The Russian intelligence agency behind the 2016 election cyberattacks targeted Sen. Claire McCaskill as she began her 2018 re-election campaign in earnest, a Daily Beast forensic analysis reveals. That makes the Missouri Democrat the first identified target of the Kremlin’s 2018 election interference.
McCaskill, who has been highly critical of Russia over the years, is widely considered to be among the most vulnerable Senate Democrats facing re-election this year as Republicans hope to hold their slim majority in the Senate. In 2016, President Donald Trump defeated Hillary Clinton by almost 20 points in the senator’s home state of Missouri.
There’s no evidence to suggest that this attempt to lure McCaskill staffers was successful. The precise purpose of the approach was also unclear. Asked about the hack attempt by Russia’s GRU intelligence agency, McCaskill told The Daily Beast on Thursday that she wasn’t yet prepared to discuss it.
“I’m not going to speak of it right now,” she said. “I think we’ll have something on it next week. I’m not going to speak about it right now. I can’t confirm or do anything about it right now.”
The senator later released a statement asserting that the cyberattack was unsuccessful.
“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”
In August 2017, around the time of the hack attempt, Trump traveled to Missouri and chided McCaskill, telling the crowd to “vote her out of office.” Just this last week, however, Trump said, on Twitter, that he feared Russians would intervene in the 2018 midterm elections on behalf of Democrats.
The revelations of the attempted hack of McCaskill staffers comes just weeks after Special Counsel Robert Mueller indicted 12 Russian intelligence officers, accusing them of orchestrating cyberattacks that targeted the Democratic National Committee, the Democratic Congressional Campaign Committee, and Clinton’s campaign in 2016.
On Friday, Trump is scheduled to chair a meeting of the National Security Council on election vulnerabilities facing the midterm elections—amid persistent criticism, particularly after his Helsinki meeting with Russian President Vladimir Putin, that he isn’t taking Russian interference seriously.
The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.
The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.
As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient's email address. That allowed the fake password-change webpage to display the user’s email address when they arrived, making the site appear more convincing.
In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants. The court established a process that lets Microsoft take over any web addresses the hackers use that includes a Microsoft trademark.
Microsoft redirected the traffic from the fake Senate site to its own sinkhole server, putting it in a prime position to view targets trying to click through to change their passwords.
The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt last week in an appearance at the Aspen Security Forum. Burton discussed the Virginia injunction, and told the audience that it allowed Microsoft to thwart a phishing campaign against three midterm election candidates, whom he declined to name.
“We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” said Burt, Microsoft’s corporate vice president for customer security and trust. “We took down that domain and working with the government actually were able to avoid anybody being infected by that particular attack.”
The most recent domain seizures recorded in the Virginia case took place between August and December of last year, when Microsoft grabbed seven malicious web addresses, including the “qov.info” address. A report from the security company Trend Micro released in January listed that address and the role it played in a Senate phishing campaign against unnamed targets.
A snapshot of a deep link on the phishing site taken September 26th by a website security scanner showed the fake password-change page with the Senate email address of a McCaskill policy aide on display.
There is a notable divide between Congress and the Trump administration over the vulnerability of the 2018 election to Russian election interference.
In March, the Senate Intelligence Committee warned state election officials to make cybersecurity a “high priority” for their election systems, particularly over voter databases, and urged the states to bolster their coordination with the Department of Homeland Security. But the secretary of Homeland Security, Kirstjen Nielsen, appeared earlier this month to downplay the threat. While “adversaries and nonstate actors” consider U.S. elections a persistent target, Nielsen said there are “no indications that Russia is targeting the 2018 U.S. midterms at a scale or scope to match their activities in 2016.”
By contrast, Dan Coats, the embattled director of national intelligence, testified in February that Russia considered its 2016 election hacking a success. Putin “views the 2018 U.S. midterm elections as a potential target for Russian influence operations,” Coats told the Senate intelligence panel. Last week, after being rebuked by Trump beside Putin in Helsinki, Coats reiterated his concern about Russia’s “ongoing, pervasive efforts to undermine our democracy.”
Earlier this year, Congress appropriated $380 million, as part of a broader spending package, to individual states for election security. The Senate is currently weighing whether to authorize an additional $250 million in similar grants.
A spokesperson for the Senate Intelligence Committee declined to comment, as did a spokesperson for Sen. Mark Warner (D-VA), the top Democrat on the panel.
McCaskill is one of 10 Senate Democrats facing re-election this year in states that Trump won in 2016. Her likely Republican challenger is Josh Hawley, who currently serves as the state’s attorney general. Outside groups and campaign committees have spent more than $15.5 million against McCaskill so far.
McCaskill has spoken out forcefully against Moscow, likening Russian election-meddling to “a form of warfare” and calling Putin a “thug and a bully.” She was also caught up in the Podesta hack, which was revealed when WikiLeaks released the Clinton campaign chairman’s private email communications. The document dump showed that McCaskill called Podesta to inform him that she had “info” about an individual working in the State Department’s inspector general’s office, which at the time was investigating Clinton’s private email server. The “info” was that a top aide at the inspector general’s office once worked for a Republican senator, Chuck Grassley of Iowa.
McCaskill’s criticisms of WikiLeaks stretch back nearly a decade. In 2010, she and Sen. Lindsey Graham (R-S.C.) called for prosecutions of individuals who send classified information to WikiLeaks. Earlier this month, Mueller’s GRU indictment included Russian intelligence officers who, through the Guccifer2.0 persona, are accused of funneling the hacked 2016 data to WikiLeaks.
“I hope we can find out where this is coming from and go after them with the force of law,” McCaskill said at the time.
—with additional reporting by Spencer Ackerman