WASHINGTON (Reuters) – The U.S. Federal Bureau of Investigation is investigating a cyber attack on the congressional campaign of a Democratic candidate in California, according to three people close to the campaign.
The hackers successfully infiltrated the election campaign computer of David Min, a Democratic candidate for the House of Representatives who was later defeated in the June primary for California’s 45th Congressional district.
The incident, which has not been previously reported, follows an article in Rolling Stone earlier this week that the FBI has also been investigating a cyber attack against Hans Keirstead, a California Democrat. He was defeated in a primary in the 48th Congressional district, neighboring Min’s.
Paige Hutchinson, Min’s former campaign manager, declined to comment. An FBI spokeswoman said the bureau cannot confirm or deny an investigation.
While both Min and Keirstead later lost to other primary challengers from their own party, the two closely-watched races are considered critical, competitive battlegrounds as the Democrats seek to win back Congress from Republicans in November.
It is unclear who was behind the attack against Min’s campaign, why it was carried out, and what the hackers did with any information they obtained. But details of the hack, described to Reuters by people with direct knowledge of the case, highlight the concerns of national security experts who fear that campaigns are woefully unprotected as the November mid-term elections approach.
It also illustrates how small political campaigns do not have the resources to protect themselves from cyber attacks. Few can hire computer security personnel.
“Political campaigns only exist for such a short amount of time,” said Blake Darche, a cyber security researcher and former National Security Agency analyst. “It takes years to build an effective security program at most corporations. Most political campaigns are only a single phishing email away from being breached.”
While national political parties offer training and software tools to help candidates, they typically do not provide them with financial support to hire computer security experts, even after a campaign believes it has been hit. Corporations often pay security experts more than $100,000 to investigate an attack, security experts say.
In late March, Min’s staff received a troubling notice from the facility manager where the campaign rented space in Irvine, California, said the people close to the campaign. The facility’s internet provider had identified unusual patterns of activity that could indicate a cyber attack on campaign computers.
The four-person campaign team had no in-house expertise to deal with the attack. Instead they enlisted the help of software developers with no ties to the campaign other than that they sat nearby in the same shared workspace that Min rented.
The software developers discovered that hackers had placed software into the computers of Min’s campaign manager and finance director that recorded and transmitted keystrokes. The hackers had also infected the computers with software that made it undiscoverable by the off-the-shelf anti-virus software used by the campaign staff.
The campaign immediately notified the Democratic Congressional Campaign Committee, the organization that assists the party’s candidates. The DCCC notified the FBI and gave the campaign advice on improving its security. It also provided it with secure messaging software for future use. Federal agents interviewed Min’s staff and carried off the infected computers.
Min’s tiny staff considered hiring a security firm to investigate the attack, but decided the $50,000 minimum price was unaffordable. The DCCC did not cover the costs of such a hire.
“The DCCC’s mission is to elect Democrats to Congress, and we spend the vast majority of our limited resources to do that,” a DCCC aide, who declined to named, said. “Despite that, the DCCC has gone far outside the scope of its mission to protect the committee and help campaigns protect themselves when it comes to cybersecurity.”
Ultimately, the campaign’s defense was limited to replacing the infected machines and a future commitment to using encrypted messaging apps. “Even $4,000 to replace those laptops isn’t easy to get,” said a person close to the campaign.
Reporting by Joel Schectman and Christopher Bing; Editing by Damon Darlin and Rosalba O’Brien