DNC Hack due to Gmail Phishing??

In two influential articles in June 2016 (June 16 here and June 26 here), SecureWorks purported to link the then recently revealed DNC hack to Russia via a gmail phishing campaign which they had been monitoring since 2015 and which they attributed to APT28 (Fancy Bear). They had observed multiple phishing targets at hillaryclinton.com, dnc.org and personal gmail accounts of campaign officials and surmised that one of these targets at DNC must have been tricked by the phishing campaign, from which APT28 obtained access to the DNC server.
Their argument was quickly accepted by computer security analysts. In an influential article in October 2016, Thomas Rid, a prominent commentator on computer security, stated that this argument was the most important evidence in attribution of the DNC hack to Russia – it was what Rid called the “hackers’ gravest mistake”.
However, the connection of the DNC hack to the gmail phishing campaign, as set out in the SecureWorks article, was very speculative, even tenuous.  In addition, subsequent evidence in the DNC emails themselves conclusively refuted even this thin connection. To be clear, the issues pertaining to the DNC hack are distinct from the Podesta hack – which, though unknown at the time of the June 2016 SecureWorks’ article, can be convincingly attributed to gmail phishing accompanied by bitly link-shorteners.
In today’s post, I’m going to look at the narrow issue of the connection between the gmail phishing campaign and the DNC hack and whether it contributes to Russian attribution of the DNC hack.

SecureWorks reported that they studied “8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service” from May 2015 to mid-May 2016, looking for patterns in the targets.  Included among the target email addresses were 213 links to 108 email addresses on the hillaryclinton.com domain from mid-March to mid-May 2016; 16 links targeting nine dnc.org accounts; and 150 links to gmail accounts of individuals linked to the Hillary for America campaign, the DNC, or other aspects of U.S. national politics. Ironically, while they identified a couple of individual officials (by title) whose personal gmail had been hacked, Podesta was not among them.
They determined that there had been 20 clicks from hillaryclinton.com targets to the credentials page, four clicks from dnc.org targets and 40 clicks from the gmail accounts, but were unable to determine whether any credentials had been entered.
The destination page in a gmail phishing campaign is a webpage on a malicious site which reproduces a Google log-in page closely enough to deceive the target into entering their credentials. After entering the credentials, the target is transferred to his actual Google page so that he is unaware that his credentials have been harvested. An example of a phishing page is shown below (from here, taken from a source cited in the SecureWorks article).

It’s one thing to trick someone in regard to a personal email account, but how is this scam supposed to work on someone with a hillaryclinton.com or dnc.org email? And why would a gmail scam phish non-gmail addresses? Here SecureWorks begins to arm-wave.
In respect to the hillaryclinton.com domain, SecureWorks observed that the campaign appeared to use gmail as its “organizational mail solution”:

An examination of the hillaryclinton.com DNS records shows that the domain’s MX records, which indicate the mail server used by the domain, point to aspmx.l.google.com, the mail server used by Google Apps. Google Apps allows organizations to use Gmail as their organizational mail solution.
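The check quoted above can be made explicit. The following is an added example (not from the post or from SecureWorks) that parses dig-style MX answer lines and reports whether a domain's mail is hosted on Google; the domain names and record lines are constructed samples, not real lookups.

```python
"""Classify a domain's MX records to see whether its mail is hosted on Google.

Added example, not code from the post or from SecureWorks. The record lines
below are constructed sample data (hypothetical domains), not real lookups.
"""
import re

# Hostname suffixes used by Google Apps / Google Workspace MX records.
GOOGLE_MX_SUFFIXES = (".google.com", ".googlemail.com")

# Matches one line of a dig answer section: "name TTL IN MX preference host."
MX_LINE = re.compile(
    r"^(?P<domain>\S+)\.\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+?)\.?$"
)

def parse_mx_lines(lines):
    """Parse MX answer lines into (preference, host) pairs, lowest preference first."""
    records = []
    for line in lines:
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host").lower()))
    return sorted(records)

def is_google_host(host):
    """True when the MX host sits under one of Google's mail domains."""
    return host.endswith(GOOGLE_MX_SUFFIXES)

def mail_provider(lines):
    """'google' if every MX host is Google's, 'none' if there are no MX
    records, 'mixed' if only some hosts are Google's, otherwise 'other'."""
    records = parse_mx_lines(lines)
    if not records:
        return "none"
    google = [is_google_host(host) for _, host in records]
    if all(google):
        return "google"
    if any(google):
        return "mixed"
    return "other"

# Constructed sample answer sections for two hypothetical domains.
SAMPLE_GOOGLE = [
    "example-campaign.org.  300 IN MX 10 aspmx.l.google.com.",
    "example-campaign.org.  300 IN MX 20 alt1.aspmx.l.google.com.",
    "example-campaign.org.  300 IN MX 30 alt2.aspmx.l.google.com.",
]
SAMPLE_OTHER = [
    "example-committee.org. 300 IN MX 10 mail.example-committee.org.",
]

if __name__ == "__main__":
    for name, lines in (("example-campaign.org", SAMPLE_GOOGLE),
                        ("example-committee.org", SAMPLE_OTHER)):
        print(name, "->", mail_provider(lines))
```

A live MX lookup only shows the current configuration, which is exactly the limitation the post goes on to discuss: it says nothing about where a domain's mail was hosted at an earlier date.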

It would be mildly interesting to know whether their hillaryclinton.com email sign-in page was the generic Gmail sign-in page or whether it carried campaign logos. However, this issue is moot since the Wikileaks DNC hack consists of dnc.org emails (not hillaryclinton.com emails, except for very few and incidental emails, none from Hillary, Huma or other principals of the campaign).
This theory, such as it is, doesn’t work for dnc.org as SecureWorks themselves conceded:

As of this publication [June 16, 2016], dnc.org does not use the Google Apps Gmail email service.

To overcome this seemingly insurmountable obstacle, they arm-waved:

However, because dnc.org email accounts were targeted in the same way as hillaryclinton.com accounts, it is likely that dnc.org did use Gmail at that time and later moved to a different service. [my bold]

At the time, SecureWorks didn’t know of the very restricted effective time range of the Wikileaks DNC archive: from April 19, 2016 to May 25, 2016. (There are a very small number of emails with an apparently earlier timestamp, but these are convincingly argued by steemwh1sks to have been transferred during the above window. steemwh1sks also pointed out that DNC had a 30-day retention policy and convincingly argued that the Wikileaks archive was exfiltrated between May 19 and May 25, 2016.) On SecureWorks’ theory, it is necessary to show that it is likely that DNC was using gmail up to May 25, 2016, switching only a few days prior to their article on June 16 – something that seems implausible on its face.
Against this intuitively implausible theory, there is also direct evidence in the Wikileaks DNC emails themselves. On May 17, a response from the IT helpdesk shows that the DNC was using (Microsoft) Outlook for email – not Google Apps Gmail.

Conclusion
It is bewildering that attribution is made on such shallow reasoning. There was no basis at the time for SecureWorks’ assertion that it was “likely” that DNC had used gmail and subsequently changed. This was pulled out of thin air. None of the many computer security analysts opining on attribution bothered to confirm this hypothesis with DNC themselves, or else they would have found out the opposite. Nor do the analysts appear to have checked this hypothesis against information from the Wikileaks DNC archive itself. If they had, they would have seen that it was untrue. Nonetheless, the attribution of the DNC hack to gmail phishing has been more or less universally adopted as a line of evidence supposedly pointing squarely to Russia and Putin personally (e.g. Rid, cited above).
While the Podesta hack can be convincingly attributed to gmail phishing (as can related hacks of William Rinehart, Colin Powell and others published at DCLeaks), this is not the case for the hack of the Wikileaks DNC emails. Attribution of this hack must stand or fall on other lines of evidence.
Nor am I arguing that this shows that DNC credentials could not have been phished some other way, e.g. clicking malware on a phishing email or a non-gmail credential theft (dnc.org login), only that the nexus between the hack and phishing dnc.org email addresses is worse than flimsy.
Postscript
Neither SecureWorks nor other contemporary analysis discussed the democrats.org server, which is the website for the Democratic Party, while dnc.org is the website for the Democratic National Committee. The two are closely related, but not the same. In comments today, Jaap observed that, on April 29, 2016, a subdomain (factivists.democrats.org) of democrats.org was hacked.

At 5:33 pm, she reported that they were locked out again. The situation seems to have settled by 7:52 pm, when she again distributed a password. democrats.org, according to MX information on DNStrails, presently uses Google Apps email, while dnc.org does not.
