Lawmaker: U.S. Senate, staff targeted by state-backed hackers | TribLIVE.com

The Associated Press
FILE - In this Aug. 1, 2018, file photo, Senate Minority Leader Chuck Schumer, D-N.Y., makes a phone call just off the Senate floor on Capitol Hill in Washington. Oregon Sen. Ron Wyden is proposing new legislation that would allow the Senate’s Sergeant at Arms to spend taxpayer money protecting senators’ private email accounts and personal devices amid persistent anxieties over the digital security of the American midterm vote. (AP Photo/J. Scott Applewhite, File)
FILE - In this April 30, 2015, file photo, a Capitol Hill staffer looks down at papers while on a cellphone while walking inside the Russell Senate Office Building on Capitol Hill in Washington. Oregon Sen. Ron Wyden is proposing new legislation that would allow the Senate’s Sergeant at Arms to spend taxpayer money protecting senators’ private email accounts and personal devices amid persistent anxieties over the digital security of the American midterm vote. (AP Photo/Jacquelyn Martin, File)
FILE - In this June 28, 2018, file photo, Sen. Ron Wyden, D-Ore., ranking member of the Senate Finance Committee, speaks during a hearing on the nomination of Charles Rettig for Internal Revenue Service Commissioner on Capitol Hill in Washington. Wyden is proposing new legislation that would allow the Senate’s Sergeant at Arms to spend taxpayer money protecting senators’ private email accounts and personal devices amid persistent anxieties over the digital security of the American midterm vote. (AP Photo/Jacquelyn Martin, File)
FILE - In this Feb. 4, 2015, file photo, Sen. Mike Enzi, R-Wyo., checks his phone as he arrives for a bipartisan lunch in the Kennedy Caucus Room on Capitol Hill in Washington. Oregon Sen. Ron Wyden is proposing new legislation that would allow the Senate’s Sergeant at Arms to spend taxpayer money protecting senators’ private email accounts and personal devices amid persistent anxieties over the digital security of the American midterm vote. (AP Photo/Susan Walsh, File)

Foreign government hackers continue to target the personal email accounts of U.S. senators and their aides — and the Senate’s security office has refused to defend them, a lawmaker says.

Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that “at least one major technology company” has warned an unspecified number of senators and aides that their personal email accounts were “targeted by foreign government hackers.” Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections.

Wyden did not specify the timing of the notifications, but a Senate staffer said they occurred “in the last few weeks or months.” The aide spoke on condition of anonymity because he was not authorized to discuss the issue publicly.

But the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts.

“This must change,” Wyden wrote in the letter. “The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays.” A spokeswoman for the security office said it would have no comment.

Wyden has proposed legislation that would allow the security office to offer digital protection for personal accounts and devices, the same way it does with official ones. His letter did not provide additional details of the attempts to pry into the lawmakers’ digital lives, including whether lawmakers of both parties are still being targeted.

Google and Microsoft, which offer popular private email accounts, declined to comment.

The Wyden letter cites previous Associated Press reporting on the Russian hacking group known as Fancy Bear and how it targeted the personal accounts of congressional aides between 2015 and 2016. The group’s prolific cyberspying targeted the Gmail accounts of current and former Senate staffers, including Robert Zarate, now national security adviser to Florida Sen. Marco Rubio, and Jason Thielman, chief of staff to Montana Sen. Steve Daines, the AP found.

The same group also spent the second half of 2017 laying digital traps intended to look like portals where Senate officials enter their work email credentials, the Tokyo-based cybersecurity firm TrendMicro has reported.

Microsoft seized some of those traps, and in September 2017 apparently thwarted an attempt to steal login credentials of a policy aide to Missouri Sen. Claire McCaskill, the Daily Beast discovered in July. Last month, Microsoft made news again when it seized several internet domains linked to Fancy Bear, including two apparently aimed at conservative think tanks in Washington.

Such incidents “only scratch the surface” of advanced cyberthreats faced by U.S. officials in the administration and Congress, according to Thomas Rid, a cybersecurity expert at Johns Hopkins University. Rid made the statement in a letter to Wyden last week.

“The personal accounts of senators and their staff are high-value, low-hanging targets,” Rid wrote. “No rules, no regulations, no funding streams, no mandatory training, no systematic security support is available to secure these resources.”

Attempts to breach such accounts were a major feature of the yearlong AP investigation into Fancy Bear that identified hundreds of senior officials and politicians — including former secretaries of state, top generals and intelligence chiefs — whose Gmail accounts were targeted.

The Kremlin is by no means the only source of worry, said Matt Tait, a University of Texas cybersecurity fellow and former British intelligence official.

“There are lots of countries that are interested in what legislators are thinking, what they’re doing, how to influence them, and it’s not just for purposes of dumping their information online,” Tait said.

In an April 12 letter released by Wyden’s office, Adm. Michael Rogers — then director of the National Security Agency — acknowledged that personal accounts of senior government officials “remain prime targets for exploitation” and said that officials at the NSA and Department for Homeland Security were discussing ways to better protect them. The NSA and DHS declined to offer further details.

Guarding personal accounts is a complex, many-layered challenge.

Rid believes tech companies have a sudden responsibility to nudge high-profile political targets into better digital hygiene. He said he did not believe much has been done, although Facebook announced a pilot program Monday to help political campaigns protect their accounts, including monitoring for potential hacking threats for those that sign up.

Boosting protection in the Senate could begin with the distribution of small chip-based security devices such as the YubiKey, which are already used in many secure corporate and government environments, Tait said. Such keys supplement passwords to authenticate legitimate users, potentially frustrating distant hackers.

Cybersecurity experts also recommend them for high-value cyber-espionage targets including human rights workers and journalists.

“In an ideal world, the Sergeant at Arms could just have a pile of YubiKeys,” said Tait. “When legislators or staff come in they can (get) a quick cybersecurity briefing and pick up a couple of these for their personal accounts and their official accounts.”
