The DCCC and ActBlue Hacks
The day after Trump's begging Russia to hack America, the CYBER BEARS complied. On July 28, the Democratic Congressional Campaign Committee announced it was attacked by the CYBER BEARS. The DCCC is focused on raising funds for Democratic congressional campaigns and managing the finances of the senatorial campaign donations. This hack used typosquatting: building a fake website identical to the DCCC’s, where staff and donors’ sign-in information was stolen. It used spear-phishing techniques to gain entry, and was focused on an effort to gain general information from the DCCC. The CYBER BEARS managed to steal much more personal data about the donors and supporters of the party from the DCCC than the DNC, including information on credit card numbers, personal information, and addresses.34 Since the effort placed so much emphasis on donors, the mission was most likely intended to create doubts about the security of the Democratic Party’s control of financial information and reduce donations.
Reuters announced the attack just before the DNC’s grand evening, Hillary Clinton’s acceptance speech in Philadelphia. On the eve of Clinton’s speech, the DCCC’s spokeswoman said in a statement, “The DCCC takes this matter very seriously. With the assistance of leading experts, we have taken and are continuing to take steps to enhance the security of our network in the face of these recent events. We are cooperating with the federal law enforcement with respect to their ongoing investigation.”35
ActBlue.com is the official fundraising site that donors thought they were going to when they wound up at ActBlues.com, a fake watering hole site complete with a malware package ready to steal data.36 ActBlues.com was being hosted on a machine with a Netherlands IP address. The site had been registered to a Gmail account, fisterboks@gmail.com, which had registered three other sites used as German cover for Russian spear-phishing campaigns. Cyber security companies ThreatConnect and Fidelis concluded that the Gmail account was tied to domains associated with the DNC hack related to “misdepatrment.com.” That domain was registered to frank_merdeux@europe.com and was used as the C2 server in the DNC attack.37 The CYBER BEARS had struck again.
The administrators of the official ActBlue.com site stated they were never hacked and that no information on donors in their systems was compromised.38
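The typosquatting described above (ActBlues.com for ActBlue.com, and the transposed letters in misdepatrment.com) is the kind of lookalike a defender can flag by edit distance against a list of protected names. The following is an added example, not code from the book or from ThreatConnect, Fidelis or SecureWorks; the function names are hypothetical, misdepartment.com as the legitimate name being imitated is an assumption not stated in the text, and actblue.net is a constructed sample.

```python
# Added example: flag lookalike (typosquatted) domains by edit distance.
# PROTECTED and OBSERVED are constructed sample data for illustration.

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute,
    or swap of two adjacent characters each costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "tr" typed for "rt".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def split_domain(name: str):
    """Return (second-level label, suffix). Assumes a single-label TLD;
    a production check would use the Public Suffix List instead."""
    label, _, suffix = name.strip().lower().rstrip(".").rpartition(".")
    return label.split(".")[-1], suffix

def find_lookalikes(observed, protected, max_dist=1):
    """List (observed, imitated, distance) for near-miss domains."""
    legit = sorted({split_domain(p) for p in protected})
    hits = []
    for raw in observed:
        label, suffix = split_domain(raw)
        if not label or (label, suffix) in legit:
            continue  # malformed, or a genuine protected domain/subdomain
        for p_label, p_suffix in legit:
            d = osa_distance(label, p_label)
            if d <= max_dist:  # d == 0 means same label, different TLD
                hits.append((raw, f"{p_label}.{p_suffix}", d))
    return hits

PROTECTED = ["actblue.com", "misdepartment.com"]  # second entry is assumed
OBSERVED = ["actblue.com", "ActBlues.com", "misdepatrment.com",
            "secure.actblue.com", "example.org", "actblue.net"]

if __name__ == "__main__":
    for seen, imitated, dist in find_lookalikes(OBSERVED, PROTECTED):
        print(f"{seen} resembles {imitated} (distance {dist})")
```

A distance threshold of 1 is noisy for very short labels, so a real watchlist would scale the threshold with label length or add an allowlist.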
The DCCC did not officially disclose what data had been stolen. However, shortly after the leak was announced, the account associated with “Guccifer 2.0” claimed responsibility. On August 12, 2016, they published a trove of internal emails, memos and other data. In particular, there was a memo from Troy Perry, a DCCC employee who advised others on how to handle activists in the Black Lives Matter campaign. He suggested to “listen to their concern but do not offer support for concrete policy decisions.”
As a result of publishing the DCCC information, Twitter suspended the Guccifer 2.0 account.39 WordPress too took action… in a way. They stepped in and scrubbed the website of posts related to the DCCC hack and sent a reminder to Guccifer 2.0 of its Terms of Service related to publishing private information. The laughter in the LUCKY-7 Information Warfare Management (IWMC) cell must have been raucous when the sternly-worded letter about monkey-wrenching an entire American election was read aloud.
Clinton Campaign Hack
Trump’s wish for Russia to get more data continued apace. On July 29, 2016, Clinton campaign spokesman Nick Merrill said, “Our campaign computer system has been under review by outside cyber security experts. To date, they have found no evidence that our internal systems have been compromised.”40 This was political lingo to say the campaign had been visited by the CYBER BEARS but they hadn’t found the actual hack yet.
In fact the CYBER BEARS did attack the Clinton servers, but their access was limited. The attackers managed to access a server used for the campaign’s analytics program that stores voter analysis. There is no other sensitive data on those machines and the campaign said the internal computer systems had not been compromised. Still, the Russians now knew more about how the Clinton campaign analyzed voter data. Nothing is ever too obscure for cyber theft.
The techniques the CYBER BEARS used to attack were the same as the others. An email was sent to 108 Hillary for America email addresses, containing a short link pointing to a fake Google sign-in. The target enters their Gmail email and password and then—poof!—it belongs to Mother Russia.
SecureWorks determined 213 links were sent. Because SecureWorks could only find just over half of the 108 Gmail accounts, they determined the hackers got the emails from another source.41 The emails were aimed at specific figures that held rank in the campaign. Out of the 213 links generated by the hackers, 20 had been clicked at least once. Eight people clicked the links at least twice; two of those clicked them four times. In addition, 26 personal accounts for Clinton campaign staffers were targeted in 150 short links specifically created to target this group.
The DNC uses dnc.org as its mail server for staff email. SecureWorks reported that sixteen short links were sent to nine specific accounts at the DNC. At least three senior Clinton staff members clicked on these short links. SecureWorks did not link these emails specifically to the DNC hack, but did affirm the same spear-phishing technique was used.42 In its brief on the HillaryClinton.com hack, SecureWorks refers to “TG-4127” and designated it as APT28 COZY BEAR.
Now that their tears of laughter had dried from the stern warning from WordPress, the CYBER BEARS paid no heed and started to issue more stolen DNC documents, including “DCCC internal docs on primaries in Florida.” However, a telling clue of the releases started to reveal itself. While Guccifer 2.0 released some documents randomly in order to incite Sanders die-hards, others followed a certain parameter, indicating that the Russian IWMC was paying close attention to what the Trump campaign said and then released documents to support Trump’s statements. The most telling was the week-long storm the Trump campaign made by claiming that if he didn’t win in Pennsylvania, then the election was stolen. Speaking in Altoona on August 12, he said “We’re going to watch Pennsylvania. Go down to certain areas and watch and study and make sure other people don’t come in and vote five times. If you do that, we’re not going to lose. The only way we can lose, in my opinion—I really mean this, Pennsylvania—is if cheating goes on.” Little more than a week later, Guccifer 2.0 posted “DCCC Docs Pennsylvania.” They would soon be followed up with leaks of DNC material from virtually all of the swing states of Florida, Ohio, New Hampshire, Illinois and North Carolina just when Trump needed a boost in the polls.
More evidence of synchronicity was found on the same day that Trump visited Mexico and then lit a barn burner of a speech on immigration. That night Guccifer 2.0 released the documents “DCCC docs from [Nancy] Pelosi’s PC” with discussions on immigration, Black Lives Matter, and other items.43