Documents show Clinton server was plagued by breach attempts

A cybersecurity firm responsible for protecting Hillary Clinton’s private server received more than 50 incident reports triggered by unusual activity logged by her network’s firewall, according to documents reviewed by the Washington Examiner.

Some, though probably not all, of the 53 incidents are likely to have been triggered by foreign IP addresses representing hackers. Those addresses originated in countries that had already been suspected of trying to hack into Clinton’s network, including China, Germany and South Korea. What has not been known is the number of times Clinton’s network was targeted.

The incident reports, which range from October 2013 through December 2014, were provided to congressional investigators by SECNAP Network Security Corporation and obtained by the Examiner. They illuminate the cybersecurity issues Clinton’s server faced, and indicate anomalous cybersecurity events may have become nearly routine for the firms contracted to maintain the private system.

It is not known whether Clinton’s server was breached over the course of any of the 53 newly-disclosed incidents. Some of the incidents are likely to have been caused by outdated software on Clinton’s network, like JavaScript, resulting in false alarms.

But some successful breaches involving the network are excluded from the logs.

The events, logged by a SECNAP firewall known as “CloudJacket,” also became so commonplace that employees responsible for monitoring them began discussing the best method of shutting down at least some of the automatic notifications.

In an October 2013 email that followed 10 anomalous events over a 16-minute period, the manager for SECNAP’s security operations center, John Meyer, jokingly raised the issue with Paul Combetta, an IT specialist responsible for watching notifications.

“I was going to wait until Saturday night to call you on this, but figured I’d just do it now,” Meyer said in a Monday message, adding a smiley face. “Seriously though, I can whitelist [the IP address causing the anomalous activity]. That will completely and totally ignore any traffic to and from that subnet.”

“Be advised though, this may not be the best course. For example, if your management network is breached and starts attacking [Clinton’s] network,” he added. “Typically I’d highly recommend we watch all networks as closely as possible, however, I know this particular client may be different.”

Meyer did not say what made Clinton’s situation unusual. Clinton’s campaign did not return a request for comment.

Combetta, who received an immunity agreement from the FBI in exchange for information about his role in the scandal surrounding Clinton’s server, became the subject of renewed controversy in September when it was revealed he sought advice on the Internet forum “Reddit” for help managing Clinton’s emails in July 2014.

Combetta told investigators he was only trying to strip Clinton’s personal email address out of messages on the server. However, he later deleted them entirely using a program called BleachBit, software aimed at facilitating “bit” deletion necessary to permanently destroy data.

The documents don’t reveal information about breaches, but some known breaches have happened. It was revealed by FBI notes released in September that the server was penetrated at least once by someone using a Tor browser, which masks a user’s IP address, on Jan. 5, 2013, a month before Clinton left office. That incident is not included in the logs. While that software could be used by a foreign government, it is more commonly associated with criminal elements.

Datto, a tech company retained to handle backups for Clinton’s server, disclosed in October 2015 that it had been previously hacked by a “white hat” hacker who informed the company it was vulnerable. That event was similarly excluded from the log of incidents involving Clinton’s firewall.

The documents show Clinton’s server was unprotected from June 2013 until October of that year, when Clinton’s main tech firm, Platte River Networks, contracted SECNAP to provide security.

Clinton’s term as secretary of state ended in February 2013, but she retained more than 60,000 messages from her time in the position on the server after leaving office. The Romanian hacker known as Guccifer discovered Clinton’s personal email address in March 2013, resulting in its publication.

Guccifer, also known as Marcel Lazar Lehel, claimed to have successfully breached the server itself. He withdrew that claim after his extradition to the United States and questioning by the FBI.

A September report indicated congressional intelligence sources believe Guccifer’s retraction might have been false, and that information he managed to acquire from Clinton’s server could have been stolen by foreign intelligence agencies.
