The government accounts of US Senator Claire McCaskill (and her staff) were targeted in 2017 by APT28 A.K.A. “Fancy Bear” according to an article published by The Daily Beast on July 26th. Senator McCaskill has since confirmed the details.
And many of the subsequent (non-technical) articles that have been published have focused almost exclusively on the fact that McCaskill is running for re-election in 2018. But is it really conclusive that this hacking attempt was about the 2018 midterms? After all, Senator McCaskill is the top-ranking Democrat on the Homeland Security & Governmental Affairs Committee and also sits on the Armed Services Committee. Perhaps she and her staffers were instead targeted for insights into ongoing Senate investigations?
Because if you want to target an election campaign, you should target the candidate’s campaign server, not their government accounts. (Elected officials cannot use government accounts/resources for their personal campaigns.) In the case of Senator McCaskill, the campaign server is: clairemccaskill.com.
Which appears to be a WordPress site.
Running on an Apache server.
And it has various e-mail addresses associated with it.
That looks interesting, right? So… let’s do some Google dorking!
Searching for “clairemccaskill.com” in URLs while discarding the actual site yielded a few pages of results.
And on page two of those results, this…
What is com.de? It’s a domain on the .de TLD (not a TLD itself).
Okay, so… what other interesting domains associated with com.de are there to discover?
How about additional US Senators up for re-election such as Florida Senator Bill Nelson? Yep.
Senator Bob Casey? Yep.
And Senator Sheldon Whitehouse? Yep.
But that’s not all. Democrats aren’t the only ones being spoofed.
And “Senate Conservatives”.
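As an added example (not code from the original post), here is a small defender-side check for the pattern shown above: a real domain pushed down under a foreign suffix such as com.de. Only clairemccaskill.com comes from the post; the second protected domain and the sample log lines are constructed.

```python
"""Flag hostnames that embed a protected domain under a different suffix,
the pattern seen with com.de (e.g. clairemccaskill.com.de).
The protected list (beyond clairemccaskill.com) and the log lines are constructed."""
from urllib.parse import urlsplit

# Constructed watch list: the campaign domains we want to protect.
PROTECTED = frozenset({"clairemccaskill.com", "example-campaign.org"})

def hostname_of(url_or_host: str) -> str:
    """Accept a bare hostname or a full URL; return the lowercase hostname, no trailing dot."""
    s = url_or_host.strip().lower()
    if "://" not in s:
        s = "//" + s            # let urlsplit treat a bare name as the netloc
    return (urlsplit(s).hostname or "").rstrip(".")

def spoof_match(host: str, protected=PROTECTED):
    """Return the protected domain that `host` impersonates, or None.
    Legitimate: host is the protected domain or one of its own subdomains
    (its labels end with the protected labels). Spoof: the protected labels
    appear as a contiguous run with further labels after them, i.e. the real
    name is sitting under somebody else's suffix (clairemccaskill.com.de)."""
    labels = host.split(".")
    parts = {dom: dom.split(".") for dom in protected}
    if any(labels[-len(d):] == d for d in parts.values()):
        return None
    for dom, d in parts.items():
        for i in range(len(labels) - len(d)):      # at least one label must follow
            if labels[i:i + len(d)] == d:
                return dom
    return None

LOG_LINES = [   # constructed sample, one hostname or URL per line (DNS/proxy-log style)
    "clairemccaskill.com",
    "www.clairemccaskill.com",
    "clairemccaskill.com.de",
    "https://www.clairemccaskill.com.de/login",
    "clairemccaskill.com.example.net",
    "example-campaign.org",
    "unrelated.example",
]

def scan(lines, protected=PROTECTED):
    """Return [(host, impersonated_domain)] for every line matching the spoof pattern."""
    hits = []
    for line in lines:
        host = hostname_of(line)
        dom = spoof_match(host, protected)
        if dom:
            hits.append((host, dom))
    return hits

if __name__ == "__main__":
    for host, dom in scan(LOG_LINES):
        print(f"{host} looks like {dom} under a foreign suffix")
```

Running it over real DNS or proxy logs would surface any hostname that carries a watched campaign domain as a prefix, without flagging the campaign's own subdomains.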
Hmm. Well, while we are no closer to knowing whether or not Senator McCaskill’s government accounts were actually targeted because of the midterm elections – the domains shown above are definitely shady AF. And enough to give cause for concern that the 2018 midterms are indeed being targeted, by somebody.
(Our research continues.)
Meanwhile, the FBI might want to get in touch with the owners of com.de.