On Tuesday, the alarm bells went off at the Democratic National Committee. Someone was trying to hack the organization, specifically targeting its voter database. Speculation followed: Was it the Russians again?
A bit over two years ago, Russian intelligence officers broke into DNC servers. At the time, the political organization came out publicly and revealed the hack, in an apparent attempt to not just be transparent but also to call out what it thought was part of a coordinated attempt to influence the 2016 US presidential elections.
That's not what happened on Tuesday. As it turns out, the phishing attempt was actually set up by the Michigan Democratic Party as a simulation—what’s known in infosec circles as a “pen test” or “red team exercise.” Somehow, the DNC mistook this test for a real attack.
In other words, in trying to test its own security, the DNC set off a false alarm. This is not a great look for the DNC. Two years after it was actually hacked by Russia, and months before a crucial midterm election, the organization seems disorganized, crying wolf when there's no real attack. But for some, the false alarm is good news. Not just because the DNC didn’t get hacked and caught the friendly hackers, but also because the fake phishing attempt was so convincing it fooled their own people, showing a renewed commitment to avoiding past mistakes in keeping its computers secure.
According to chief financial officer at CyberGRX Jonathan Simkins, who has been involved in managing several pen tests, “red teaming” or a phishing test isn’t just about successfully hacking the target and stealing data or some other security-specific outcome; it’s also about stress-testing non-technical parts of the organization
“You want to test how the entire organization reacts, including incident response and PR. If they jump the gun before doing a quick internal check (or the checks fail), you just learned something actionable,” Simkins told Motherboard in an online chat. “Now you know a protocol needs to be inserted somewhere in the chain to check internally for testing activity, or, if it exists, the protocol needs to be strengthened.”
Mike Murray, the vice president of security intelligence at Lookout, the firm that discovered the phishing site, praised the effort.
“The thing about 'false alarms' is that you don’t know that they’re false until you’ve showed up to investigate,” he tweeted on Thursday. “All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible.”
Basically, the DNC failed at internal communication, and perhaps at jumping to conclusions a bit too quickly. In the aftermath of the false alarm, the chief security officer of the DNC told Politico that state parties will now be required to notify the national organization before launching pen tests or other exercises.
It's easy to see this false alarm event as yet another fumble from the DNC and Democrats in general, who have lost controlling power in every branch of government and who are fiercely and rightfully criticized by their own voters. But what happened on Tuesday, in addition to being a public relations nightmare, shows that the DNC is actually implementing good cyber security standards.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet.