of a better future.

Skeptical • October 30, 2016 6:05 AM

@Dave: I think the more interesting question is why? What provoked Russia into thinking it was a good idea to very publically go after one specific political party? I just don’t think that kind of move happens in a vacuum. All intelligence is capital, and someone decided it was better to show they were holding pocket aces to the world rather than slow play a hand that came at a significant investment.

Four reasons - all mere guesses:

1 - Putin and close advisors genuinely believe that the US interferes with their politics via NGOs, criticism of certain of their policies, etc. If those are viewed as information operations by Russia, perhaps this was not viewed as such a leap.

2 - Russia has been engaged in a long campaign to undermine the moral standing of democracy in the world. It is an ideology viewed as dangerous to an established order, and one which endows the US - despite a fair amount of hatred towards the US that exists in the world - with a surprising amount of soft power. The leaks of these emails are intended to further undermine US moral standing - they are a piece of a larger strategic initiative - in which the objective is to diminish the power of certain principles and ideas, rather than to accomplish the election of a particular candidate.

3 - Trump as candidate is embarrassing for the US, and would be disastrous as President. Using these emails in an information operation to dirty the Clinton campaign is a way to simultaneously undermine US moral standing by showing both candidates to be morally lacking, or the product of a corrupt establishment, while just possibly increasing the odds that Trump might win - or come close to winning - both of which would damage US standing in the world.

4 - Because of Clinton's remarks in the past concerning Russia and Putin in particular, and because of Clinton's harder view regarding US policy in the ME and Eastern Europe, it's possible that personal enmity played a role, if only unconsciously, in the calculus.

As to pocket aces... were they? They seem to have divulged no sophisticated cyber capabilities, nor any intelligence that would become less valuable by virtue of becoming public.

I view this as an immense blunder - it amounts to an invitation to the US to undertake similar information operations, and this is a space in which all the asymmetries favor the US. That Russia is indulging in absurd 4-day civil defense drills reminiscent of the Cold War seems to indicate they realize that they've made a wrong turn.

TJ • November 1, 2016 6:40 AM

@Uncle Joe Stalin: It's probably one out of like eighty-thousand people from most NATO nation populations who get the feeling Russia is now, and probably was during the "iron curtain" era, given wwwaaaayyyy more credit than is due and is typically just used as cover for domestic operations and economic warfare..

I'm not saying Russia doesn't have a lot of poor but educated people writing malware, a criminal-run government, and a tendency to wipe their feet on neighboring countries, but I believe, for example, if FSB or some Russian team was involved in the Trump stuff it'd be more like zero-days and persistence on voting infrastructure and not just kinda-classified or lightly-protected leaks probably from phishing leverage..

Russia probably knows they are not going to persuade all the freeloaders and people who pretend to care about minorities to support conservatism and objectivity and philosophy with force or showing them that Hilary was doing the opposite of her public policy for years as part of the "establishment"..

Randy Stegbauer • November 2, 2016 11:12 AM

From the article: "The hackers created them [the URLs] with two Bitly accounts in their control, but forgot to set those accounts to private".

How would an experienced hacker, like Fancy Bear is supposed to be, make a mistake like that? And *encode* the email addresses so that we can see who is being hacked?

Doesn't this imply that they either *wanted* to be discovered or it's some kind of misdirection?

Clive Robinson • November 2, 2016 5:29 PM

@ Randy Stegbauer,

Doesn't this imply that they either *wanted* to be discovered or it's some kind of misdirection?

You are not the first and almost certainly not the last to think that ;-)

When you play in the land of smoke and mirrors, you will see yourself dimly every where you are not, and not where you are, friend and foe alike will stand both together and apart, your mind will spin as the truth you try to pin.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.