The central website for President Donald J Trump’s 2020 reelection campaign was hacked for a brief period on Tuesday, with the attackers posting a cryptocurrency scam reminiscent of the Twitter breach in July. The website defacement only lasted for about 30 minutes and in itself was a fairly minor incident, but the hackers have also made unfounded claims about having access to a variety of Trump team devices and having found “secrets” that implicate the president in collusion with foreign powers to influence the election.
Trump website defacement resembles the Twitter attack
The website defacement took place on Oct 27, with the threat actors briefly attempting a cryptocurrency scam that calls to mind the takeover of celebrity accounts on Twitter this past July. However, the approach was a little different. Instead of pretending to be the president or a member of his team, the attackers openly admitted that the site had been hacked and solicited donations for doing so.
The hackers posted wild claims to the website insinuating that they had access to “internal and secret conversations” between the Trump team and some sort of unspecified foreign actors looking to interfere in the election. The hackers asked for a cryptocurrency donation as a prerequisite to sharing these alleged “secret communications,” providing a Monero address.
Monero is very commonly used by cyber criminals because of the extra layer of anonymity it provides: its design keeps the wallet addresses involved in a transaction hidden from public view on the ledger, so a payment cannot simply be traced by looking up the address.
Trump campaign communications director Tim Murtaugh issued a statement indicating that the website was not storing any sensitive data. He added that the campaign was “working with law enforcement authorities to investigate the source of the attack.” The website has been restored to normal function.
The nature of the cryptocurrency scam combined with the wild unfounded claims (which included an insinuation that the Trump administration had a hand in starting the coronavirus pandemic) would indicate that the Trump team’s statement is accurate and that the campaign website could not serve as a gateway to any sort of sensitive information. The cyber criminals also said that there would be a “deadline” after which the “secrets” would be revealed, but did not specify exactly when it was and have not resurfaced since their access to the site was removed. The hackers attempted to add credibility to their claims by posting a PGP encryption key, ostensibly for use with the later release of information, but the New York Times reports that the key corresponds to an email address registered to a website that does not exist.
Just a simple cryptocurrency scam, for now
While this website defacement appears to have been a rather amateur and clownish attempt to solicit donations, it comes at a time when the nation’s intelligence agencies and security personnel are on the highest possible alert for election interference.
Given this, it is surprising that seemingly amateur actors were able to penetrate a campaign website (even if it did not actually contain much of anything worth protecting). Evan Dornbush, CEO of Point3 Security, broke down what might have happened and why there might be some lingering risk from what otherwise appears to be a simple website defacement: “To start with, there are two ways to deface a website. The first is if the attacker can gain access to the website administrator’s credentials. This can be done by compromising that person’s devices, phishing, or a variety of other methods. The second is if the attacker can leverage a software weakness on the web server and exploit this in a way that allows the attacker to overwrite the legitimate contents with new web pages … Although the campaign has said that no data was stored on the site, two risks remain. The first is that there was in fact data stored, perhaps inadvertently – and servers have files. Perhaps there’s a donor file sitting around? Perhaps there are some files that have credentials used on other systems that will allow an attacker to continue to move to other Trump assets. The second risk is that again, if the attack came via a system administrator, then anything else that system administrator has access to is also at risk.”
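Whichever of the two routes an attacker takes, the observable result is the same: the content the site serves no longer matches what its owner published. A defacement that stays up for 30 minutes is caught faster with a content-integrity monitor than by waiting for visitors to notice. The following Python is added here as an illustration and is not code from the campaign, from Point3 Security or from this article; it compares SHA-256 digests of fetched page bodies against a baseline stored out of band, and on any page that fails the check it applies a secondary heuristic for a Monero-style address. The page bodies and the address are constructed samples, not real content or a real wallet.

```python
"""Defacement detection by content-hash baseline (added example, not the site's own tooling)."""
import hashlib
import re

# Constructed sample: the pages as served when the baseline was recorded.
BASELINE_SNAPSHOT = {
    "/": b"<html><body><h1>Campaign Home</h1><p>Donate today.</p></body></html>",
    "/about": b"<html><body><h1>About</h1></body></html>",
    "/shop": b"<html><body><h1>Store</h1></body></html>",
}

# Constructed placeholder with the shape of a Monero address (95 base58 chars,
# leading '4'); it is not a real wallet.
CONSTRUCTED_XMR_ADDRESS = "4" + "A" * 94

# Constructed sample: a later fetch in which only the front page was replaced.
LATER_SNAPSHOT = {
    "/": ("<html><body><h1>this site was seized</h1><p>send XMR to "
          + CONSTRUCTED_XMR_ADDRESS + "</p></body></html>").encode(),
    "/about": b"<html><body><h1>About</h1></body></html>",
    "/shop": b"<html><body><h1>Store</h1></body></html>",
}

# Heuristic only: a Monero main address is 95 base58 characters beginning with
# '4' (subaddresses begin with '8'). Used as a secondary indicator on pages
# that already failed the hash comparison, never as the primary signal.
MONERO_ADDRESS_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")


def digest(body: bytes) -> str:
    """SHA-256 of a served body; the baseline is a map of path -> digest."""
    return hashlib.sha256(body).hexdigest()


def build_baseline(snapshot: dict) -> dict:
    """Record one digest per path. Keep this off the web server itself, so an
    attacker who can rewrite pages cannot also rewrite the reference values."""
    return {path: digest(body) for path, body in snapshot.items()}


def indicators(body: bytes) -> list:
    """Secondary indicators found in a page that no longer matches its baseline."""
    text = body.decode("utf-8", errors="replace")
    found = []
    if MONERO_ADDRESS_RE.search(text):
        found.append("monero_address")
    return found


def check_snapshot(baseline: dict, snapshot: dict) -> dict:
    """Compare a fresh fetch with the baseline.

    Returns changed paths (with their indicators), paths that vanished, and
    paths that appeared without being in the baseline; 'clean' is True only
    when all three are empty.
    """
    changed = {}
    for path, expected in baseline.items():
        if path in snapshot and digest(snapshot[path]) != expected:
            changed[path] = indicators(snapshot[path])
    missing = sorted(p for p in baseline if p not in snapshot)
    unexpected = sorted(p for p in snapshot if p not in baseline)
    return {
        "changed": changed,
        "missing": missing,
        "unexpected": unexpected,
        "clean": not (changed or missing or unexpected),
    }


if __name__ == "__main__":
    reference = build_baseline(BASELINE_SNAPSHOT)
    print(check_snapshot(reference, LATER_SNAPSHOT))
```

In production the snapshot would come from periodic fetches through the public edge (so the monitor sees what visitors see, including a compromised CDN or reverse proxy), and any non-clean report would page an on-call responder rather than just print. Hash comparison catches every change, including ones that carry no scam text at all; the address regex only adds a label that helps triage.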
While Dornbush makes valid points about potential unforeseen security consequences, in general a campaign website would not be expected to be storing the sort of classified information that the hackers purported to have access to. The site does have a shopping and donations portal that could be compromised to obtain the sensitive personal and financial information of visitors, however. Questions have been raised about the cybersecurity standards in both the Trump re-election campaign and administration after a Dutch security researcher claimed to have guessed the president’s Twitter password (“maga2020!”), though Twitter has not verified that this has happened and reportedly has extra security steps in place for very high-profile accounts such as these. The president’s account was not among the VIP targets compromised during the July cryptocurrency scams on Twitter.
Though this website defacement bears all the hallmarks of an amateur squad getting lucky with some low-hanging fruit, American intelligence and law enforcement agencies have been warning that foreign actors will attempt to involve themselves with the 2020 elections in similar ways. The three most interested parties are expected to be Iran, Russia and China. While the clumsy attempt at a cryptocurrency scam makes it unlikely that it was state-sponsored hackers from any of those countries, Iran does have some history in specifically targeting Trump re-election campaign sites when they were first rolled out. The authoritarian regime is thought to prefer a Biden win in November in the hopes that it will eventually lead to the easing of sanctions against the country. China is also thought to prefer a Biden win, but has been more low-key and indirect about its attempts to intervene in the election thus far; the Washington Post is reporting that Beijing has thus far mostly limited its actions to disseminating propaganda through social media platforms. That was the preferred method of Russia in 2016, when it was widely believed to support Trump’s election, but experts believe the country is waiting until close to election day to strike at critical infrastructure over the internet rather than anything as trivial as website defacement or cryptocurrency scams.