A number of malicious attackers apparently tried to break into Hillary Clinton’s private email server while she was serving as secretary of state, according to new documents released from the FBI’s investigation into its use.
In a section detailing the FBI’s look into potential intrusions of the server, Bryan Pagliano, the IT worker who helped set it up, told agents that the server had no security breaches, but it had many failed log-in attempts, which he characterized as “brute force attacks.”
In these types of attacks, a hacker tries to guess passwords one by one, or uses an automated tool to keep guessing until one works. Pagliano said that these types of attacks “increased over the life” of the server, and he set up alerts for when they occurred.
It’s worth noting that most companies, regardless of size, experience the same sort of attempts by hackers to break into their computers and networks.
The FBI could not determine whether hackers gained full access to the server, but on at least one occasion, a hacker did take over an email account belonging to a staffer for President Bill Clinton, the documents said.
“Forensic analysis noted that on January 5, 2013, three IP addresses matching known Tor exit nodes were observed accessing” the account, meaning that an attacker using the Tor service – which encrypts and hides a person’s online presence – logged in and browsed emails, folders, and attachments. The FBI was unable to determine who the attacker was.
There were also a number of security lapses revealed in the FBI documents.
While the server was set up in January 2009, it wasn’t until late March 2009 that Pagliano set it up with an SSL security certificate that would encrypt log-in credentials as a user logged in, though this never covered email content stored on the server.
For this three-month period – if hackers were so inclined and could intercept the traffic – email traffic from ClintonEmail.com was “potentially vulnerable to compromise,” the FBI said.
Pagliano also recalled a conversation with someone – redacted in the documents – who advised that he set up Transport Layer Security, or TLS, a tunnel which would protect data traveling to the server from servers hosted at the State Department. This move apparently never happened.
But it’s also worth noting that the two technologies, SSL and TLS, are related, and when it comes to setting up email servers, often a server in those days would use one or the other.
The FBI also found that Microsoft’s Remote Desktop Protocol (RDP), which the FBI said had “known vulnerabilities” associated with it, was enabled on the server. Though RDP is used by many organizations to allow certain employees to access a system over the internet, such connections are often only as strong as the username and password that protect them.
In his statement following the investigation, FBI Director James Comey said that the FBI did not find “direct evidence” that the server was successfully hacked, but he added that “given the nature of the system and of the actors potentially involved, we assess that we would be unlikely to see such direct evidence.”
Translation: We did not find the fingerprints of hackers on this system, but hackers often cover up their tracks and delete traces of their breaches, so it’s very possible that they broke in and we would never know it.
Of whether the server was hacked, Clinton’s website says, “No, there is no evidence there was ever a breach.”
Still, Comey spoke of “hostile actors” who gained access to private email accounts of people whom Clinton emailed. Though he didn’t name names, at least one of those actors was Guccifer, whose real name is Marcel Lehel Lazar, the infamous hacker – recently sentenced to four years in prison – who broke into more than 100 accounts of prominent Americans.
“She also used her personal e-mail extensively while outside the United States, including sending and receiving work-related e-mails in the territory of sophisticated adversaries,” Comey said. “Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton’s personal e-mail account.”