• Monday, May 06, 2024
BusinessDay

Russian hacks show cybersecurity limits

To break into William Rinehart’s email account, hackers used old-fashioned trickery rather than a sophisticated cyberattack.

On March 22, Mr. Rinehart opened an email that appeared to be from Google, telling him that someone was trying to access his account from Ukraine. The email urged him to change his password immediately.

“I was a tad confused,” said Mr. Rinehart, a former staffer on Hillary Clinton’s presidential campaign who is now a director with the consulting firm Blue Rising. “I opened it and right when I clicked the link I had a bad feeling.”

Five months later, that bad feeling was confirmed. Someone dumped the contents of his Gmail account to a website called DC Leaks. Security experts believe that DC Leaks is run by hackers connected to the Russian government. The hack of Mr. Rinehart was earlier reported by the website The Smoking Gun.

For years, U.S. government officials have warned of a “cyber 9/11,” a catastrophic hacking attack that would bring down the electrical grid or cause death and physical destruction. Apparent Russian attempts to sow discord in the U.S. election highlight both the risks of more mundane attacks and a new weapon in information wars: the disclosure of hacked information to influence policy or public perception.

“We tend to over-militarize everything and spend our time looking for a cyber 9/11, and Russia completely went around us on it,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “Our doctrine is very much about protecting critical infrastructure, and their doctrine is about information warfare.

“They can’t take us on directly, so they figured out a way to take us on indirectly,” Mr. Lewis said.

Other disclosures from hacked email this year have revealed the transcripts of Hillary Clinton’s paid private speeches and efforts by Clinton allies to undermine the presidential campaign of Sen. Bernie Sanders. Most recently, hackers revealed emails from Clinton campaign Chairman John Podesta, also after tricking Mr. Podesta into clicking on a phony link.

Mr. Podesta didn’t reply to an email seeking comment. Google declined to comment on security incidents relating to users.

Computer-security firm SecureWorks said that hackers have tried to break into about 5,000 email accounts belonging to journalists, politicians, members of the Democratic National Committee and Mrs. Clinton’s campaign. U.S. government officials have accused Russia of orchestrating the attacks.

This type of attack, called “phishing,” has been around for years and doesn’t require a lot of technical knowledge, said Tom Finney, a senior security researcher with SecureWorks. The attack itself was simple, but it would take “some sophistication” to target 5,000 email addresses, Mr. Finney said.

About one in seven phishing attempts is successful, according to an April report by Verizon Communications Inc., which also said criminals, not state-sponsored hackers, are responsible for the vast majority of such attacks.

The attacks on Democratic political groups exploited basic problems in computer security. It isn’t possible to protect everything, said Jeremiah Grossman, chief of security strategy at anti-malware vendor SentinelOne, and “the bad guys will go after the weakest link.” Often, that is a person who succumbs to a targeted attack like the one that snared Mr. Podesta.

Cybersecurity experts say the vast majority of attacks rely on such well-known methods, not on novel attacks on previously unknown vulnerabilities called “zero day exploits.”

National Security Agency Deputy National Manager for National Security Systems Curt Dukes said at a talk in October that major recent attacks on government networks such as the Office of Personnel Management didn’t involve zero-day exploits. “Basically, the adversary took advantage of poorly secured, poorly patched systems,” he said.

But talking about “poorly secured systems” is less sexy than a “cyber 9/11.”

“People like to obsess about spies and they like to obsess about them being ultra-sophisticated,” said Matt Tait, a former Google security researcher and the founder of Capital Alpha Security Ltd. Recent successful attacks have been less sophisticated, he said. “They might go after zero days if phishing doesn’t work, but phishing is going to be the main way they go after you,” he said.

The recent attacks highlight another asymmetry in cybersecurity. The federal government is in charge of defense against conventional arms. But most defense against cyberattacks is left to private companies and individuals, who must secure their own systems and email accounts.

That may not be adequate when a foreign government is behind an attack because of the cost of good computer security and the complexity of the situation, said Mr. Lewis of the Center for Strategic and International Studies. He said the U.S. needs a new strategy to deal with Russia and information warfare. “The only people who are going to stop the Russians are the American government.”