Politics

Claire McCaskill Hackers Left Behind Clumsy Evidence That They Were Russian

Missouri Democrat’s staff mail was targeted

Sen. Claire McCaskill, D-Mo., was the target of a phishing attack by Russian intelligence agency GRU. (Tom Williams/CQ Roll Call)

The hackers who tried to infiltrate Sen. Claire McCaskill’s staff email network left behind a trail of evidence that bolsters experts’ assessment that they were from the Russian group responsible for the 2016 cyberattacks on the Democratic National Committee.

Staffers for the Missouri Democrat were targeted earlier this year by a password phishing scam. Hackers sent staffers an email telling them they needed to create new passwords for their Microsoft Exchange email accounts and directed them to a webpage that mimicked the U.S. Senate’s Active Directory Federation Services (ADFS) log-in page, the Daily Beast reported in July.

The attack ultimately was unsuccessful. Analysts concluded that Russia’s GRU intelligence agency directed it.

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said at the time of the Daily Beast report. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

New outside research shows how the experts who traced the attack back to GRU came to their conclusion, TechCrunch reported.

When the hackers created the fake Senate email log-in page, they lifted code from the legitimate page that staffers use to access their network. That code contained a link of the legitimate webpage the hackers copied.

The language marker at the end of that link was “.ru,” strongly suggesting that the hackers were in Russia when they created the fake page.

When users access the internet in the U.S., the language markers at the end of links are the familiar “.com,” “.org,” “.edu” and others. In the U.K., it’s “.en,” and in France, it’s “.fr.”

In Russia, the language marker is “.ru.”

When hackers create a fake page, they generally do not begin from scratch, but simply copy and paste code from the original page, RiskIQ threat researcher Yonathan Klijnsma told TechCrunch.

The saved language markers “can be a crucial clue in connecting operators with their malicious campaigns,” Klijnsma said.

Hackers often forget to scrub their code of these language markers, which was the case in the McCaskill phishing attempt.

The cyberattack against McCaskill forced senators to reckon with their security measures.

While House staffers are required to take a training course on cybersecurity, their colleagues in the Senate are not.

The Senate Sergeant at Arms’ office is in charge of many of the technology support services and offers regular cyber awareness trainings to staff in lawmakers’ offices, on committees and back home in the states. Sergeant-at-Arms Michael Stenger said in May the SAA had hosted 52 such seminars since the start of 2017.

But there are thousands of users with access to the Senate networks, and policies vary among offices. Turnover, including thousands of interns cycling through each year, makes enforcement of a blanket security policy a challenge.

Both Republicans and Democrats indicated last month they have work to do to ensure attacks like the thwarted one against McCaskill are not successful in the future.

“The cybersecurity threat is very real, and frankly we haven’t stepped up and done what I think we should do to deal with it — which should be an all government response,” Senate Majority Whip John Cornyn of Texas said in July.

Watch: McConnell Warns Russians to Keep Out of Elections, Schumer Wants More Than Words

Katherine Tully-McManus contributed to this report.

Get breaking news alerts and more from Roll Call on your iPhone or your Android.