A phishing email sent to Hillary Clinton campaign chairman John Podesta may have been so sophisticated that it fooled the campaign’s own IT staffers, who at one point advised him it was a legitimate warning to change his password.
The stolen email thread, released by WikiLeaks Friday, also provides the most direct evidence yet that the Russian government was behind the damaging hack into the Clinton campaign, according to a private cybersecurity company.
The thread shows a Clinton campaign staffer writing that a phishing email sent to Podesta’s Gmail account on March 19, 2016, is “legitimate,” though the staffer advises him to go through Google’s official procedures to update his password. It’s not clear if Podesta gave hackers his password before he was advised by his staff, or if the email in question was the one that led to the hack.
The Clinton campaign has not commented directly on the hacked emails and CNN cannot independently verify their authenticity.
On its face, the source of the potentially dangerous email is Google, but a closer look at the actual mailing address shows an unfamiliar or bogus-looking account: “no-reply@accounts.googlemail.com.”
The subject line warns, “Someone has your password” and the body of the message says “someone” in Ukraine tried, but was stopped, from signing into Podesta’s account.
“You should change your password immediately,” the email warns. The words “CHANGE PASSWORD” then appear — inviting Podesta to click on them — as a way to do just that. But the address did not link to a secure Google web page, instead directing the user blindly via bit.ly, a service used to shorten or conceal web addresses.
According to the cybersecurity company SecureWorks, the link used in the Podesta email was clicked two times. If his information was entered into a form on the landing site — potentially run by a hacker — the floodgates could have opened right there.
Podesta was not the only Clinton campaign staffer targeted, SecureWorks found.
“We saw 108 email addresses targeted and we know that 20 of the links that were sent to those individuals were clicked,” Phil Burdette, a senior security researcher at the firm, told CNN on Friday. There were 213 similar bit.ly links created, he said, but because there were duplicates it is likely the same accounts received multiple phishing messages.
It is unclear if anyone else targeted entered their information.
The Russian connection
The US government has pinned other cyberattacks targeting Democratic groups — including the summer’s hack of the Democratic National Committee — on the Russian government, though it has not yet accused Moscow of the Podesta hack. Moscow has denied involvement.
SecureWorks, however, says Friday’s email thread provides proof of Russia’s involvement in the Podesta hack. The group points to evidence that “Fancy Bear” — the name of the cyberespionage group also believed to have carried out the allegedly Russia-led DNC hacks — was involved in the Podesta thefts.
“Fancy Bear” is a nickname for one of the Russian military-intelligence hacking groups that were discovered in the DNC’s servers. Other cyberfirms have corroborated these findings, as has the US government.
SecureWorks has linked the bit.ly account used in the Podesta phishing attack to “Fancy Bear.”
WikiLeaks has denied working with the Russians, though the group won’t reveal its sources for the material it releases.
Don Smith, the director of cyberintelligence at SecureWorks, said historically, the targeting of the bit.ly campaign appears aimed at military attaches in Western embassies, in addition to dissidents in Ukraine and Georgia and journalists outside Russia.
But the phishing operation retrained its focus in March 2016, he said, employing the same tactics in an effort to breach the DNC and Clinton campaign staff email.
“You don’t have to think very hard to determine it was one of the Russian intelligence agencies,” Smith said.