The private email address for Hillary Clinton, which became the talk of Washington this week and created her first major speed bump on her road to the White House, has actually been freely available on the Internet for a year, thanks to a colorful Romanian hacker known as Guccifer.
On March 14, 2013, Guccifer—his real name is Marcel-Lehel Lazar—broke into the AOL account of Sidney Blumenthal, a journalist, former White House aide to Bill Clinton, and personal confidante of Hillary Clinton. Lazar crowed about his exploits to journalists, disclosing a set of memos Blumenthal had written to Clinton in 2012, as well as the personal email address and domain she’s now known to have used exclusively for her personal and official correspondence.
Few journalists noticed that at the time, and it caused no ruckus in Washington. But the fact that Clinton’s private email was now public means she was not just putting her own information at risk, but potentially those in the circle of people who knew her private address.
Her email account was the ultimate hacker’s lure. It’s a common technique to impersonate a trusted source via email, in order to persuade a recipient to download spyware hidden inside seemingly innocuous attachments. Indeed, Clinton’s own staff had been targeted with such highly targeted “spear phishing” emails as early as 2009, the year she took office. And according to U.S. authorities, Lazar, who’s now serving a seven-year prison sentence in Romania and is accused of hacking the accounts of other Washington notables like Colin Powell, did commandeer other people’s email accounts. Then he used them to send messages exposing the private correspondence of his other victims.
When her address was exposed, Clinton was running her private email account on equipment in her home in New York, which security experts say is an inherently weak setup that made her more vulnerable to hacking.
It’s not clear whether Lazar tried to hack Clinton’s domain or if he used his access to Blumenthal’s account to do so. But he was within digital striking distance of the secretary, inside the email of a Clinton ally who, as one longtime Blumenthal friend told The Daily Beast, is “a blooded member of Hillaryland, perhaps the personification of that corps who are closest to her inner circle.”
Blumenthal sent Clinton a range of missives covering topics such as U.S.-Egyptian relations to how she was recovering from a concussion. Once he was inside Blumenthal’s account, Lazar could have easily “spear phished” this most senior member of President Obama’s cabinet.
Blumenthal still maintains the once-hacked AOL account. Requests for comment sent there weren’t returned.
Before Lazar exposed the email domain, it would have been known to people with whom Clinton was trading emails, as well as to a tight inner circle lucky enough to be given @clintonemail.com accounts. Those included Clinton’s daughter, Chelsea, and aide Huma Abedin, whom the former secretary treats like family. Maybe Clinton and her staff thought the relative anonymity of her email domain would have given her a measure of security. It’s hard to say, since they and State Department officials have consistently refused to answer journalists questions about what security measures Clinton took to protect her “homebrew” email system.
But “assuming that the domain is ‘secret’ is a dangerous assumption,” Johannes Ullrich, a computer security expert with the SANS Institute, told The Daily Beast.
“A not-well-published domain does not provide significant protection,” Ullrich said. “As seen in the Guccifer incident, it is easy to unmask such domains if just one of the individuals she is corresponding with is breached. At the same note, running a mail server securely is difficult.”
Ullrich said that because email servers communicate with many different outside systems, “e-mail is probably the most dangerous attack vector” that a hacker could use. The fact that Lazar had exposed her private account a year ago suggests that Clinton could have taken steps at the time to better protect herself. Whether she did or not, her aides aren’t saying.
“We have no indication the account was hacked or compromised,” a senior State Department official told The Daily Beast. But unless State inspected the system, officials have no way of knowing that. By the department’s own admission, officials didn’t contact Clinton about turning over emails on her account until October 2014, nearly two years after she’d left office, when the law on official records was being changed to cover emails sent on private accounts.
Had security experts checked the system, they might not have liked what they saw. One security scan this week revealed that the domain uses “obsolete and insecure” protocols and gave it an overall F rating.
The only Blumenthal emails Lazar is known to have disclosed, within days of hacking the account, were four memos from September 2012, marked “classified,” and containing what Blumenthal described as on-the-ground intelligence about the attack on the U.S. consulate in Benghazi. The disclosure tipped off Blumenthal to the breach, allowing him to change the password on his account and regain control.
Perhaps fortunately for Clinton, Lazar was more interested in snooping than spying. That may explain why he may have passed on a golden opportunity to get inside Clinton’s email account, as well. He’s “just a smart guy who was very patient and persistent” and who “wanted to be famous” for showing that he could embarrass Washington power brokers and other celebrities, a Romanian prosecutor told the New York Times, which published a profile of Lazar last year. Among the purloined correspondence he disclosed were emails between Powell and a Romanian diplomat, which were so intimate that Powell had to publicly declare the woman was just a friend and nothing more.
In an interview with the the Times, the imprisoned hacker rambled about “a potpourri of conspiracy theories” he tied to the so-called Illuminati, whom he described as the “very rich people, noble families, bankers and industrialists from the 19th and 20th century” that he said run the world, are responsible for the death of Princess Diana and the 9/11 attacks, and whose email the world deserves to see.
He now seems hardly much of a threat, and was apprehended by Romanian authorities after bragging about his high-profile American victims secretly running the world. He’d also targeted Romanian officials, making him a wanted man in his own country.
But plenty of people were trying to spy on Clinton and the people around her, and Lazar arguably made their job easier.
Indeed, Clinton had been targeted by hackers and cyber spies practically from the moment she took office. In 2009, a senior member of Clinton’s staff received a spear phishing email that purported to come from a colleague in the office next door, according to former officials with knowledge of the matter. The email contained an attachment that the sender claimed was related to a recent meeting, but the recipient couldn’t recall that the meeting had ever occurred. When he inquired with his colleague, he was met with a blank stare.
Had the Clinton staffer opened the attachment, it would have installed spyware on his computer and potentially allowed a hacker to spy on other people using the State Department network. Former officials said the spear phishing email likely came from China.
That same year, in a separate hacking attempt, five State Department employees who were negotiating with Chinese officials on efforts to reduce greenhouse-gas emissions received spear phishing emails claiming to come from a prominent Washington journalist, Bruce Stokes.
Signs pointed to the email being legitimate: The U.S. climate change envoy, Todd Stern, was a friend of Stokes’, and the subject line of the email read “China and Climate Change,” which seemed like a reporter’s inquiry. Stokes is also married to Ambassador Wendy Sherman, a seasoned diplomat who went on to lead U.S. negotiations with Iran over its nuclear program. The body of the message included comments related to the recipients’ jobs and their work at the time.
The spear phishing incident was documented in a State Department cable, part of a massive cached disclosed by WikiLeaks. It’s unclear whether anyone opened an attachment in the email that contained a virus, which could siphon information off the infected computer. But whomever sent the message had studied Stokes, knew who his associates were, and understood what would prompt them to trust the email.
It’s that kind of information that a reasonably sophisticated hacker could glean from someone in touch with the secretary of state. What was on her mind? What did she care about? What was likely to get her to open an attachment? Knowing the private domain Clinton used would have made any spear phishing email look more legitimate.
“At the very least, she should have been worried about individuals impersonating the [clintonemail.com] domain,” Ullrich said. Setting up standard mail filtering mechanisms and proper security certificates “would be a first step, but that should have happened right from the start,” he said.
Right from the start would have been in the days before her Senate confirmation in 2009, when the private email account was set up. If Clinton didn’t realize then that she was a security risk then, the Chinese hackers trying to break into her office should have tipped her off.