During the summer, the Obama campaign was informed by the FBI and the White House that a foreign entity or organization may have been after policy positions that it could use as leverage with the next administration, and that the attack wasn't a case of political espionage from its opponent, according to the report. Experts in the Obama camp later surmised the attackers were Russian or Chinese.
Obama's technical team initially found what they determined to be malware from a phishing attack. But the FBI and Secret Service informed them a day later that they had been compromised, and files had been accessed on their system. "You have a problem way bigger than what you understand," an agent told the Obama team, according to the report. McCain's campaign system was hit with a similar attack in August, and the Obama campaign reportedly stopped the attack on its system and tightened up its security.
The FBI declined to comment on the breach report.
While the report didn't reveal details of the attack, security experts weren't surprised that the campaigns suffered breaches. Oliver Friedrichs, who has previously conducted research on security risks for presidential campaigns, says these kinds of attacks will get only more intense in future elections. "Clearly, one thing we see is campaigns moving to the Net to run their campaigns, and along with that comes the parasites and threats of the Internet," says Friedrichs, who is CEO at startup Immunet. "In the next election, you will see more insidious attacks and threats."
The day after winning the presidency, Obama became the subject of a major spam malware attack that promised clips of an "amazing" Obama speech or other Obama-related news. Earlier this year, Obama's Website also was hit with a cross-site scripting attack that redirected visitors to then-Democratic rival Hillary Clinton's campaign site.
The newly revealed attacks on Obama's and McCain's campaign systems could have started from the outside or within, experts say. "This could have been anything from an external attack from the Internet to individuals who had installed Trojans or keyloggers through a malicious [USB] stick," Friedrichs says.
Robert Graham, CEO at Errata Security, says it's not clear from the report whether Obama's and McCain's Websites were hacked, or their back-end payment processors. "Both campaigns outsourced their donation pages to other companies. A hacker interested in making money would go after these third parties rather than just defacing the front page," Graham says.
Graham noted that Web development firms typically don't have security expertise, which puts candidates and their sensitive data at risk. "Website creation firms do not understand how hackers break into Websites. They make mistakes, such as SQL injections, that allow hackers to break in," he says.
Meanwhile, Friedrichs says the attacks should serve as a wake-up call for future campaigns. "This is really the beginning. The factor was the lack of awareness of the potential risks" of donations and other information moving across the Internet, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message