On Wednesday, the Democratic National Committee was alerted by Lookout, a mobile security firm, about an apparent phishing campaign[1]. Someone had created a fake site that looked just like VoteBuilder[2], a DNC-managed database that contains years' worth of voter information. Were an unsuspecting DNC employee to give the fake site their username and password, a malicious actor could potentially steal sensitive data. Alarmed, the DNC notified the Federal Bureau of Investigation. But it turns out not to have been a foreign attacker at all. It was, instead, part of a previously undisclosed test, authorized by the Michigan Democratic Party.
Lookout had alerted the DNC as well as DigitalOcean—the server company hosting the imposter—within hours of the fake site going live. The incident was initially touted as a success: A cyberespionage campaign thwarted before any data was stolen. Now, it instead raises questions about how a covert phishing simulation could have taken an understandably guarded group totally unaware.
"The test, which mimicked several attributes of actual attacks on the Democratic Party's voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors," Bob Lord[3], the Democratic National Committee's chief security officer, said in a statement. "The party took the necessary precautions to ensure that sensitive data critical to candidates and state parties across the country was not compromised. There are constant attempts to hack the DNC and our Democratic infrastructure, and while we are extremely relieved that this wasn't an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks."
As a result of the incident, the DNC is crafting new rules for state parties and other campaign organizations that want to run cybersecurity exercises,