24 September 2018

Russian Hackers Aren’t the Only Ones to Worry About

Eli Lake

Eli Lake is a Bloomberg Opinion columnist covering national security and foreign policy. He was the senior national security correspondent for the Daily Beast and covered national security and intelligence for the Washington Times, the New York Sun and UPI.

On the surface, John Podesta and Elliott Broidy are not at all alike. Podesta chaired Hillary Clinton’s presidential campaign, whereas Broidy was a major fundraiser for Donald Trump. Broidy is a businessman who has long been on the outskirts of national politics. Podesta, a former White House chief of staff, is the consummate Washington insider.

And yet Broidy, like Podesta, looks to be the victim of a new kind of political warfare: state-sponsored hacking and leaking. Governments have been spying on foreigners since the dawn of war. Until recently, however, they kept most of the details to themselves. That changed in 2014, when the Russian government intercepted a phone call between two senior U.S. diplomats discussing the Ukrainian government after a popular uprising and posted a recording of it on the internet. Podesta’s privacy was violated when his emails were pilfered by Russian operatives and distributed in 2016 through fake websites and WikiLeaks.

In Broidy’s case, his lawyers say, the hacker and leaker is Qatar. As with Podesta, his emails were hacked through a technique known as phishing. Emails sent to Broidy and his assistant were made to look like they came from legitimate sources such as Google or the BBC, but directed them to fake sites that captured their passwords and log-in credentials. And, just as the Podesta hack was only one facet of a more complex scheme, Broidy’s lawyers now say they have uncovered a much wider operation than previously known.

Broidy gained some notoriety last spring after The Associated Press reported about his efforts to influence U.S. foreign policy away from Qatar. Those stories were based on Broidy’s emails, and Broidy later sued Qatar in federal court, charging that it had hired a consulting firm that specializes in cybersecurity, Global Risk Advisors, to coordinate the hacking campaign.

Last month, the judge threw the case out, ruling that the court lacked jurisdiction. And representatives of both the government of Qatar and Global Risk Advisors have denied their involvement in the hack of Broidy’s email account, with a lawyer for the consulting firm telling me that his lawsuit was “baseless” and its allegations “totally false.”

Nevertheless, last month’s decision does not address the substance of Broidy’s charges, and his lawyers have uncovered some compelling details in their investigation. They began by issuing subpoenas to TinyURL, a company that shortens lengthy web addresses into more manageable texts, which was used in the phishing attack to obscure the fake website’s real address. Broidy’s lawyers uncovered first the fake website that collected Broidy’s password and log-in information. Then they issued subpoenas for every website created by the TinyURL user who made the phishing websites that snookered Broidy.

It turned out to be a gold mine. Eventually a team of specialists was able to uncover both a pattern of phishing and a list of other email accounts — more than 1,000 — that they say were compromised by the same kind of phishing attack. Broidy’s lawyers claim that these hackers had been conducting phishing attacks since at least 2014. The alleged victims range from Syrian human rights activists to Egyptian soccer players (Qatar will host the World Cup in 2022). They include celebrity Rabbi Shmuley Boteach and his wife, Debbie; the Egyptian billionaire Naguib Sawiris; and Mouaz Moustafa, a U.S. citizen who is the executive director of the Syria Emergency Task Force.

For the most part, the hackers used virtual private networks to mask their IP addresses. In a couple instances, however, they did not — and the addresses linked back to the internet service provider, Ooredoo, which is majority-owned by Qatari government agencies.

Usually phishing operations are interested in bank accounts or identity theft. In this case, the project looks like it was designed to yield political intelligence of interest to the Qatari government. Broidy himself has had close ties to Qatar’s Gulf rivals, the United Arab Emirates and Saudi Arabia.

The scale of the operation, as well as the targets, suggests this was a state operation. “The extent and volume of information that they were able to obtain in these subpoenas goes beyond the capabilities of an individual,” said Sam Rubin, a vice president of Crypsis Group, a cybersecurity firm, who has seen the research conducted by Broidy’s lawyers. “It’s set up in a systematic manner, to be shared by what appears to be a team.”

Broidy’s theory of the case is that this team was working for the government of Qatar. His litigation has produced damning evidence in this regard. But the significance of this lawsuit bears on more than the reputation of a once-obscure Republican fundraiser. It shows how nations are copying Russia by merging traditional espionage with information warfare. That’s not a problem for just Elliott Broidy. It’s a problem for all of us.
