Penetration testing, or pentesting, can be a useful strategy for an enterprise to use to tighten security on its network. Paying an ethical hacker to find holes in a company’s cybersecurity architecture can help a company avoid a major breach. Of course, this comes with some risks. What if the pentester is not so ethical and uses the vulnerabilities found to hack the corporate network they are hired to protect? What if they sell this information to unethical hackers? In other words, a company or organization must be careful who it allows into its network.
This is why there are organizations that certify pentesters. However, many so-called pentesters aren’t certified. Let’s call them, ‘unsolicited pentesters’. These are people who may test a company’s cybersecurity on their own initiative, find a vulnerability, and then ask the company to pay them for their work. It’s a hit or miss scenario. The company may just give the unsolicited pentester a pat on the back and nothing more. Other companies offer official payments for those who find bugs in their networks or products. They offer clearly defined bug bounties to bug bounty hunters. For the most part, any unsolicited individual who hacks into an enterprise’s network must be considered a hacker unless they clearly state that they want no money or other compensation for what they find.
That’s what makes the recent cybersecurity incident at the DNC so interesting. It was initially reported that the DNC thwarted a cyber attack designed to get login information from spearphished employees. Someone had made a fake sign-in page that emulated NGP VAN’s Votebuilder, a database used by the Democratic Party. The DNC’s chief security officer, Bob Lord, wasted no time contacting the FBI and CNN to report the “sophisticated attempt to hack into our voter file”. In his report to CNN, Lord tried to make political hay of the attempt by claiming, that “we need the (Trump) administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks.” There were clear insinuations in the CNN story that Russia may have been behind the attack.
However, just as this incident was to become a major news story, it was found that the hack wasn’t a hack at all. According to the DNC, the Michigan Democratic Party had asked NGP VAN to do a “simulated phishing test” on the DNC and no one thought it might be a good idea to tell the DNC about it. But, according to a statement given to CNN by Brandon Dillon, the chair of the Michigan Democratic Party, it was all Donald Trump’s fault. “We have taken heightened steps to fortify our cybersecurity — especially as the Trump Administration refuses to crack down on foreign interference in our elections.” Dillon referred to the blunder as “a misstep”.
Misstep or not, this qualifies as a hack, since the DNC did not authorize itself to be pentested. However, it is not clear what the Michigan Democratic Party wanted with Votebuilder login information even if they got it. Did they simply want to learn which people in the DNC would be stupid enough to fall for a phishing attack? Wouldn’t this be the job of the DNC security team? Did they want access to part of the database they did not normally have access to? I’m perplexed. In fact, the Washington Post reported that it may not have been the Michigan Democratic Party at all, but an unidentified “web contractor” hired by them. This group was identified by the Wall Street Journal as the recently formed, DigiDems, a largely volunteer group of tech people with a strongly left wing agenda: “DigiDems is a team of innovators passionately committed to supporting the progressive movement through the use of technology.”
This is not the first time that NGP VAN has caused trouble for the DNC. Back in December of 2015, NGP VAN temporarily left its database open which allowed members of the Bernie Sanders campaign to access Hillary Clinton’s strategy. This resulted in the firing of one member of Bernie Sanders’ IT team, Josh Uretsky, and the banning of the Sanders’ campaign from accessing the Votebuilder database. Why NGP VAN agreed to go along with this is still open to debate, since it occurred just before the New Hampshire primary and banning the Sanders campaign from using the database would tilt the primary in Clinton’s favor. Sanders subsequently sued the DNC.
The whole incident spawned a number of conspiracy theories. The cybersecurity firm, CrowdStrike, was asked to look into the Sanders’ breach and, after studying the situation for four months, concluded, in April, 2016, that the Sanders team really didn’t do much with the information they accessed. Sanders subsequently dropped his lawsuit. However, just as CrowdStrike was finalizing its findings, the DNC discovered that they had been hacked. Coincidentally, CrowdStrike was still on board and they were experts in Russian hacking. Coincidentally, they found, within minutes, that Russia had hacked the DNC. Interestingly, they found no indication of this while they had had access to the servers for four months. This has led conspiracy theorists to conclude that “the Russian hacking that’s caused so much division and turmoil at home and abroad never really happened. It was all a ruse concocted by CrowdStrike.” This is not a minor accusation as the entire Robert Mueller investigation of the Trump campaign’s involvement with Russia hinges on CrowdStrike’s conclusions.
The problem here is that the Russians don’t need to hack the DNC to get voter records. Voter registration records are available to anyone, free of charge. Each state also maintains voter records that are openly available. Some are free and searchable online while others must be purchased. Firms like NGP VAN simply compile these databases and organize them to make them searchable by various criteria. As such, they would be a tempting target for certain hackers as they contain a wealth of personal information. Here is a list of the information available in these databases (from Wikipedia).
The problem with this list is that it doesn’t go far enough. NGP VAN boasts, “before, only Facebook, Twitter, and LinkedIn profiles were matched to an individual’s contact record. Now, 97 different social networks are matched daily (highlight NGP VAN), and also provide social media biographies to be integrated into a contact record. Additionally, an individual’s photo will be automatically synced from their profiles when available. You can find your supporters with a particular network with our updated search functionality, and when on that contact’s record, you’ll see a lot more information.” NGP VAN gives the following example to show just what they can do.
In other words, being able to hack into this organized database would be any hacker’s dream, Russian or not.
I’m not saying this happened, but if I were a Russian hacker (or any bad actor) I would certainly consider setting up a fake login page to NGP VAN, just like the contractor for the Michigan Democratic Party purportedly did. In fact, if I were a hacker employed by the Russian government, I would probably volunteer for a firm like DigiDems and use their connection with NGP VAN and Votebuilder. I would then send spearphishing emails to key DNC employees, telling them, for whatever reason, to sign into NGP VAN. I would have a link for them to follow to the spoofed login page and hope they would not look too closely at the URL address. Once they entered their login information I would have access to the full NGP VAN Votebuilder database and, with such access, I really could influence the outcome of any election.
I’m not really sure what the Michigan Democratic Party was up to and maybe they didn’t really know what their overly enthusiastic contractor, DigiDems was doing. I’m not really sure why CSO, Bob Lord, was so quick to contact the FBI, unless he was overly paranoid about Russian meddling. For the same reason, or for pushing a political agenda, he may have contacted CNN. This would give the DNC, with CNN’s help, ammunition to use against the Russians that could substantiate the current investigations into their supposed meddling in the 2016 election. In the end, such an angle could damage the Republicans and Trump in particular.
This strategy may have worked if the scenario didn’t fall apart the next day. In the end, Lord threw a punch which ended up with the DNC getting a black eye.
DNC Chairman, Tom Perez, tried to put a positive spin on the blunder in a quote he gave to CNN.
“We are at war right now — it’s a cyberwar and unfortunately the commander in chief of the cyberwar is asleep at the switch because he benefits and has benefited from the cyberwar. We’re not waiting for help, we’re not waiting for the cavalry from the White House. We’re working with our partners in the cyber-ecosystem and that is in part how we were able to address this, what turned out to be a false alarm.”
Well, you obviously didn’t work that closely with your partners or you would have been informed that they were performing a pentest or hack on your organization. Yes, the DNC could use the angle that it was being proactive in quickly reporting a suspected breach. Then again, they could also be accused of desperately grasping at straws in order to connect all suspected breaches with Russia.
There is something just not right here. Bob Lord stated that this ‘test’ “was not authorized by the DNC, VoteBuilder nor any of our vendors.” So are you saying NGP VAN did not agree to have DigiDems make a fake copy of its Votebuilder login page? You can’t have it both ways.
My problem is with DigiDems. It’s a newly formed enterprise with a poorly designed web page. I’ve seen many fake websites in my days, and this certainly looks like one. You’d think an organization that prided itself on its technical expertise would come up with something better than this pre-packaged web design. For example, the photograph used on its homepage is taken from one used on a number of websites. Ok, I understand. The organization just formed in March and they had to put something together quickly before the 2018 midterms.
So why would the Michigan Democratic Party allow a fly-by-night organization to undertake a pentest of the Democratic National Party? Why would they trust them with such a sensitive task? My guess is that they didn’t. My guess is that they knew nothing at all about what someone on Digidems was doing. They only found out when the hack was traced back to them. That’s when damage control kicked in.
What do you do when it looks like you dropped the ball? You act as if it was planned all along. An actual hack on the DNC, especially by Russians, would make them look pretty inept. The DNC was reluctant to report the 2016 hack because they feared it would negatively impact donations. People don’t want to give personal details to an organization that can’t protect them. This could be a similar case of damage control and the damage was done by Lord when he publicly reported the breach without considering the implications. When the possible financial repercussions of reporting yet another DNC hack was realized, they tried to back off the report by claiming it to be a planned attack.
I would have to agree with the observation by Joseph Carson, chief security scientist at Thycotic, in his statement to Security Week. “I would actually handle this incident as an attempted cyberattack since the DNC has confirmed it was not authorized or approved so therefore a full incident and digital forensics process should be carried out even though it was a so-called test.” As I stated previously, an unauthorized pentest is a hack and should be investigated as one. My prediction is that we will never hear anything about this attack again and, in the near future, Bob Lord will be replaced as DNC CSO.