DOCUMENT: Investigation

Tracking The Hackers Who Hit DNC, Clinton

Republicans also targeted by suspected Russian op

AUGUST 12--The e-mail from Google arrived at 4:09 AM on March 22 and contained an ominous alert for its recipient, William Rinehart, a staffer with Hillary Clinton’s presidential campaign.

“Someone has your password,” the e-mail’s subject line declared. “Someone just used your password to try to sign in to your Google Account,” warned the message, which reported that the incursion attempt came from an IP address in Ukraine.

While the “Gmail Team” advised Rinehart that the sign-in attempt was stopped, he was told, “You should change your password immediately.”

When he received the message--which carried the address [email protected] was in Hawaii preparing for the March 26 Democratic presidential caucus. An experienced organizer, Rinehart, 33, has previously worked for the United Nations Foundation, Barack Obama’s presidential campaigns, and Organizing for America, which was formed to build grass roots support for Obama’s legislative agenda.

In a bid to thwart any future Ukrainian hijacking attempts, Rinehart followed Google’s suggestion and clicked on a red box marked “CHANGE PASSWORD.” He was then taken to a Gmail log-in page where, as directed, he keyed in his credentials.

Until he was contacted this month by The Smoking Gun, Rinehart had not given that Google alert a second thought. It sat buried in his Inbox, just one of tens of thousands of messages he had never bothered to delete.

Armed with evidence that Rinehart’s Gmail account had been hacked in late-March--likely as part of the suspected Russian intelligence operation that targeted the Democratic National Committee--a reporter asked Rinehart to search for any messages he received that month from Google.

In short order, Rinehart located the March 22 e-mail and shared the message--along with its full header information--with TSG.

An analysis of that e-mail--which was part of a larger “spear phishing” effort aimed at Clinton campaign staffers--has revealed new details about the illegal operation, which is now the subject of an FBI probe.

Additionally, a TSG investigation has unearthed new details about the hacking spree, which recently prompted Obama to cite experts who have tied Russia to the illegal incursions. For its part, the Clinton campaign has insinuated that the hacking was a Russian attempt to influence the presidential election (in favor of Donald Trump, a Vladimir Putin stan).

And while Democrats may appear to be the only crime victims, TSG has learned that numerous prominent Republicans and GOP groups have also been targeted. These hacking victims include John McCain, Lindsey Graham, Michele Bachmann, various state Republican parties, as well as assorted GOP candidates, PACs, and consultants.

As with Rinehart, none of the Republican victims contacted by TSG was aware that their web sites and e-mail servers had been compromised at some point in the past year.

*  *  *

Rinehart was one of scores of Clinton campaign staffers and DNC employees targeted in a “spearphishing” effort that was flagged--after the fact--by researchers with SecureWorks, the security firm hired by the DNC to investigate the hacking of its computer systems.

While the illegal gambit’s success rate is unknown, it appears likely that several targets were duped by the Gmail scam. In late-June, TSG reported that Sarah Hamilton, a Clinton campaign press aide, had her Gmail account breached. Like Rinehart, Hamilton was tricked by a spoofed Google alert warning of an overseas log-in attempt.

TSG learned of the Hamilton hack from “Guccifer 2.0,” the purported “hacktivist” who first contacted the site on June 15 to claim credit for the DNC attack and share an assortment of purloined Democratic Party documents.

In the initial e-mail--which came a day after the Washington Post reported the DNC intrusion--“Guccifer 2.0” said that he had “been in the DNC’s networks” for nearly a year and had provided the “main part of the papers, thousands of files and mails, I gave to Wikileaks.” On July 22, Wikileaks posted nearly 20,000 stolen DNC e-mails, a disclosure that triggered the resignation of the party’s chairman, CEO,  CFO, and communications director.

In e-mails, “Guccifer 2.0” has claimed to be a Romanian national and has bristled when a TSG story referred to him as a thief. “Stop calling me the vandal,” he wrote. “I'm not a criminal I'm a freedom fighter.”

Several security groups have theorized that “Guccifer 2.0” is a Russian invention, a hype man tasked with publicizing criminal acts that were actually committed by skilled government hacking groups. While he has described himself in e-mails as an “unknown hacker with a laptop” and a foe of “all the illuminati and rich clans which try to rule the governments,” “Guccifer 2.0” has acted more like a press flack, promising “exclusives” and pushing journalists to do stories based on stolen documents carrying little news value.

In reviewing e-mails sent by “Guccifer 2.0”--including 25 messages provided by TSG--researchers with ThreatConnect, a Virginia-based cybersecurity firm, determined that he usually connected to a series of burner e-mail accounts via a Russian virtual private network (VPN) as a way of masking his identity. On three occasions, “Guccifer 2.0” made contact with TSG via a Miami, Florida IP address connected to the Russia-based Elite VPN service. ThreatConnect, which has investigated the recent hacking spree, today published a new analysis of developments on that felonious front.

Though “Guccifer 2.0” regularly provided documents swiped during the DNC breach, he wrote from an AOL France account on June 27 offering “exclusive access to some leaked emails” from Clinton’s staff. In a follow-up message, the vandal--whose e-mail account carries the name “Stephan Orphan”--offered a collection of material that was “part of the big archive that includes Hillary Clinton’s staff correspondence.”

But instead of attaching the documents to an e-mail or providing a download link to a file sharing site (as he had previously done), “Guccifer 2.0” told TSG that the material would be available through DC Leaks, a web site he described as a “sub project” of Wikileaks. In fact, DC Leaks has no connection at all with Wikileaks or Julian Assange.

“Guccifer 2.0” wrote that he had “asked the DCleaks” to “release a part” of the staff correspondence, but “with a closed access.” After offering to provide TSG a password with which to access the material on DC Leaks, “Guccifer 2.0” claimed that DC Leaks “asked me not to make any announcements yet.” He added, “So I ask you not to make links to my blog. Ok?”

After TSG accepted his offer, “Guccifer 2.0” e-mailed a password that provided access to the e-mails and documents stolen from Sarah Hamilton’s Gmail account three months earlier. “Let me know your opinion. to be continued...” he wrote.

The Hamilton records posted on DC Leaks provided a largely inconsequential look at the logistical details of the Clinton campaign and its press operation. In a June 28 article about the “spear phishing” attack on Hamilton, TSG noted that a reporter learned of the Hamilton hack from “Guccifer 2.0.” The story did not mention DC Leaks or that “Guccifer 2.0” had provided a password to the newborn web site.

On June 29, “Guccifer 2.0” wrote seeking a correction. “It seems people think it was me who hacked Hamilton,” he stated. “That’s not correct. I just sent you a link. I don’t claim it’s my work! I don’t need another person’s glory.”

In subsequent correspondence, “Guccifer 2.0” did not push further for a correction and he ignored questions about who hacked Hamilton (pictured below) and how he became aware of the stolen e-mails that had mysteriously appeared on an obscure web site.

TSG’s contact with “Guccifer 2.0” ended on July 4, when he e-mailed two DNC documents along with the greeting “happy independence day!”

When “Guccifer 2.0” wrote in late-June to introduce TSG to DC Leaks, the web site had barely been online for three weeks, according to tracking data. The DC Leaks Twitter and Facebook accounts debuted on June 8, the day that the site itself appears to have launched. While nobody else had heard of DC Leaks, “Guccifer 2.0” had somehow not only discovered the site, but had privileges that allowed him to provide TSG with access to a password-protected section of the site. 

On its “About” page, DC Leaks describes itself as a “new level project” committed to exposing “Wall Street fat cats, industrial barons and multinational corporations’ representatives who swallow up all resources and subjugate all markets.” At launch, the site’s sparse offerings included documents hacked from George Soros’s Open Society Foundation and e-mails stolen from the Gmail account of Philip Breedlove, a recently retired U.S. General who served as NATO’s Supreme Allied Commander.

DC Leaks notes that Soros is “named as the architect and sponsor of almost every revolution and coup around the world for the last 25 years.” In a Facebook post, the site reported that the hacked documents revealed Soros’s plans to support opposition movements in Ukraine, Russia, Georgia, Armenia, and other countries “where the United States desire to promote their interests.”

The most newsworthy Breedlove e-mails focused on the military commander’s back-channel attempts to gather support for a more aggressive U.S. stance against Russia in light of the military crisis in Ukraine. The balance of Breedlove’s e-mails, however, involve him exchanging correspondence with old Air Force buddies with call signs like Ghost, Cobra, Maggot, Tuna, and Horndog.

While the DC Leaks proprietors claim to be “American hacktivists,” the site includes some odd phrasings. Hillary Clinton is identified as “the most probable candidate for the President of the Democratic Party,” while a collection of campaign newsclips is described as “media reports from Hillary Clinton's electional staff.”

According to domain records, the dcleaks.com address was registered in mid-April via a small web hosting company in Romania. The site itself traces back to an IP address in Kuala Lumpur, Malaysia. In a series of e-mails over the past week, DC Leaks has corresponded with TSG via a Gmail account in the name of “Steve Wanders.”

Since being provided a password by “Guccifer 2.0,” TSG has monitored DC Leaks for further evidence that the site is being used as a cut-out for the cabal behind the DNC hacking and the “spear phishing” directed at Clinton campaign workers.

Late last month, DC Leaks added a new entry to its “Portfolio” of “latest leaks.” Next to a portrait of Hamilton, a photo of Rinehart appeared. Upon mousing over the image, the words “Protected: William E. Rinehart” emerged. Clicking on the photo brought a visitor to a sign-in page requiring a password

In an August 1 direct message to the DC Leaks Twitter account, TSG sought an opportunity to preview the Rinehart collection. In a reply two days later, DC Leaks wrote, “we could give you a password but we would like to have an article in TSG when the materials are published.” DC Leaks provided a password after TSG responded that it would do a story if a review of the documents proved them to be newsworthy.

An examination of the Rinehart e-mails showed that they spanned several years and contained the kind of mundane campaign details seen in the stolen Hamilton correspondence. The extent of campaign dirt, as it were, was limited to a March e-mail with the subject line “FYI-Oreos are now a political issue.” In the message, a Clinton staffer reported that a journalist visiting the campaign’s Honolulu office “noticed the Oreos in our office and brought this up to me.” This was an issue since Nabisco was moving its Oreo production from a 600-employee Chicago plant to Mexico. Since Clinton had criticized the plan, the e-mail noted, “let’s fall in line and pls refrain from keeping Oreos in plain sight in our office. #optics Mahalo!”

While the targeting of Rinehart (seen at right) and Hamilton apparently did not yield valuable e-mails or documents, the cyberthieves would have been able to copy scores of e-mail addresses--many for Clinton campaign workers. Those fresh addresses likely would have been sent “spear phishing” e-mails like the ones that tricked Rinehart and Hamilton.

When TSG contacted Rinehart earlier this month, he was unaware of the Gmail hack. Nor did he know that his photo was on DC Leaks and that the site had staged his stolen e-mails for future publication. At Rinehart’s request, TSG gave him the password provided to us by DC Leaks so that he could review the material lifted from his e-mail account.

While the spoofed March 22 alert looked on its face like a legitimate communication from Google, a TSG examination of the e-mail’s full header--a jumble of nearly 6000 characters--revealed that it had actually been sent to Rinehart from an e-mail account on Yandex.com, a Moscow-based e-mail provider.

The e-mail’s header also contained a shortened bit.ly link that took Rinehart to a phony Gmail log-in page when he clicked on the red “CHANGE PASSWORD” box in the message. The bit.ly link had condensed a 305-character url that included this string: “myaccount.google.com-securitysettingpage.”

The lengthy url included the .ml suffix, indicating that the domain used in the “spear phishing” operation was registered in the Republic of Mali. A review of the header by ThreatConnect found that the spoofed Gmail page was linked to an IP address in Germany. When the company’s researchers examined the German host, they found several other domains that were similar in structure to the one buried in the Rinehart e-mail. But instead of Mali, suffixes for Equatorial Guinea, the Central African Republic, and Tokelau, a remote group of South Pacific atolls, were seen.

As of this writing, the Rinehart e-mails on DC Leaks remain password protected. The site’s anonymous operators appear preoccupied with plans to upload additional Soros documents. In an e-mail sent yesterday from the DC Leaks Gmail account, the site gave TSG a Trumpian assurance about the new material: “it’s gonna be huge.”

Asked last week whether DC Leaks had any connection with the actors responsible for the DNC and Clinton campaign hacks, “Steve Wanders” replied, “We have our own sources. We have no connection to those leaks.” He also denied any ties to Wikileaks and declared that, “The wish to make our country better is our motivation. We are not afraid of being prosecuted. Let them try to find us :).”

In response to a TSG question about “Guccifer 2.0,” “Wanders” said, “We have no ties with this guy.”

In an August 8 exchange, TSG asked how DC Leaks could have no ties to “Guccifer 2.0” since he provided TSG with a password to the DC Leaks site. Not to mention the hacker’s account of providing DC Leaks with the Hamilton e-mails and the directions to maintain a “closed access” to the material.

The DC Leaks response was not convincing.

“We don’t know how Guccifer got this pass,” claimed “Wanders.” “But he is a hacker, you know. Maybe we need to change our passwords now :).” He later added, “Sure, we’ve heard about Guccifer’s activity but we aren’t in touch with this guy.”

* * *

While the e-mails and documents stolen from Soros and Breedlove have gotten some press coverage for DC Leaks, the site houses a hodgepodge of stolen e-mails offering fresh evidence of the scope and targets of the recent political hacking campaign.

A “portfolio” titled “The United States Republican Party” contains about 300 e-mails that were sent during a five-month period ending in late-October 2015.

A review of that correspondence shows that a wide variety of GOP e-mail accounts have been breached. The victims range from staffers for Senator John McCain’s campaign committee to a candidate running for State Senate in Virginia. Officials with four state Republican party organizations--Wyoming, Connecticut, Rhode Island, Illinois--had correspondence stolen. E-mails to the campaign committees of Senator Lindsey Graham, Rep. Robert Hurt, and former Rep. Michele Bachmann were also swiped. E-mails from Campaign Solutions, a leading Republican consulting firm, and the Stop Hillary PAC were pilfered.

None of the victims contacted by TSG--including the McCain campaign and the Connecticut GOP, were aware of the e-mail hacking.

Since it seemed unlikely that hackers would target such a wide array of individual Republican web sites and e-mail servers, TSG reviewed the DC Leaks “portfolio” in search of a common thread. That analysis revealed that the victimized campaigns, state parties, PACs, and businesses all contracted with the same Tennessee web hosting outfit.

The firm, Smartech, and its parent, AirNet Group, are major providers of data services, call centers, and web hosting for scores of Republican clients. Since the 2008 federal election cycle, the Republican National Committee has paid the companies more than $10.5 million, according to the Center for Responsive Politics. The firms have done work for a Who’s Who of GOP figures, including Karl Rove, Mitt Romney, George W. Bush, Newt Gingrich, and the Koch brothers.

A review of the domains on a single Smartech server in Chattanooga shows that nine of the sites whose e-mails were compromised are housed on that server. Oddly, that server also includes the web site for comedian Stephen Colbert’s

super PAC. Defunct since 2012, Americans for a Better Tomorrow, Tomorrow still maintains a home page with a photo of “Ham Rove,” its late “advisor and chief strategist.” 

Jeff Averbeck, Airnet’s CEO, did not respond to voicemail messages left by TSG, as well as an e-mail seeking comment on what seems to be a significant security breakdown at the company.

The firm’s web site notes that it understands “the delicacy of your data and importance of meeting your security comfort levels.” That delicate data is safeguarded, the company assures, with “security features including triple layered authentication, 24X7 monitoring, and re-enforced concrete walls, redundant power grids.”

It appears that “Guccifer 2.0” and his shadowy cohorts were not deterred by those really thick walls.