If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.
The 2016 Podesta Spear Phish Was Amateur Hour—and It Worked
The news has heated up about the role spear phishing will play in the 2020 election. Recently, the lawyers for the Federal Election Commission (FEC) advised the commission to block a request by a Silicon Valley company to provide free or discounted services to help 2020 candidates combat cyber-threats, including spear phishing. Long story, but the offer has run into FEC regulations governing which campaigns would qualify for free or low-cost services, under rules defining political donations.
Here’s my point: in the case of John Podesta and the 2016 election, it wouldn’t have mattered if the FEC allowed free or discounted cyber security services because he was using his personal email account. Not his hillaryclinton.com email address. And not a DNC.org or a DCCC.org address. He was using his personal Gmail account to conduct campaign business.
In the 2018 documentary, Active Measures, Podesta further explains/confesses that in fact he was using his personal email to conduct campaign business AND he gave his password to a “couple of [my] coworkers.
Oy. How can you have a robust cyber strategy if you’re working with people using personal devices and accounts? And not just a handful of volunteers, but one of the brightest, most experienced political operatives in the world?
Here’s What Mueller Says about the Most Infamous Spear Phish Ever
Let’s recap the now infamous Podesta phish, which was described in Mueller’s report. In Robert Mueller’s words:
“Members of Russia’s GRU military unit sent hundreds of spear phishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, unit 26165 appears to have sent approximately 90 spear phishing emails to email accounts at hillaryclinton.com. Starting on March 16, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org accounts.”
“The GRU spear phishing operation enabled it to gain access to numerous email accounts of Clinton Campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton Campaign’s advance team, informal Clinton Campaign advisors, and a DNC employee. GRI officers stole tens of thousands of emails from spear phishing victims, including various Clinton Campaign-related communications.”
What did the Podesta phish look like? Here it is, with my commentary:
Figure 1: This is the phish that changed an election and the world.
To repeat, there is nothing sophisticated about this email. It’s a (poorly) Gmail-branded phish, with a Bitly link to a credential-stealing phony website. Everything about this is basic and amateurish.
This is not what an advanced spear phish looks like. There is nothing sophisticated or unique about it. This phish, frankly speaking, is a rushed, slapped-together, tired variant of your basic Gmail credential stealer, something that most junior hackers could pull off by watching a YouTube tutorial.
The fact that an elite military unit arguably changed the outcome of an election with something this primitive speaks volumes about how unprepared the campaign was. And it makes me extremely pessimistic that the 2020 election will survive phishing attacks. From my perspective, if the 2020 candidates haven’t fully absorbed the painful lessons inflicted by a junior varsity phish, they’re unprepared to deal with phishing and will be thoroughly compromised (if they aren’t already.)
In other words, if they haven’t nailed the basics, they’re probably dead already.
To learn more about spear phishing and other email attacks, including truly sophisticated techniques threat actors are using, view the Cofense Phishing Threat and Malware Review 2019.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.