It happened on March 19 of this year – John Podesta, campaign chairman for Hillary Clinton, unwittingly clicked on a link in an email he thought was from Google corporate. It wasn’t from Google, but from a group of phishing hackers the US government has since linked to Russia. Podesta wasn’t aware the link was malicious when he clicked it, but doing so gave the hackers access to his entire email account. Fast-forward to October 9, when WikiLeaks began publishing thousands of Podesta’s emails; many saw the motive as a desire to influence the US Presidential election by exposing Clinton camp improprieties. Now there is evidence that the same hacker group may also have targeted the Democratic National Committee.
Both hacking incidents used the same kind of malicious short URLs that black hat hackers routinely hide in fake Gmail messages. Those URLs were created with a Bit.ly account linked to a domain controlled by the hacking group known as Fancy Bear, one of the identified Russian groups. Data also shows a “clear thread” between allegedly separate and independent leaks that appeared on a site called DC Leaks, which included some of both Colin Powell’s and John Podesta’s emails.
Fancy Bear and Political Hacks
Hidden behind the Bit.ly link was a longer URL containing a 30-character string that was in fact the encoded Gmail address of John Podesta. The link was clicked twice in March, and those clicks opened Hillary Clinton’s campaign chairman’s email account to exploitation and exposure on a major scale. The link was just one of thousands created by Fancy Bear, which were used to target nearly 4,000 people between October 2015 and May 2016.
The Fancy Bear hacker group used two Bit.ly accounts to create the malicious links, but forgot to set those accounts to private, which allowed “good guy” researchers such as the security firm SecureWorks to track their use through the group’s command and control domains and servers. Fancy Bear used 213 shortened links targeting fully 108 email addresses on the HillaryClinton.com domain, as reported by SecureWorks and in BuzzFeed earlier in October. Using Bit.ly “allowed third parties to see their entire campaign, including all their targets— something you’d want to keep secret,” said Tom Finney, a researcher at SecureWorks.
According to Thomas Rid, professor at King’s College, it was “one of Fancy Bear’s gravest mistakes”: it gave researchers unparalleled visibility into the hacker group’s activities, which let investigators link different, supposedly disparate parts of its larger campaign together. The encoded strings embedded inside the shortened links, which targeted numerous political figures such as Podesta, Powell, and Clinton staffer William Reinhart, effectively revealed the group’s targets for any and all eyes to see.
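The description above is the kind of artifact an analyst triages after a suspicious short link has been expanded: a long URL whose path or query carries an encoded copy of the target’s email address, which is why public shortener accounts exposed the target list. The following is an added example, not code from the article or from SecureWorks, showing how a defender can inspect an expanded URL and recover any embedded email address. It assumes the address is base64-encoded (standard or URL-safe, with padding possibly stripped); the article says only “encoded”, so that encoding is an assumption, and the domain, path layout and target address in the sample URL are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlparse

# Loose email pattern: good enough to confirm a decoded token looks like an address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Tokens shorter than this are not worth trying; the article's string was 30 characters.
MIN_TOKEN_LEN = 16


def _try_base64_text(token: str):
    """Decode a token as standard or URL-safe base64 and return ASCII text, or None.

    Padding is re-added because phishing links often drop the trailing '='.
    """
    padded = token + "=" * (-len(token) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            return raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return None


def _candidate_tokens(url: str):
    """Yield path segments and query keys/values long enough to hold an encoded address."""
    parsed = urlparse(url)
    for segment in parsed.path.split("/"):
        if len(segment) >= MIN_TOKEN_LEN:
            yield segment
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        for token in (key, value):
            if len(token) >= MIN_TOKEN_LEN:
                yield token


def find_encoded_targets(url: str):
    """Return every email address found base64-encoded inside the URL, in order."""
    found = []
    for token in _candidate_tokens(url):
        text = _try_base64_text(token)
        if text is not None:
            text = text.strip()
            if EMAIL_RE.match(text) and text not in found:
                found.append(text)
    return found


def build_sample_url(target_email: str) -> str:
    """Construct a sample expanded phishing-style URL for testing (hypothetical domain).

    The target address is URL-safe base64 with padding stripped, and a decoy
    parameter carries an encoded non-address so the filter has something to reject.
    """
    encoded = base64.urlsafe_b64encode(target_email.encode("ascii")).decode("ascii").rstrip("=")
    decoy = base64.b64encode(b"not an email").decode("ascii")
    return f"https://login.example.net/verify/{encoded}?id={decoy}&continue=https%3A%2F%2Fmail.example.net"


# Constructed sample: a lookalike login page with a constructed victim address embedded.
SAMPLE_URL = build_sample_url("victim@example.com")

if __name__ == "__main__":
    print("Expanded URL:", SAMPLE_URL)
    print("Embedded target(s):", find_encoded_targets(SAMPLE_URL))
```

Run against a batch of expanded links, the decoded addresses give an incident responder the attacker’s target list directly, which is the same visibility SecureWorks obtained from the public Bit.ly accounts; a match against your own user directory is a strong signal that those mailboxes should be reviewed for clicks and credential changes.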
No Smoking Gun
Although the evidence is clear and profound, it doesn’t constitute any kind of smoking gun that can unequivocally link the phishing attacks to the Russian hackers. Nevertheless, in early October the US government publicly accused the Russian government of not only sponsoring but directing the attacks. And as Motherboard put it in their piece entitled “How Hackers Broke into John Podesta and Colin Powell’s Gmail Accounts,” “The intelligence community declined to explain how they reached their conclusion, and it’s fair to assume they have data no one else can see.”
Need Cybersecurity Advice?
If you need advice about cyberattack preparedness, cyber safety awareness, and security, Interplay is a proven leader in IT consulting and cybersecurity in Seattle. Contact one of our IT experts at (206) 329-6600 or send us an email at [email protected] today, and we can help with all your questions or needs.