Basic Digital Security Could Have Prevented One of the Biggest Political Scandals in American History
Russia hacked the Clinton campaign in large part because John Podesta didn't bother to turn on two-factor authentication.
As the editor of a publication that spends a lot of time focused on digital security, it is hard to look at Robert Mueller’s indictment of 12 Russian hackers Friday and feel anything other than rage and looming dread.
Whether you believe Russian meddling impacted the results of the 2016 election or not, Russian hacking has without a doubt resulted in a mind-boggling amount of political strife and general tension. Perhaps all of this unpleasantness could have been avoided if John Podesta had turned on two-factor authentication, which is among the most basic security advice we could possibly offer.
According to the indictment, Russians targeted over 300 individuals affiliated with the Hillary Clinton Campaign, the DCCC, and the Democratic National Committee. Nation-state hackers in general are highly sophisticated, and it’s possible that Russian hackers would have ratcheted up the sophistication of the techniques they used to hack top Democratic officials if their initial attack on Podesta hadn’t been successful. But it turns out they didn’t need to.
Podesta, Clinton’s campaign chair, fell for a spearphishing attack in which Russian agents spoofed a Google security notification and got his password. They then stole more than 50,000 emails and leaked them for months in an agonizing drip-drip fashion that supported a right-wing media narrative about the Clintons and corruption.
I use two-factor authentication on a throwaway Reddit account I don’t even care about; it is infuriating that the campaign chair of a major candidate for president didn’t bother to use it on his official email account, or that the campaign’s IT department didn’t force everyone on the campaign to use it.
And it wasn’t just Podesta. According to the indictment, Russians used social media to research some additional victims, including Hillary Clinton’s campaign manager and senior foreign policy advisor, in order to glean information about them; they then sent spearphishing emails using “an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign.” The spearphishing emails contained a link to a “document titled ‘hillary-clinton-favorable-rating.xlsx,’” a fake Excel spreadsheet file that redirected to a website owned by the Russians.
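The "one-letter deviation" trick is something a mail gateway can check for mechanically. The sketch below is an added example, not code from the indictment or from any campaign's tooling; the roster, the addresses and the function names are constructed for illustration.

```python
"""Flag inbound senders whose account name is one edit away from a known staffer."""
from __future__ import annotations

from email.utils import parseaddr

# Constructed roster; a real deployment would load this from the staff directory.
ROSTER = {"jordan.avery@campaign.example", "sam.whitlock@campaign.example"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap ("lokc" for "lock") counts as a single edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, roster=ROSTER) -> tuple[str, str | None]:
    """Return (verdict, roster address the sender resembles or matches)."""
    # "known" only means the address string matches the roster; whether the
    # message really came from that account is a separate SPF/DKIM/DMARC question.
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in roster:
        return "known", addr
    local = addr.partition("@")[0]
    for known in sorted(roster):
        k_local = known.partition("@")[0]
        if local == k_local:
            return "lookalike-domain", known  # right name, wrong domain
        if edit_distance(local, k_local) == 1:
            return "lookalike-name", known  # one-letter deviation
    return "unknown", None


if __name__ == "__main__":
    for hdr in ("Jordan Avery <jordan.averey@mail.example>",
                "sam.whitlock@webmail.example",
                "newsletter@vendor.example"):
        print(hdr, "->", classify_sender(hdr))
```

A gateway would quarantine or banner the two lookalike verdicts rather than deliver them silently.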
The DNC isn’t any better—CyberScoop reported earlier this month that the organization is happy that only 80 percent of its employees don’t click spearphishing links, and it has only recently begun to suggest (but not require!!!) that its employees use 2FA on their email accounts. The indictment notes that Russia sat inside the DCCC and DNC’s servers until at least October 2016—a month before the election and six months after it had originally gained access.
Well-executed spearphishing can be quite sophisticated, and Russia was highly motivated to hack Democrats. It’s impossible to know whether they would have found a way to hack Podesta and Clinton’s other employees if they had turned 2FA security on. But in 20 years, if history textbooks still exist, it will be difficult to exaggerate how easy it was for Russia to corrupt the elections of the most powerful democracy in Earth’s history.
We're a little over three months away from another election, and so far, there is no indication that the DNC, the DCCC, and many of the candidates who are running in highly contested races are prepared for the type of information warfare that America has been dealing with since 2016. Learn how to protect yourself with The Motherboard Guide to Not Getting Hacked.