2012: Clinton’s private server is vulnerable to a hacker attack described in a government warning.

Marc Maiffret (Credit: Fox News Business)

The Homeland Security Department’s Computer Emergency Readiness Team issues a warning about remote access attacks that would allow hackers to take control of computers. The warning notes that “An attacker with a low skill-level would be able to exploit this vulnerability.”

In 2015, the Associated Press will report that Clinton’s private email server could have been vulnerable to a hostile takeover by this very type of attack. Clinton’s server appears to have lacked encryption protections, and could accept commands from computers over the Internet.

Marc Maiffret, who founded two cybersecurity companies, will later comment, “That’s total amateur hour. […] Real enterprise-class security, with teams dedicated to these things, would not do this.”

Another cybersecurity expert, Justin Harvey, will comment that Clinton’s server “violates the most basic network-perimeter security tenets: Don’t expose insecure services to the Internet.” (The Associated Press, 10/13/2015)

June 8, 2016: The names of CIA officials could have been revealed through a combination of the content of Clinton’s emails and the classification markings on them.

Stewart Baker (Credit: Diego M. Radzinsch / National Law Journal)

The Associated Press reports that after Clinton’s 30,000 work-related emails were turned over to the State Department, 47 of them were marked with the notation “B3 CIA PERS/ORG” to justify why certain passages were redacted.

Stewart Baker, a former assistant secretary of the Homeland Security Department and a former NSA legal counsel, says, “Start with the entirely plausible view that foreign intelligence services discovered and rifled Hillary Clinton’s server.” Then those agencies could compare the full emails with the redacted versions and use the B3 CIA markings to find the meaning of names that otherwise might not be obvious. Baker says, “Presto—the CIA names just fall off the page.”

An unnamed US official says the risk of the names of CIA personnel being revealed in this way is “theoretical,” since it is unknown if other governments hacked Clinton’s server to get their own full versions of the emails. (The Associated Press, 6/8/2016)

June 16, 2016: Various clues suggest that “Guccifer 2.0” could be a front for Russian hacking efforts.

Copy of the metadata and the nickname for Felix Dzerzhinsky, written in the Cyrillic alphabet. (Credit: Ars Technica)

On June 15, 2016, someone going by the name “Guccifer 2.0” claimed to be the “lone hacker” behind the breach of the DNC [Democratic National Committee] computer network reported in the media the day before.

However, various clues support the assertion by security experts hired by the DNC that the hacking effort is connected to the Russian government or at least originates from Russia:

  • The metadata of one file sent by Guccifer 2.0 to Gawker contains metadata indicating the last person to change the file used the nickname for Felix Dzerzhinsky (Феликс Эдмундович), a long-dead Russian statesman best known for founding the Soviet secret police.
  • The nickname is written in the Cyrillic alphabet, which means Guccifer 2.0’s computer was configured to use the Russian language and was connected to a Russian-language keyboard.
  • Another file contains some broken web links. The error message is also written in Russian, using the Cyrillic alphabet.
  • A blog post written by Guccifer 2.0 uses “)))” to indicate a smiley face. This is common in Eastern Europe and Russia but very uncommon elsewhere, due to differences with the Russian-language keyboard. (Ars Technica, 6/16/2016)
  • Other metadata indicates the person who saved the files used a cracked version of Office 2007, which is popular in Russia.
  • Vice News reports that Guccifer 2.0 had no online history prior to June 15, and “multiple security sources said they’d never heard of nor seen anyone by that alias” before that date. (Vice News, 6/16/2016)
  • Dave Aitel, CEO of Immunity Security, comments, “You don’t have the FBI or DHS [Department of Homeland Security] coming out and saying: ‘Hey we don’t think it’s Russia.’ If it is Russia, a nation state, it’s a pretty big deal. Otherwise the FBI would say: ‘We’re conducting an investigation.’ But they’re not saying that.”

Ars Technica comments, “Of course, it’s still possible that the Russian fingerprints were left intentionally by someone who has no connection to Russia, or by a Russian-speaking person with no connection to the Russian government, or any number of other scenarios.” (Ars Technica, 6/16/2016)

July 2016—August 18, 2016: Hackers target the election databases in two US states, but the motives and identities of the hackers are unclear.

In July 2016, the FBI uncovers evidence that two state election databases, in Arizona and Illinois, may have been recently hacked. Officials shut down the voter registration systems in both states in late July 2016, with the Illinois system staying shut down for ten days.

Jeh Johnson (Credit: public domain)

On August 15, 2016, Homeland Security Secretary Jeh Johnson heads a conference call with state election officials and offers his department’s help to make state voting systems more secure. In the call, he emphasizes that he is not aware of “specific or credible cybersecurity threats” to the November 2016 presidential election.

Three days later, the FBI Cyber Division issues a warning, titled “Targeting Activity Against State Board of Election Systems.” It reveals that the FBI is investigating hacking attempts on the Arizona and Illinois state election websites. The warning suggests the hackers could be foreigners and asks other states to look for signs that they have been targeted too. Out of the eight known IP addresses used in the attacks, one IP address was used in both attacks, strongly suggesting the attacks were linked.

An unnamed person who works with state election officials calls the FBI’s warning “completely unprecedented. … There’s never been an alert like that before that we know of.” In the Arizona case, malicious software was introduced into the state’s voter registration system, but apparently no data was successfully stolen. However, in the Illinois case, the hackers downloaded personal data on up to 200,000 state voters.

Tom Kellermann (Credit: BBC News)

It is not known who was behind the attacks. One theory is that the Russian government is responsible. A former lead agent in the FBI’s Cyber Division said the way the hack was done and the level of the FBI’s alert “more than likely means nation-state attackers.” Tom Kellermann, head of the cybersecurity company Strategic Cyber Ventures, believes Russian President Vladimir Putin is ultimately behind the attacks, and thinks they are connected to the hacking of the Democratic National Committee (DNC) and of other US political organizations targeted recently. Kellermann says of Putin, “I think he’s just unleashed the hounds.”

But another leading theory is that common criminals are trying to steal personal data on state voters for financial gain. Milan Patel, former chief technology officer of the FBI’s Cyber Division, says, “It’s got the hallmark signs of any criminal actors, whether it be Russia or Eastern Europe.” But he adds, “the question of getting into these databases and what it means is certainly not outside the purview of state-sponsored activity.” Some cybersecurity experts note that hackers often target government databases for personal information they can sell.

Rich Barger (Credit: Threat Connect)

So far, the motive and identity of the hackers remain uncertain. Rich Barger, chief intelligence officer for ThreatConnect, says that one of the IP addresses listed in the FBI alert previously surfaced in Russian criminal underground hacker forums. However, sometimes these groups work alone, and other times they work for or cooperate with the Russian government. Barger also claims the method of attack on one of the state election systems appears to resemble methods used in other suspected Russian state-sponsored cyberattacks. But cybersecurity consultant Matt Tait says that “no robust evidence as of yet” connects the hacks to the Russian government or any other government.

US officials are considering the possibility that some entity may be attempting to hack into voting systems to influence the tabulation of results in the November 2016 election. A particular worry is that six states and parts of four others use only electronic voting with no paper verification. Hackers could conceivably use intrusions into voter registration databases to delete names from voter registration lists. This is still considered only a remote possibility, but the FBI is warning states to improve their cybersecurity to reduce the chances that it could happen.

News of these attacks and FBI alerts will be made public by Yahoo News on August 29, 2016. (Yahoo News, 8/29/2016) (Politico, 8/29/2016)

July 21, 2016: The White House holds a high-level security meeting to discuss reports that the Russian government hacked into the DNC computer network.

The meeting takes place only one day before WikiLeaks publicly releases almost 20,000 Democratic National Committee (DNC) emails. However, when the Washington Post reports on this meeting a few days later, it will give no indication whether US intelligence knew of the leak in advance and discussed it at the meeting. According to the Post, “Officials from various intelligence and defense agencies, including the National Security Council, the Department of Defense, the FBI, and the Department of Homeland Security, attended the White House meeting…” (The Washington Post, 7/24/2016)

October 7, 2016: The US government formally accuses the Russian government of hacking and publishing emails related to US political entities.

James Clapper (Credit: Mark Wilson / Getty Images)

Director of National Intelligence James Clapper releases a statement in conjunction with the Department of Homeland Security claiming that leaked emails that have appeared on a variety of websites “are intended to interfere with the US election process. … We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

The New York Times comments that the statement does “not name President Vladimir V. Putin of Russia, but that appear[s] to be the intention.”

Many thousands of emails and other documents have been posted in recent months on the WikiLeaks website, but WikiLeaks won’t say where its leaks come from. Two newly created websites attributed to DCLeaks and Guccifer 2.0 have also posted leaks. Both groups claim to have no ties to the Russian government, but the US government claims otherwise.

The statement adds that US intelligence agencies are less certain who is responsible for “scanning and probing” online voter registration lists in various US states in recent months. Those “in most cases originated from servers operated by a Russian company,” but the statement doesn’t assert that the Russian government is responsible.

Kerry (left) and Russian Minister for Foreign Affairs Sergei Lavrov meet in Geneva to discuss the Syrian crisis on September 9, 2016. (Credit: Agence France Presse)

The Times notes that the “announcement [comes] only hours after Secretary of State John Kerry called for the Russian and Syrian governments to face a formal war-crimes investigation over attacks on civilians in Aleppo and other parts of Syria. Taken together, the developments mark a sharp escalation of Washington’s many confrontations with [Russia] this year.”

US officials had debated for months whether or not to formally accuse Russia, and if so, when. An unnamed “senior administration official” says that with only about a month to go before the November presidential election, President Obama was “under pressure to act now,” in part because the closer the declaration would be to election day, the more political it would seem.

It is unclear what action the US will take in an attempt to punish Russia, if any. A range of options are being considered, including economic sanctions and covert cyber attacks against Russian targets. (The New York Times, 10/7/2016)