Cyber Incident Victim: Claire McCaskill
Date: Aug 2017
Location: United States of America
Summary
Russian GRU hackers targeted a vulnerable Democratic Senator during her re-election campaign using a phishing technique resembling the 2016 attack on Clinton campaign officials. The attackers sent spoofed emails mimicking Senate password reset notifications, directing staffers to fraudulent login pages designed to harvest credentials. Microsoft disrupted the operation by seizing a malicious domain used in the campaign, redirecting traffic to prevent compromises. The Senator confirmed the attack was unsuccessful but condemned it as part of ongoing Russian cyber warfare against U.S. democracy. The incident underscored divisions within government regarding election interference threats, with intelligence officials warning of persistent Russian efforts while some administration figures downplayed immediate risks.
Description
In August 2017, Russian GRU intelligence operatives targeted Senator Claire McCaskill’s office during her 2018 re-election campaign using a phishing technique similar to their 2016 attack on Clinton campaign chairman John Podesta. The hackers sent forged emails to Senate staffers, falsely claiming their Microsoft Exchange passwords had expired and directing them to a counterfeit U.S. Senate Active Directory Federation Services (ADFS) login page. Each phishing email contained a unique link coded with the recipient’s email address, which displayed their address upon clicking to enhance the deception’s credibility. The fake domain "adfs.senate.qov.info" mimicked legitimate Senate infrastructure. Microsoft, leveraging a 2017 federal court injunction from Virginia against GRU hackers, seized control of the malicious domain in October 2017 and redirected traffic to a sinkhole server to monitor attempted access. Security firm Trend Micro later identified this domain as part of a Senate phishing campaign, with a September 26, 2017, snapshot revealing a McCaskill policy aide’s Senate email address displayed on the spoofed page. Microsoft Corporate Vice President Tom Burt confirmed the takedown prevented infections but did not name targets. McCaskill’s office stated the attack was unsuccessful, with no evidence of compromised credentials. The incident marked the first publicly identified Russian targeting of a 2018 midterm candidate.
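
The link pattern described above (the Senate name kept as labels under an unrelated registered domain, "qov" standing in for "gov", and the recipient's address coded into the link) can be checked for in mail-gateway or proxy logs. The following Python is an added example, not code from this report, Microsoft or Trend Micro; the function names, the confusable-character map, the sample address and the URL paths are constructed, and the address encodings it checks are assumptions.

```python
import base64
from urllib.parse import urlsplit, unquote

PROTECTED = "senate.gov"  # domain the defender actually owns
# Constructed, non-exhaustive map of characters often swapped in lookalike labels.
CONFUSABLE = str.maketrans({"q": "g", "0": "o", "1": "l", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def embeds_recipient(url, recipient):
    """True if the address appears in the link in plain, percent-encoded or base64 form
    (assumed encodings; the report does not say how the links were coded)."""
    decoded = unquote(url)
    token = base64.b64encode(recipient.encode()).decode().rstrip("=")
    return recipient.lower() in decoded.lower() or token in decoded

def classify(url, recipient=None):
    """Return the reasons a link matches the pattern; an empty list means no match."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == PROTECTED or host.endswith("." + PROTECTED):
        return []  # genuinely under the protected domain
    reasons, labels, n = [], host.split("."), PROTECTED.count(".") + 1
    for i in range(len(labels) - n + 1):  # slide over adjacent label groups
        window = ".".join(labels[i:i + n])
        if window == PROTECTED:
            reasons.append("protected-domain-as-subdomain")
        elif window.translate(CONFUSABLE) == PROTECTED or edit_distance(window, PROTECTED) == 1:
            reasons.append("lookalike:" + window)
    if reasons and recipient and embeds_recipient(url, recipient):
        reasons.append("recipient-in-link")
    return reasons

if __name__ == "__main__":
    who = "aide@senate.example"  # constructed address
    tag = base64.b64encode(who.encode()).decode()
    for link in ("https://adfs.senate.qov.info/adfs/ls/?u=" + tag,  # path and query constructed
                 "https://www.senate.gov/reset",
                 "https://senate.gov.example.net/login"):
        print(link, classify(link, who))
```

A link is only tagged "recipient-in-link" when the host has already matched, since legitimate mail systems also put addresses in URLs.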

The attempted breach occurred amid heightened concerns over election security, with McCaskill—a vulnerable Democrat in a Trump-won state—facing significant Republican opposition. McCaskill condemned the attack as part of Russia’s "ongoing, pervasive efforts to undermine our democracy," reiterating her characterization of Putin as a "thug and a bully." The incident followed Special Counsel Robert Mueller’s July 2018 indictment of 12 GRU officers for 2016 election interference and preceded a National Security Council meeting chaired by President Trump on midterm election vulnerabilities. Divisions emerged between Congress and the Trump administration regarding the threat level, with Senate Intelligence Committee warnings contrasting Homeland Security Secretary Kirstjen Nielsen’s downplayed assessment of Russian targeting. Congress had allocated $380 million for state election security earlier in 2018, with debates ongoing over additional funding. McCaskill’s prior involvement in the 2016 Podesta hack—revealed via WikiLeaks’ document release—and her decade-long criticism of WikiLeaks underscored her status as a persistent Kremlin target. Microsoft’s domain seizure exemplified private-sector countermeasures under court-approved mechanisms, while the absence of confirmed breaches reflected improved defensive coordination since 2016. The targeting highlighted continued Russian focus on politically consequential races and the operational overlap between GRU’s 2016 and 2018 tactics.
