The Democratic National Committee (DNC) Email Hack: Just How Dangerous Have Things Become?
Tyler Cohen Wood CISSP
For the condensed version of this blog and for more helpful blogs, please go to https://Blog.inspiredelearning.com.
Breaking news this week is the WikiLeaks posting of thousands of emails obtained from a hack on the Democratic National Committee (DNC). The fallout during this already dramatic and tense political election season has been substantial and is still continuing. New evidence is coming to light daily on what happened, who did it, and what could have been done to prevent it.
What we do know is that a few days prior to the Democratic National Convention in Philadelphia, approximately 20,000 internal DNC emails were leaked to WikiLeaks, which immediately posted them for viewing by the public. Let’s look at how it happened.
In April 2016, DNC leaders were notified by their technology team that they may have been hacked: anomalies had been detected on their network. Apparently, even after the potential compromise had been identified, a DNC press assistant sent an email over the suspected-compromised email server alerting the staff that the website had been compromised. The staffer then sent the new website password, unencrypted, multiple times, probably enabling the hackers to collect even more of the DNC’s sensitive information.
Then in early May, a DNC consultant logged into her personal Yahoo email account and received a pop-up message from Yahoo:
“We strongly suspect that your account has been the target of state-sponsored actors.”
A Yahoo spokesman said the pop-up warning to the consultant “appears to be one of our notifications” and said it was consistent with a new policy announced by Yahoo on its Tumblr page last December to notify customers when it has strong evidence of “state sponsored” cyberattacks.[1]
The consultant continued to receive the warnings even after she changed her password. She notified her managers at the DNC. This was of huge concern because it showed that the hackers had not only breached DNC servers, but also personal webmail accounts that were being used by DNC employees and consultants. It is also coming to light that some consultants for the DNC were using personal webmail accounts for work purposes.
Soon after learning about the suspected breach, the DNC hired cyber threat firm CrowdStrike to perform a forensic analysis to see if they had been hacked, what had been compromised, how, when, and by whom. By reviewing the code used by the hackers to perform the attack, CrowdStrike identified two separate hacker groups, both suspected to be Russian.[2]
All computer code has a unique pattern or signature that can be attributed to a person or a group. It is similar to being able to identify someone based on their pattern of speech or the way they write. Basically, even if the code is zero day (never seen before), analysts can scrutinize code patterns to determine the coder’s/hacker’s identity based on the methods they used to get in, what they did once inside, and the way the code is written. That being said, it is important to keep in mind that code and code patterns can be replicated, so it can be hard to determine exactly who the perpetrators were. Sometimes even after an investigation, it can be difficult to make that determination.
CrowdStrike’s analysis identified that one of the suspected Russian hacking groups had compromised the DNC systems about a year prior to the initial discovery of the breach. The code the hackers used enabled them to monitor the DNC’s email and other communications.
CrowdStrike found the second suspected Russian hacker group had compromised the network in late April 2016. This was the breach that the DNC technology team noticed because of unusual network activity. During the course of their investigation, CrowdStrike found that this group exfiltrated multiple files and was able to access and monitor the DNC research staff’s computers. Essentially, the hackers were able to read all email and chat traffic and potentially access multiple sensitive files.
CrowdStrike is not sure how the hackers were able to breach the DNC’s systems. They and other experts who have analyzed the code suspect that the hackers targeted specific DNC employees or consultants with spear phishing emails. They were most likely able to glean information about the DNC employees through social media, blogs, or other Internet searches in order to target specific people for spear phishing. Both suspected hacking groups are known to use spear phishing as a method of entry.
So, what could have been done to prevent this attack, and what can we take away from it? First, given the sensitive nature of the data contained on the DNC’s servers, they should have been using a method of communication that involved end-to-end encryption, such as a secure communications capability. There are many of these capabilities available in both the open source community and on the open market. There are also multiple popular secure communications enterprise solutions available that you can discuss with your IT department. It is also a good idea to add full encryption and authentication, such as PGP. In addition, make sure you have a policy in place that does not allow anyone to discuss sensitive information using their personal webmail accounts. To help defend against a targeted spear phishing attack, the DNC’s network servers should have been segmented so that the attackers couldn’t easily escalate their privileges and gain access to an entire email server or other sensitive data.
Also, as with any organization, the DNC should have had a comprehensive security awareness program in place that included educating all employees and consultants on what to look for in phishing schemes and best practices to defend themselves against them, such as never clicking on suspicious links in emails.
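Three of the failures described above (a password broadcast in clear text over a compromised mail server, work traffic flowing through personal webmail, and links in phishing mail) are all things a mail gateway or awareness tool can check for. The script below is an added example written for this post, not code from the article or from the DNC or CrowdStrike; the organisation domain `example-party.org`, the list of personal-webmail domains and the four sample messages are all constructed assumptions.

```python
"""Mail-hygiene checks for the three failure modes the article describes:
   1. a credential pasted into a mail body in clear text,
   2. work traffic touching a personal webmail account,
   3. links whose visible text names one host while the href goes elsewhere,
      or whose host merely imitates the organisation's domain.
All domains and messages below are constructed for illustration."""
import re
from email import message_from_string
from typing import List
from urllib.parse import urlparse

ORG_DOMAIN = "example-party.org"                      # hypothetical organisation
PERSONAL_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}

CREDENTIAL_RE = re.compile(r"(?i)\b(?:password|passwd|passcode|pwd)\b\s*(?:is|:|=)\s*\S+")
ANCHOR_RE = re.compile(r'(?is)<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>')
TAG_RE = re.compile(r"<[^>]+>")
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def registrable(host: str) -> str:
    """Last two labels of a hostname; a stand-in for a real public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, target: str) -> bool:
    """True for hosts that imitate target without being it or one of its subdomains."""
    if not host or host == target or host.endswith("." + target):
        return False
    if target in host:                      # e.g. example-party.org.evil.net
        return True
    return levenshtein(registrable(host), target) <= 2


def check_message(raw: str) -> List[str]:
    """Return finding tags for one single-part RFC 5322 message given as text."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []

    # 1. Credential in clear text (the "new website password" incident).
    if CREDENTIAL_RE.search(TAG_RE.sub(" ", body)):
        findings.append("credential-in-cleartext")

    # 2. Personal webmail on either end of a work conversation.
    parties = [msg.get("From", "")] + re.split(r"[,;]", msg.get("To", ""))
    domains = {m.group(1).lower() for p in parties for m in [ADDR_RE.search(p)] if m}
    if domains & PERSONAL_WEBMAIL:
        findings.append("personal-webmail")

    # 3. Link text that names a different host than the href, and look-alike hosts.
    for href, inner in ANCHOR_RE.findall(body):
        link_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(TAG_RE.sub("", inner))
        if shown and registrable(shown.group(1)) != registrable(link_host):
            findings.append(f"link-text-mismatch:{shown.group(1).lower()}->{link_host}")
        if is_lookalike(link_host, ORG_DOMAIN):
            findings.append(f"lookalike-domain:{link_host}")
    return findings


# Constructed sample messages (not real DNC mail).
SAMPLE_MESSAGES = {
    "password_broadcast": (
        "From: Press Office <press@example-party.org>\nTo: all-staff@example-party.org\n"
        "Subject: Website\n\nThe site was compromised. The new website password is "
        "Spring2016! Please use it to log in.\n"),
    "personal_webmail": (
        "From: consultant@yahoo.com\nTo: research@example-party.org\nSubject: memo\n\n"
        "Attached is the draft opposition research memo for review.\n"),
    "phish": (
        "From: IT Helpdesk <helpdesk@examp1e-party.org>\nTo: researcher@example-party.org\n"
        "Subject: Reset required\nContent-Type: text/html\n\n"
        "<p>Your mailbox is full. Sign in at <a href=\"http://examp1e-party.org/login\">"
        "https://example-party.org/login</a> today.</p>\n"),
    "clean": (
        "From: a@example-party.org\nTo: b@example-party.org\nSubject: lunch\n\n"
        "Lunch at noon?\n"),
}


def run_samples() -> dict:
    """Check every sample message; returns {name: findings}."""
    return {name: check_message(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, found in run_samples().items():
        print(f"{name:20s} {found or 'no findings'}")
```

The registrable-domain helper is deliberately crude (last two labels) so the example stays dependency-free; a production check would use the public suffix list and would run on each MIME part of a multipart message rather than on a single payload string.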
The DNC hack underscores how concerning it is that hackers are gaining so much power over our country and economy. In only the past few years, we have seen hackers bring large companies to their knees by stealing and broadcasting sensitive customer information, damaging corporate and personal reputations. We have seen hackers’ potential to affect our critical infrastructure such as power grids and transportation systems, among other critical needs we rely on, but now they are showing that they have the ability to potentially sway the most important political election in this country. As we become totally reliant on connected devices, we are more at risk from hackers than ever before.
It is critical that we take threats like the DNC hack seriously. It is more important than ever for all individuals and businesses to implement security policies and rigorous security awareness education programs to ensure that our sensitive data is safe and control over our critical infrastructure remains in the right hands.
For further information on how to protect your network, check out our comprehensive and award-winning security awareness library and phishing assessments tool at Inspiredelearning.com.
[2] https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
Colonel, United States Air Force, Retired
8 years
Nice read. I thought you would focus more heavily on training or policy enforcement given their massive part-time and volunteer workforce, especially the younger generation, which seems to think a simple virus checker makes them bulletproof.