Security researchers on Thursday unveiled a link they say ties Russian hackers with the compromise that led to WikiLeaks publishing the personal emails of John Podesta, the chairman of Hillary Clinton’s presidential campaign.
The link — a clickable hyperlink purportedly leading to a Google log-in page — was included in a malicious email sent to Mr. Podesta’s Gmail account on March 19, 2016, according to researchers at SecureWorks, an Atlanta-based IT firm. At some point afterwards he opened the email, clicked the link and landed on a website where he was asked to re-enter his password. Instead of giving that information to Google, however, he typed his credentials into a website that SecureWorks has tied to the Russian government.
This particular “spear-phishing” operation — and specifically its use against the Hillary for America presidential campaign — was discussed in a SecureWorks report published three months after the actor it calls Threat Group-4127 acquired Mr. Podesta’s credentials, and four months before WikiLeaks began releasing the contents of his email account on Oct. 9.
Now less than two weeks later and following the publication of more than 23,000 of Mr. Podesta’s personal emails, a source close to an investigation into the breach told Motherboard on Thursday that the chairman’s account was compromised during the course of Threat Group-4127’s campaign.
Also known by names including “Fancy Bear” and “APT28,” SecureWorks says the group is a branch of the Russian government. And by making a rookie mistake, the hackers may have offered researchers the best evidence yet linking the Podesta email leak to the Kremlin and other campaigns.
The malicious email sent to Mr. Podesta contained a link that had been created by Bitly, a shortening service that takes long web addresses and condenses them into tiny URLs. Once Bitly directed Mr. Podesta to the original address, however, it might not have necessarily seemed suspicious to the untrained eye: when expanded, the actual URL contained words including “My Account,” “Google” and “Security Setting Page,” but wasn’t actually registered to Google.
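The deception described above relies on brand words appearing in the hostname or path while the registrable domain belongs to someone else. The following added example (not code from SecureWorks, Motherboard or the original article) shows the check a defender would run on a link before trusting it; the sample URLs are constructed, and the two-label domain heuristic is an assumption a real deployment would replace with the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed sample URLs for the demo (not the real link sent to Mr. Podesta).
# The second one mimics the lure described in the article: brand words appear in
# the hostname and path, but the registrable domain is not google.com.
SAMPLE_URLS = [
    "https://myaccount.google.com/security",
    "https://myaccount.google.com-securitysettingpage.example.net/login",
    "https://bit.ly/constructed",
]

SHORTENERS = {"bit.ly", "t.co", "goo.gl"}          # opaque until expanded
BRAND_KEYWORDS = ("google", "myaccount", "security")
LEGIT_DOMAINS = {"google.com"}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels, e.g. 'example.net'.

    Assumption: a simple two-label heuristic; production code should use the
    Public Suffix List (e.g. the tldextract package) to handle 'co.uk' etc.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> dict:
    """Classify a URL as 'legit', 'shortened', 'lookalike' or 'unknown'."""
    parts = urlparse(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        # A shortener hides the real destination; expand it before judging.
        return {"url": url, "verdict": "shortened", "domain": domain, "keywords": []}
    # Brand words anywhere in the host or path that the registrable domain does not own.
    haystack = (host + parts.path).lower()
    found = [k for k in BRAND_KEYWORDS if k in haystack]
    if domain in LEGIT_DOMAINS:
        verdict = "legit"
    elif found:
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"url": url, "verdict": verdict, "domain": domain, "keywords": found}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u))
```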
SecureWorks has been tracking Fancy Bear for the last year, and during the course of its work found command-and-control domains used by the group to operate campaigns waged against various targets of interest to the Russian government. Researchers probing those domains discovered ties to a particular Bitly link, then learned that link had been shortened by a specific Bitly account that wasn’t set to private. In turn, SecureWorks stumbled upon nearly 9,000 shortened links that had been used against targets between Oct. 2015 and May 2016, each one containing the name and email of the intended victim.
Using Bitly allowed “third parties to see their entire campaign including all their targets — something you’d want to keep secret,” Tom Finney, a researcher at SecureWorks, said to Motherboard.
Among those targets were Mr. Podesta, former NATO commander Philip Breedlove, Colin Powell and at least 26 individuals associated with either the Clinton campaign or Democratic National Committee. While sensitive data stolen from Mr. Podesta and the DNC have ended up on WikiLeaks, the other officials have seen their information released in recent months by other actors widely believed to be taking orders from Moscow.
“The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the U.S. election process,” intelligence officials concluded recently.
Thomas Rid, a professor at London’s King’s College, wrote Thursday in Esquire that the nearly 9,000 links had been crafted to be used against roughly 4,000 Gmail accounts, “including targets in Ukraine, the Baltics, the United States, China and Iran.”
Around 40 percent of the targets consisted of current and former military personnel, while others included officials in Germany, Italy and Saudi Arabia; victims coughed up their credentials in roughly one in seven tries, he wrote. Similarly malicious emails containing shortened URLs were used in hacking campaigns deployed recently against journalists from Bellingcat, a website critical of the Kremlin, Motherboard noted.
President Vladimir Putin has repeatedly denied Russia is hacking U.S. targets, but has applauded WikiLeaks’ publication of documents stolen from the Clinton campaign and DNC.
Despite being briefed in classified meetings, Republican candidate Donald Trump has questioned Russia’s alleged role as recently as during the final presidential debate.
“Our country has no idea” who is behind the hacks, Mr. Trump told Democratic opponent Hillary Clinton during Thursday’s debate in Las Vegas. On her part, Mrs. Clinton said 17 intelligence agencies have concluded Russia is responsible.
“We are approaching the point in this case where there are only two reasons for why people say there’s no good evidence,” Mr. Rid, the King’s professor, told Motherboard on Thursday. “The first reason is because they don’t understand the evidence — because they don’t have the necessary technical knowledge. The second reason is they don’t want to understand the evidence.”