A new report from the Associated Press suggests Russian hackers deliberately attempted to infiltrate Hillary Clinton’s private email server, realizing the worst fears that critics of the server have held for months. But the story presents no evidence that any human being, Russian or otherwise, ever deliberately and knowingly attempted to hack into Clinton’s account. She just got spam, like all of us do.
The AP’s headline reads “Russia-linked hackers tried to access Clinton email.”
Russia-linked hackers tried at least five times to pry into Hillary Rodham Clinton’s private email account while she was US secretary of state, emails released Wednesday show.
As the news trickled down to other outlets, it became even more alarming: Politico said “Hackers targeted Hillary Clinton’s email account,” while NBC News blared “Hackers Tried to Access Clinton’s Private Email at Least 5 Times.” This suggests that a scheming team of evil hackers based in Russia knew of the existence of a private Clinton email account, and then sought to target Clinton using “hacking techniques,” however the popular imagination now conceives of that. This wasn’t a drive-by email phishing, the stories suggest, but a premeditated plot to hack the secretary of state.
But there’s absolutely zero evidence that such a plot existed. The AP story—and it should be noted that the AP has done some groundbreaking and excellent reporting on the Clinton email beat—is based on a series of spam emails from the inbox of Clinton’s off-the-books account released yesterday by the State Department. The emails posed as traffic violation alerts from the City of New York, and directed Clinton to click on a link to pay a speeding ticket—the idea being that recipients irritated at the false accusation would click on the link to investigate, launching a malware package that would surreptitiously infect their computer.
In 2011, people all over the planet were getting precisely the same malware spam bundle (identified by Sophos as Mal/ChepVil-A/Troj/Invo-Zip), prompting MSNBC and others to warn users about the phishing scam.
Despite the geographical specificity of the scam, whoever is behind it is spreading it far and wide; Sophos’ Facebook page contains comments from people in California, Thailand, Scotland, England and Australia who’ve received the phony ticket email.
“Got the email today,” wrote Iain Wilson. “Since I live in Asia and have not been in NY in 18 years I laughed, assumed viral and deleted.”
Given how vastly the phishing attack had propagated, it’s hard to conclude that the emails in Clinton’s inbox were the work of anyone targeting the Clintons (let alone someone who even knew Clinton’s private server existed). There’s no evidence that Russian hackers tried to do anything—emails like this are blasted out to email addresses through completely automated means. Once a computer is infected, the malware scrapes its address book and blasts a new version of itself out to everyone on it. The evidence does suggest that someone with Clinton’s private email address was compromised, but not that the people who wrote the ticket-scam malware had any idea that Clinton was on the receiving end. You can’t try to target something when you don’t even know the target exists.
And besides, if Clinton’s email truly was in the crosshairs of a nefarious foreign actor, wouldn’t they try a phishing ruse that hadn’t become so played out that MSNBC was quoting Joe Blow off the street about seeing it? Or one that wasn’t based on a traffic ticket, something that Clinton—who hasn’t driven a car since 1996—would be at zero risk of getting?
None of which disputes the contention that Clinton’s email set-up was wildly insecure. But the AP’s framing—RUSSIANS TARGETED HILLARY—is the sort of story that Clinton’s defenders can handily use to make her critics seem like wild-eyed conspiracists. What, it’s illegal to get spam now?
The AP’s eagerness to sell the email as a hot scoop led to this tweet from the news organization’s Twitter account, which mistakenly presents a wholly different story, for which there also is no evidence:
BREAKING: Emails show Russia-linked hackers tried at least 5 times to break into Clinton private server. — The Associated Press (@AP) September 30, 2015
The phishing emails were designed to hack the device that Clinton opened her emails on, not the private server that directed the emails to that account.
When I emailed AP investigations editor Ted Bridis about the story, he directed me to an FAQ sent out by the AP, which starts to back away from the overzealous headline:
WERE THE HACKERS FROM RUSSIA?
It’s easy for hackers to disguise their origins. Security researchers determined that some of the malicious software sent to Clinton in 2011 communicated with rogue servers in Russia, but that doesn’t necessarily mean Russian hackers were behind the plot. The rogue servers appear to be no longer operating. The hackers responsible were never identified or captured.
WAS CLINTON HERSELF TARGETED BY THE HACKERS?
So many Internet users were receiving the same speeding-ticket ruse that New York State police and others began openly warning about the ploy as early as June 2011, two months before Clinton received the messages. But it’s still a significant mystery how the hackers knew to send emails to Clinton’s private server address she used for State Department business, since in 2011 it was still a secret email address to most of the world. Roughly two years later, the email account belonging to an informal adviser to Clinton, Sidney Blumenthal, was hacked by a Romanian, Marcel-Lehel “Guccifer” Lazar, who is serving a seven-year prison sentence. Emails released from that hack in 2013 included the first public references to Clinton’s private email address.
Emphasis added. Clinton’s account was a secret to “most of the world,” but certainly not all of it. For this malware to reach HDR22@clintonemail.com, all it would take is a single email account that had sent or received an email from that name, and it’d be scraped and spammed alongside all the others. A June 2011 email between State employees shows just how many were using private email accounts for Department business—any single one of those could’ve been a point of failure:
In the same thread, longtime Clintonian counsel Cheryl Mills said she already had been the victim of an attempted breach:
Maybe she’d been a calculated target of Putin’s SVR RF cyber marauders. Or maybe she clicked on a fake email about a fake speeding ticket.