Attack on DNC Part of Simulated Phishing Test

UPDATED. A recent phishing attack aimed at the Democratic National Committee’s voter database was actually part of a simulation, researchers and representatives of the Democratic Party confirmed.

Cybersecurity firm Lookout this week came across a custom phishing website apparently aimed at the Democratic National Committee (DNC), specifically its VoteBuilder service.

The phishing site mimicked a login page of NGP VAN, a technology provider for the Democratic Party, and was hosted by DigitalOcean.

Lookout immediately notified the DNC, NGP VAN and DigitalOcean, and the phishing page was removed within hours, before any credentials were compromised. The FBI was also informed and an investigation was launched.

However, after further analysis, the DNC now believes the fake website was actually created by a third-party as part of a “simulated phishing test on VoteBuilder.”

“The test, which mimicked several attributes of actual attacks on the Democratic party’s voter fil­e, was not authorized by the DNC, VoteBuilder nor any of our vendors,” explained Bob Lord, the DNC’s chief security officer.

“There are constant attempts to hack the DNC and our Democratic infrastructure, and while we are extremely relieved that this wasn’t an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks,” Lord added.

Mike Murray, who leads Lookout’s intelligence team, confirmed that it was a false alarm.

“The thing about ‘false alarms’ is that you don’t know that they’re false until you’ve showed up to investigate,” Murray said on Twitter. “All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible.”

According to PCMag tech reporter Michael Kan, the phishing test was actually commissioned by the Michigan Democratic Party, but without authorization from the DNC.

SecurityWeek has reached out to the Michigan Democratic Party for comment and will update this article if the organization responds.

“I would […] not call this a TEST as the phishing attempt was being conducted on a live production system against real people,” Joseph Carson, chief security scientist at Thycotic, told SecurityWeek. “The positive side is that newer technology is helping organizations identify such threats earlier however, this did raise a major issue to attribution and the source of the hacks because as we know, many cyberattacks utilize third party vendors,”

“I would actually handle this incident as an attempted cyberattack since the DNC has confirmed it was not authorized or approved so therefore a full incident and digital forensics process should be carried out even though it was a so-called test,” Carson said.

UPDATE. The Michigan Democratic Party has confirmed for SecurityWeek that this was in fact a test conducted by its partners. MDP Chair Brandon Dillon provided the following statement:

“We have taken heightened steps to fortify our cybersecurity – especially as the Trump Administration refuses to crack down on foreign interference in our elections. In an abundance of caution, our digital partners ran tests that followed extensive training. Despite our misstep and the alarms that were set off, it’s most important that all of the security systems in place worked. Cybersecurity experts agree this kind of testing is critical to protecting an organization’s infrastructure, and we will continue to work with our partners, including the DNC, to protect our systems and our democracy.”

Related: Russian Hackers Breach US Democratic Committee Database

Related: Microsoft Disrupts Election-Related Domains Used by Russian Hackers