Donald Trump has more to worry about on Friday than just some silly pranks for April Fool’s Day: The Internet hacking collective Anonymous and its allies have promised April 1 will mark the launch of a “total war” on the Republican frontrunner that includes shutting down his websites and other attacks to “dismantle his campaign and sabotage his brand.”
A record of attacks over the past year suggests it’s no idle threat: In that time Trump has been hit by at least a half dozen embarrassing hacks that have included the defacing and spamming of his campaign and business websites, stolen credit card information from his hotel chain’s guests and the public release of his Social Security number. It’s unclear exactly what more the hackers intend to do on Friday or beyond that, but their warnings have been aggressive.
“We have more than enough knowledge and power on our team to do almost whatever,” a West Coast-based hacker who goes by the name Compiled told POLITICO earlier this week in an interview. He’s part of the group New World Hackers, which is allied with Anonymous and boasts of striking both the Trump hotel chain and the presidential campaign websites over the last three months, taking each of them offline for brief periods of time.
Hackers targeting Trump say they’re responding to his controversial campaign rhetoric. A widely circulated video from mid-March posted by Anonymous slams the Republican candidate for “an agenda of fascism and xenophobia, as well as the religious persecution of Muslims through totalitarian policies.”
A long-running war with Anonymous could turn into a costly distraction: The decentralized global group has turned into a digital thorn in the side of governments and corporations whose policies its members decide to confront; it has even gone after ISIS, identifying websites and shutting down pro-terror group Twitter accounts.
The Trump campaign did not respond to requests for comment about its cybersecurity efforts or the Anonymous threats. A spokesman at the Secret Service, which has had Trump under its protection since last fall, also declined to comment. The Secret Service previously has confirmed that it is working with the FBI to investigate an earlier hacking attack that led to the release of Trump’s personal information.
Donald Trump waves as he gets into his vehicle in Washington on Thursday, following a meeting with the Republican National Committee.
The success so far of Anonymous and other allied hacker groups against Trump – a candidate with personal wealth and a business to help support his security infrastructure – highlights the broader vulnerability of political campaigns across the board. Presidential campaigns are notorious for having thin cyber defenses, and with their high public profiles, fast pace and constantly distracted staffers, are widely considered to be an emerging security risk.
There’s great publicity value for anyone who can successfully knock a presidential candidate’s website offline, and it can damage a campaign’s reputation and momentum in the heat of a race. Presidential campaign aides on both sides of the aisle said in interviews that they worry about a well-timed denial of service attack at a critical primetime moment of the election cycle – a debate night, or as primary results are coming in, for example – because it could leave them without a way to raise the tens or even hundreds of thousands of dollars that can pour in per hour in online donations during such a spike in web traffic.
The campaigns are also targets because of the information they hold. They collect vast databases of sensitive information about voters and manage websites that solicit credit card-numbers from donors and campaign store shoppers. And on a bigger scale, opposition researchers and even foreign intelligence operatives are tempted by the internal political and policy strategy materials they might be able to spy on. Barack Obama and John McCain were both targeted back in 2008 by Chinese agents trying to access their internal policy plans as they prepared to govern if they won the general election. In 2012, both Obama and Mitt Romney faced a steady stream of attempted cyberattacks too.
While Trump may not be as vulnerable as other candidates if his online fundraising tools were shuttered, the database of potential supporters he’s building would appear to include millions of new voters who have previously avoided presidential politics. And even though the Republican isn’t seen as having a deep policy portfolio, he has begun putting together a team of issue experts to help him fill in the blanks on what he’d actually do as a chief executive if he won the White House. That kind of policy intelligence will only become more substantive and detailed as the campaign shifts into general election mode, making Trump should he become the Republican nominee an even riper target for hacking threats.
Every campaign that commented for this article said it was aware of cyberthreats and was taking proactive security measures, though each is different in how it handles the risk. Bernie Sanders, for example, has outsourced security for his campaign’s web tools to the digital firm Revolution Messaging; on the Hillary Clinton campaign, work is done in-house and is led by Stephanie Hannon, a former Google executive who serves as the Democrat’s chief technology officer, as well as Chief Information Officer Shane Hable and lead security engineer Tim Ball. Their work includes daily internal security audits and briefings for campaign staff on “social engineering” threats like phishing emails.
But it can all still be a challenge, even for a juggernaut like Clinton, with a rotating crew of paid staffers and volunteers, as well as the candidates themselves, using mobile devices that can be ripe targets for attack. “The weakest point of any software is the human interaction,” warned one senior GOP technology staffer.
This cycle, Republican National Committee staff and party leaders like attorney Benjamin Ginsberg have been reminding senior brass in many of the presidential campaigns to make cybersecurity one of their top priorities. But as early as last summer, it became clear this campaign wouldn’t be a smooth ride, especially for the Republican frontrunner—whose brash public persona had already made him a target of cybercrime before he even announced his candidacy.
Security blogger Brian Krebs reported in July 2015 that the Trump Hotel Collection had been the victim over several months of a credit card breach at multiple U.S. sites. Last August, a hacker group defaced the Trump.com site by posting a tribute to comedian Jon Stewart. Three months later, a group that calls itself the HydraHacking Team posted on Facebook Trump’s social security number and his cell phone.
At the start of 2016, the group New World Hackers took credit on Twitter for taking down Trump’s presidential campaign site. Last week, the same group claimed an attack on the Trump hotel chain’s website and said it was “testing” its capabilities ahead of April 1.
Another New World Hackers member, who goes by the name SinfulHaze, said in an interview he was surprised the billionaire Trump hadn’t already done more to improve his online security presence. “He could pay someone to sit there and watch the service 24/7,” he said.
Several of the other presidential campaigns have been dealing with cyber weaknesses too. Ted Cruz’s campaign, which did not respond to a request to comment, was dinged last month for poor cyber-hygiene by the Associated Press. With the help of a computer-security firm, AP had conducted a review of a Cruz mobile app installed on more than 70,000 Apple and Android devices and found poor coding and weak encryption that potentially exposed personal data and allowed text messages to be sent without a user’s permission. The Cruz campaign updated its technology to address the problems. At the same time that the AP was reporting its story, it also learned that one of the Cruz campaign’s senior staffers, Chris Wilson, fell victim to a “phishing” scheme that exposed his email account to hackers.
While the Clinton campaign wouldn’t comment about any past hacking attempts, its website does include one cyber-vulnerability that allows anyone to log in and create an event – even a fake one with an outrageous title like “Hillary Jail Watch Party” – and then blast it out with an official firstname.lastname@example.org email address and the official campaign logo in the message. Jonathan Lampe, a Madison, Wisc.-based cyber security expert at the InfoSec Institute, called the Clinton campaign website’s function a “hacker’s dream to have a trusted authority who is able to send people spam or phishing messages on her behalf.”
“I don’t understand how that got in there if you have security guys on staff,” he said.
Clinton campaign aides countered that they were well aware of the risks but opted to leave the system in place because they didn’t want to create additional hurdles for their grassroots supporters who want to host events aimed at drumming up enthusiasm. “It’s by design,” Hannon said. She said her team built the page in a way that phishing attacks can’t happen unless someone who got an infected link actually cut and pasted it into their web browser. The campaign also runs an automated review of the event postings, and staffers weigh in as well in the search for bogus events. So far, she said, they’ve only had to remove a couple of items.