NEWS

Russians suspected of hacking local Dems

Paul Srubas
USA TODAY NETWORK-Wisconsin

GREEN BAY - County websites of the Democratic Party in the area have been under attack, at least one apparently by Russian hackers, an officer of the party says.

What appears to have been Russian hackers compromised the website of the 8th Congressional District Democratic Party as well as the sites of seven county Democratic party organizations, said Mary Ginnebaugh, who chairs the congressional district as well as the Brown County Democratic parties.

Russian hackers have been accused on the national level with interfering with the U.S. presidential election by getting into the Democratic National Committee’s website as well as that of the Democratic Congressional Campaign Committee in Washington.

While no one can prove beyond doubt that Russians also were involved in the local hack job, two hackers left “calling cards” with Russian email addresses on the local websites in an apparent gesture of contempt or braggadocio, Ginnebaugh said. Green Bay police were notified and have forwarded information to the FBI, she said.

Ginnebaugh said she was stunned when a computer security consultant told her that Russians may have been involved.

“It was ‘Wait a minute, we’re little bitty Green Bay, not some powerhouse,’” she said. “I was like, ‘Really?’”

The hackers may have been targeting the state site and stumbled onto the 8th Congressional District site, Ginnebaugh said. “We’re one letter off,” she said. “We’re wiscdems.com and the state is wisdems.com.”

The 8th Congressional domain name wiscdems.com serves as an umbrella for county democratic organizations within the district, Ginnebaugh said. Visitors can get to the individual sites from the umbrella site or vice versa. However, the sites are independent of the state and national sites, she said.

The Winnebago County Democratic Party first noticed a problem with its website in November, shortly after the election. People trying to get into that website were being abruptly redirected to some random website and couldn’t get to the party’s site, Ginnebaugh said.

Officers from the Winnebago County party, part of whose county lies in the 8th District, notified the 8th District party. Staff looked into it and determined the problem appeared to be isolated to the Winnebago County site, Ginnebaugh said.

But when technicians from the 8th District couldn’t fix it, they contacted Jane Benson of Main Jane Designs of Green Bay. Benson is a web designer and does online marketing, but she also often works as an IT consultant for the local Democratic parties.

Benson found the problem was wider than 8th District staffers thought. Seven county sites, including Brown County’s, and the umbrella site all were compromised, Benson said. Aside from Winnebago County noticing the problem with its link, they also were notified by Google that their searches were revealing a corruption. Google demanded the corruption be fixed or the site would be blacklisted from Google searches.

Shawano, Marinette, Oconto, Kewaunee and Calumet county party sites were hacked, as were Brown and Winnebago and the overall 8th district site, Ginnebaugh said. Door, Outagamie, Menominee and Waupaca counties were not affected.

No clear answer

At Benson’s direction, the party hired Sucuri, an internationally known cyber security company. It cleaned their sites of all malware and took a variety of other protective steps, Benson said.

All websites are made up of code that often turns out to have a security weakness that can make a website vulnerable, Benson said. Patches are sent out and administrators must update each website to keep it protected. With the election over and the holidays in full gear, people were on vacation, few were visiting the websites and attentiveness apparently lapsed, allowing hackers to get back in, Benson said.

“Somehow, somebody was able to disable one of the Sucuri security features on the wiscdems.com website,” Benson said. “There’s an expectation that the plugins and platform code will be updated, and if they're not, it can leave an opening for hackers to get in.”

Two new users showed up as registered administrators of the website: larisa@steamreal.ru and ewartumba@mail.ru. The “.ru” suffix indicates a Russian origin, Benson said. The profile pages of the users had characters in the Russian alphabet in "Address" and "About Me" fields, she said.

Code was entered, apparently through a back door, to add two registered users, but the website is set up to automatically block new registrants, so the intruders could do no damage. "It's not clear how they got there," Benson said.

A screenshot of Russian characters found in a user profile on a 8th Congressionl District Democratic Party computer.

The intruders could just as easily have removed all trace of having been there and just backed quietly out, but they chose to leave their names “as if to say ‘we can get in whenever we want,’” Benson said.

She said she can’t say whether Russians were really involved or whether the addresses could have been faked by someone mimicking a connection based on what had been in the news. But it was important that police and the FBI become involved, to “make this information part of the body of information police and the FBI are compiling from the national investigation,” she said.

A call to Green Bay police detectives was not returned Monday.

Benson said it was important for the public to know the hackers did not succeed in “harvesting information,” that breaches in the sites have been repaired and that everything is being professionally monitored to keep it secure.

Ginnebaugh said the state Democratic Party also has been notified and would presumably be passing the information on to national levels.

psrubas@pressgazettemedia.com and follow him on Twitter@PGpaulsrubas

Ginnebaugh