Hackers that targeted a Democratic senator up for reelection this year may have left behind clues in their attack that further suggest Russian involvement.
The office of Claire McCaskill, a Missouri senator, was targeted in an apparent targeted phishing attack from a fake Microsoft domain that the software giant later seized pursuant to a court order. The Daily Beast reported that a then-McCaskill staffer was the target of the attack, which was attributed to hackers linked to Russian intelligence — largely because the effort was similar to the phishing attack on Hillary Clinton’s campaign chair John Podesta, whose account was successfully breached and emails were shared with WikiLeaks.
Now, new research suggests that the phishing page used in the McCaskill attack contains language-specific code references that lends further credence that Russian hackers were involved.
When the hackers built the phishing page used to trick the McCaskill staffer, they scraped the code from a legitimate Microsoft login page that staff would use to log into their network. That code included a browser-generated link of the original web page that was scraped, the research said. That link appended a language marker at the end which varies depending on which country the user is located in the world — such as “gb” for the UK, or “fr” for France.
Because the language tag was “ru”, which researchers say shows that the code was likely scraped from a user in Russia.
Yonathan Klijsnma, threat researcher at RiskIQ, said in a blog post that in many cases hackers won’t build a phishing page from scratch but will simply copy and save the page it’s trying to imitate. In doing so, any saved language tags embedded in the code “can be a crucial clue in connecting operators with their malicious campaigns.”
Klijsnma said these tags are often overlooked by the hackers. That which resulted in a sloppy phishing page that was saved by RiskIQ’s vast internet crawling operation.
Although McCaskill, a vocal Russia critic, confirmed the “unsuccessful” attempted hack in a press release in July that she attributed to Russia, a spokesperson for McCaskill declined to comment further when reached Wednesday prior to publication.
In an additional twist, Klijsnma also found that the same Russian hackers also targeted reporter Serhiy Drachuk, whose work has long criticized of the Russian regime. Code from the page that was used in the McCaskill phishing attempt contained leftover references to the journalist’s work email address, which was previously accessed by the hackers.
We reached out to Serhiy Drachuk for comment, but did not hear back by the time of writing.
It’s the latest in a long string of cyberattacks and phishing efforts to target US political institutions before and during the 2016 presidential election and later. Just this week, Democratic National Committee officials said they thwarted an attempt to access their voter database. It comes hot on the heels of Microsoft’s announcement that it prevented a Russian-backed advanced persistent threat group known as Fancy Bear (or APT28) to steal data from political organizations.