WASHINGTON — FBI agents in California and Washington, D.C., have investigated a series of cyberattacks over the past year that targeted a Democratic opponent of Rep. Dana Rohrabacher (R-CA). Rohrabacher is a 15-term incumbent who is widely seen as the most pro-Russia and pro-Putin member of Congress and is a staunch supporter of President Trump.
The hacking attempts and the FBI’s involvement are described in dozens of emails and forensic records obtained by Rolling Stone.
The target of these attacks, Dr. Hans Keirstead, a stem-cell scientist and the CEO of a biomedical research company, finished third in California’s nonpartisan “top-two” primary on June 5th, falling 125 votes short of advancing to the general election in one of the narrowest margins of any congressional primary this year. He has since endorsed Harley Rouda, the Democrat who finished in second place and will face Rohrabacher in the November election.
Cybersecurity experts say that it’s nearly impossible to identify who was behind the hacks without the help of law enforcement or high-priced private cybersecurity firms that collect their own threat data. These experts speculate that the hackers could have been one of many actors: a nation-state (such as Russia), organized crime, so-called e-crime or a hacktivist with a specific agenda. The FBI declined to comment.
Kyle Quinn-Quesada, who was Keirstead’s campaign manager, tells Rolling Stone that the campaign is now going public about the attacks for the sake of voter awareness. “It is clear from speaking with campaign professionals around the country that the sustained attacks the Keirstead for Congress campaign faced were not unique but have become the new normal for political campaigns in 2018,” Quinn-Quesada says. He added that the Keirstead campaign did not believe the cyberattacks had an effect on the primary election results.
The timing of the attacks is significant. Last month, Director of National Intelligence Dan Coats said the warning lights for future cyberattacks aimed at the U.S. were “blinking red.” A week later, a senior Microsoft executive said that Microsoft had identified and helped block hacking attempts aimed at three congressional candidates during the 2018 midterms. The executive declined to name those candidates, but the Daily Beast reported that the Russian intelligence agency responsible for the cyberattacks in 2016 had attempted to hack the office of Sen. Claire McCaskill (D-MO), who is running for reelection this year. (A Microsoft spokesperson declined to say if Keirstead was one of three people targeted by hackers, citing “customer privacy.”) Just last week, Sen. Bill Nelson (D-FL) said that Russian hackers had “penetrated” county voting systems in Florida.
Rep. Rohrabacher is arguably the most ardent supporter of the Russian government and its leader, Vladimir Putin, in Congress. He has voted against Russian sanctions and was once warned by the FBI that Putin’s government was trying to recruit him as an asset. More recently, drawing on information provided by Russian officials, he sought to remove the name of Russian anti-corruption activist Sergei Magnitsky from the Global Magnitsky Act, a U.S. law that permits sanctions on foreign officials who engage in human rights abuses or acts of corruption. And unlike many of his Republican colleagues, Rohrabacher refused to criticize President Trump for not raising the issue of Russia’s interference in American elections during his press conference last month with Putin. Rohrabacher’s campaign did not respond to requests for comment.
The hacks on Keirstead began in August 2017 with a spear-phishing attempt — a fake email intended to deceive the recipient into typing in his or her password or other confidential information — sent to Keirstead’s work email address. The phishing attempt was successful — Keirstead thought it was a legitimate Microsoft Office message and entered his password before quickly realizing the message was fake and having his company take measures to secure their email system. (Keirstead had used his work account for campaign purposes, emails show.) This was similar to the phishing attack on Hillary Clinton campaign chairman John Podesta that later resulted in the release of thousands of Podesta’s personal emails.
In December, the cyberattacks on Keirstead took a different form: a sophisticated and sustained effort to hack into the campaign’s website and hosting service.
Campaign officials detected repeated attempts to access the campaign’s website, Hansforca.com. Hackers or bots tried different username-password combinations in a rapid-fire sequence over a two-and-a-half-month period to get inside the campaign’s WordPress-hosted website. According to the campaign, there were also more than 130,000 so-called brute force attempts over a month-long period to gain administrator access to the campaign’s server via the cloud-server company that hosted the Keirstead campaign’s website.
In January, according to the campaign’s digital consultant, there were also several attempts to access the campaign’s Twitter account by unknown users. And later that same month, Keirstead’s company was briefly hacked again, according to campaign emails and interviews.
While the spear-phishing attack targeting Keirstead’s work account was successful, none of the attempts to gain unauthorized access to the campaign’s website, hosting company or Twitter account were effective, according to the campaign emails.
Quinn-Quesada, Keirstead’s campaign manager, informed the Democratic Congressional Campaign Committee and the FBI about the August spear-phishing message. He also told the DCCC about the attacks on its website and server several months later. According to campaign emails, news of the various cyberattacks — beginning with the initial spear-phishing incident — quickly reached the DCCC’s top IT executive and the organization’s chief of staff, who reports directly to DCCC Chairman Rep. Ben Ray Luján of New Mexico. The DCCC relayed the information to the FBI, according to campaign officials. (The DCCC declined to comment.) After the brute-force attacks last winter, the FBI contacted the Keirstead campaign.
Two agents based in California met with Quinn-Quesada in late January, according to the emails. Quinn-Quesada wrote in an email to his staff that the two agents said they were assisting with an investigation into the past and present hacking of political campaigns and committees. The campaign told the two agents about the successful and attempted hacks of Keirstead’s email, website, hosting service and Twitter account. Soon afterward, an FBI special agent based in Washington contacted the campaign’s digital consulting firm, Veracity Media, and requested a meeting. A team of FBI employees visited Veracity Media’s office and collected reams of forensic data about the attempted hacks.
Ed McAndrew, a former federal cybercrime prosecutor who now leads the privacy and data security group at the law firm Ballard Spahr, tells Rolling Stone that the FBI’s request for information suggested the bureau was taking the attacks on the Keirstead campaign seriously. “That’s fairly comprehensive in terms of an initial list of things you would want if you were looking to investigate unauthorized access to a web server,” McAndrew says. “They weren’t short-arming; those were real requests.”
McAndrew, who spent nearly a decade investigating cybercrime, said the FBI would likely take that information and run it through various criminal and intelligence databases. They would look for IP addresses, browser information and various types of software operating systems that matched those used by nation-state actors, organized crime or hacking syndicates.
He added that it’s not uncommon for federal law enforcement to conduct a cybercrime investigation and not inform the victims of the findings. “This is the constant tension between helping members of the public and maintaining confidentiality around intel sources and methods,” McAndrew says.
Quinn-Quesada tells Rolling Stone that the FBI never told him or anyone else on the campaign if it had identified who was behind the cyberattacks.
He says the accounts he’s heard from fellow political operatives about cyberattacks and other suspicious online activity grow more common by the day. “The targets aren’t just high-profile statewide candidates or elected officials,” he says. “Individual congressional campaigns are being targeted on a regular basis.”
By Andy Kroll