WASHINGTON: It was just before noon in Moscow on March 10, 2016, when the first volley of malicious messages hit the Hillary Clinton campaign.
The first 29 phishing emails were almost all misfires. Addressed to people who worked for Clinton during her first presidential run, the messages bounced back untouched.
Except one.
Within nine days, some of the campaign’s most consequential secrets would be in the hackers’ hands, part of a massive operation aimed at vacuuming up millions of messages from thousands of inboxes across the world.
An Associated Press investigation into the digital break-ins that disrupted the US presidential contest has sketched out an anatomy of the hack that led to months of damaging disclosures about the Democratic Party’s nominee. It wasn’t just a few aides that the hackers went after; it was an all-out blitz across the Democratic Party. They tried to compromise Clinton’s inner circle and more than 130 party employees, supporters and contractors.
While US intelligence agencies have concluded that Russia was behind the email thefts, the AP drew on forensic data to report Thursday that the hackers known as Fancy Bear were closely aligned with the interests of the Russian government.
The AP’s reconstruction — based on a database of 19,000 malicious links recently shared by cybersecurity firm Secureworks — shows how the hackers worked their way around the Clinton campaign’s top-of-the-line digital security to steal chairman John Podesta’s emails in March 2016.
It also helps explain how a Russian-linked intermediary could boast to a Trump policy adviser, a month later, that the Kremlin had “thousands of emails” worth of dirt on Clinton.
____
PHISHING FOR VICTIMS
The rogue messages that first flew across the Internet March 10 were dressed up to look like they came from Google, the company that provided the Clinton campaign’s email infrastructure. The messages urged users to boost their security or change their passwords while in fact steering them toward decoy websites designed to collect their credentials.
One of the first people targeted was Rahul Sreenivasan, who had worked as a Clinton organizer in Texas in 2008 — his first paid job in politics. Sreenivasan, now a legislative staffer in Austin, was dumbfounded when told by the AP that hackers had tried to break into [email protected]. He said the address had been dead for nearly a decade.
“They probably crawled the Internet for this stuff,” he said.
Almost everyone else targeted in the initial wave was, like Sreenivasan, a 2008 staffer whose defunct email address had somehow lingered online.
But one email made its way to the account of another staffer who’d worked for Clinton in 2008 and joined again in 2016, the AP found. It’s possible the hackers broke in and stole her contacts; the data shows the phishing links sent to her were clicked several times.
Secureworks’ data reveals when phishing links were created and indicates whether they were clicked. But it doesn’t show whether people entered their passwords.
Within hours of a second volley emailed March 11, the hackers hit pay dirt. All of a sudden, they were sending links aimed at senior Clinton officials’ nonpublic 2016 addresses, including those belonging to longtime Clinton aide Robert Russo and campaign chairman John Podesta.
The Clinton campaign was no easy target; several former employees said the organization put particular stress on digital safety.
Work emails were protected by two-factor authentication, a technique that uses a second passcode to keep accounts secure. Most messages were deleted after 30 days and staff went through phishing drills. Security awareness even followed the campaigners into the bathroom, where someone put a picture of a toothbrush under the words: “You shouldn’t share your passwords either.”
Two-factor authentication may have slowed the hackers, but it didn’t stop them. After repeated attempts to break into various staffers’ hillaryclinton.com accounts, the hackers turned to the personal Gmail addresses. It was there on March 19 that they targeted top Clinton lieutenants — including campaign manager Robby Mook, senior adviser Jake Sullivan and political fixer Philippe Reines.
A malicious link was generated for Podesta at 11:28 a.m. Moscow time, the AP found. Documents subsequently published by WikiLeaks show that the rogue email arrived in his inbox six minutes later. The link was clicked twice.
Podesta’s messages — at least 50,000 of them — were in the hackers’ hands.
___
A SERIOUS BREACH
Though the heart of the campaign was now compromised, the hacking efforts continued. Three new volleys of malicious messages were generated on the 22nd, 23rd and 25th of March, targeting communications director Jennifer Palmieri and Clinton confidante Huma Abedin, among others.
The torrent of phishing emails caught the attention of the FBI, which had spent the previous six months urging the Democratic National Committee in Washington to raise its shield against suspected Russian hacking. In late March, FBI agents paid a visit to Clinton’s Brooklyn headquarters, where they were received warily, given the agency’s investigation into the candidate’s use of a private email server while secretary of state.
The phishing messages also caught the attention of Secureworks, a subsidiary of Dell Technologies, which had been following Fancy Bear, whom Secureworks codenamed Iron Twilight.
Fancy Bear had made a critical mistake.
It fumbled a setting in the Bitly link-shortening service that it was using to sneak its emails past Google’s spam filter. The blunder exposed whom they were targeting.
It was late March when Secureworks discovered the hackers were going after Democrats.
“As soon as we started seeing some of those hillaryclinton.com email addresses coming through, the DNC email addresses, we realized it’s going to be an interesting twist to this,” said Rafe Pilling, a senior security researcher with Secureworks.
By early April Fancy Bear was getting increasingly aggressive, the AP found. More than 60 bogus emails were prepared for Clinton campaign and DNC staffers on April 6 alone, and the hackers began hunting for Democrats beyond New York and Washington, targeting the digital communications director for Pennsylvania Gov. Tom Wolf and a deputy director in the office of Chicago Mayor Rahm Emanuel.
The group’s hackers seemed particularly interested in Democratic officials working on voter registration issues: Pratt Wiley, the DNC’s then-director of voter protection, had been targeted as far back as October 2015 and the hackers tried to pry open his inbox as many as 15 times over six months.
Employees at several organizations connected to the Democrats were targeted, including the Clinton Foundation, the Center for American Progress, technology provider NGP VAN, campaign strategy firm 270 Strategies, and partisan news outlet Shareblue Media.
As the hacking intensified, other elements swung into place. On April 12, 2016, someone paid $37 worth of bitcoin to the Romanian web hosting company THCServers.com, to reserve a website called Electionleaks.com, according to transaction records obtained by AP. A botched registration meant the site never got off the ground, but the records show THC received a nearly identical payment a week later to create DCLeaks.com.
By the second half of April, the DNC’s senior leadership was beginning to realize something was amiss. One DNC consultant, Alexandra Chalupa, received an April 20 warning from Yahoo saying her account was under threat from state-sponsored hackers, according to a screengrab she circulated among colleagues.
The Trump campaign had gotten a whiff of Clinton email hacking, too. According to recently unsealed court documents, former Trump foreign policy adviser George Papadopoulos said that it was at an April 26 meeting at a London hotel that he was told by a professor closely connected to the Russian government that the Kremlin had obtained compromising information about Clinton.
“They have dirt on her,” Papadopoulos said he was told. “They have thousands of emails.”
A few days later, Amy Dacey, then the DNC chief executive, got an urgent call.
There’d been a serious breach at the DNC.
___
‘DON’T EVEN TALK TO YOUR DOG ABOUT IT’
It was 4 p.m. on Friday, June 10, when some 100 staffers filed into the Democratic National Committee’s main conference room for a mandatory, all-hands meeting.
“What I am about to tell you cannot leave this room,” DNC chief operating officer Lindsey Reynolds told the assembled crowd, according to two people there at the time.
Everyone needed to turn in their laptops immediately; there would be no last-minute emails; no downloading documents and no exceptions. Reynolds insisted on total secrecy.
“Don’t even talk to your dog about it,” she was quoted as saying.
Reynolds didn’t return messages seeking comment.
Two days later, as the cybersecurity firm that was brought in to clean out the DNC’s computers finished its work, WikiLeaks founder Julian Assange told a British Sunday television show that emails related to Clinton were “pending publication.”
“WikiLeaks has a very good year ahead,” he said.
On Tuesday, June 14, the Democrats went public with the allegation that their computers had been compromised by Russian state-backed hackers, including Fancy Bear.
Shortly after noon the next day, William Bastone, the editor-in-chief of investigative news site The Smoking Gun, got an email bearing a small cache of documents marked “CONFIDENTIAL.”
“Hi,” the message said. “This is Guccifer 2.0 and this is me who hacked Democratic National Committee.”
___
‘CAN IT INFLUENCE THE ELECTION?’
Guccifer 2.0 acted as a kind of master of ceremonies during a summer of leaks, proclaiming that the DNC’s stolen documents were in WikiLeaks’ hands, publishing a selection of the material himself and constantly chatting up journalists over Twitter in a bid to keep the story in the press.
He appeared particularly excited to hear on June 24 that his leaks had sparked a lawsuit against the DNC by disgruntled supporters of Clinton rival Bernie Sanders.
“Can it influence the election in any how?” he asked a journalist with Russia’s Sputnik News, in uneven English.
Later that month Guccifer 2.0 began directing reporters to the newly launched DCLeaks site, which was also dribbling out stolen material on Democrats. When WikiLeaks joined the fray on July 22 with its own disclosures, the leaks metastasized into a crisis, triggering intraparty feuding that forced the resignation of the DNC’s chairwoman and drew angry protests at the Democratic National Convention.
Guccifer 2.0, WikiLeaks and DCLeaks ultimately published more than 150,000 emails stolen from more than a dozen Democrats, according to an AP count.
The AP has since found that each one of those Democrats had previously been targeted by Fancy Bear, either at their personal Gmail addresses or via the DNC, a finding established by running targets’ emails against Secureworks’ list.
All three leak-branded sites have distanced themselves from Moscow. DCLeaks claimed to be run by American hacktivists. WikiLeaks said Russia wasn’t its source. Guccifer 2.0 claimed to be Romanian.
But there were signs of dishonesty from the start. The first document Guccifer 2.0 published on June 15 came not from the DNC as advertised but from Podesta’s inbox, according to a former DNC official who spoke on condition of anonymity because he was not authorized to speak to the press.
The official said the word “CONFIDENTIAL” was not in the original document.
Guccifer 2.0 had airbrushed it to catch reporters’ attention.
___
‘PLEASE GOD, DON’T LET IT BE ME’
To hear the defeated candidate tell it, there’s no doubt the leaks helped swing the election.
“Even if Russian interference made only a marginal difference,” Clinton told an audience at a recent speech at Stanford University, “this election was won at the margins, in the Electoral College.”
It’s clear Clinton’s campaign was profoundly destabilized by the sudden exposures that regularly radiated from every hacked inbox. It wasn’t just her arch-sounding speeches to Wall Street executives or the exposure of political machinations but also the brutal stripping of so many staffers’ privacy.
“It felt like your friend had just been robbed, but it wasn’t just one friend, it was all your friends at the same time by the same criminal,” said Jesse Ferguson, a former Clinton spokesman.
An atmosphere of dread settled over the Democrats as the disclosures continued.
One staffer described walking through the DNC’s office in Washington to find employees scrolling through articles about Putin and Russia. Another said she began looking over her shoulder when returning from Clinton headquarters in Brooklyn after sundown. Some feared they were being watched; a car break-in, a strange woman found lurking in a backyard late at night and even a snake spotted on the grounds of the DNC all fed an undercurrent of fear.
Even those who hadn’t worked at Democratic organizations for years were anxious. Brent Kimmel, a former technologist at the DNC, remembers watching the leaks stream out and thinking: “Please God, don’t let it be me.”
___
‘MAKE AMERICA GREAT AGAIN’
On Oct. 7, it was Podesta.
The day began badly, with Hillary Clinton’s phone buzzing with crank messages after its number was exposed in a leak from the day before. The number had to be changed immediately; a former campaign official said that Abedin, Clinton’s confidante, had to call staffers one at a time with Clinton’s new contact information because no one dared put it in an email.
The same afternoon, just as the American electorate was digesting a lewd audio tape of Trump boasting about sexually assaulting women, WikiLeaks began publishing the emails stolen from Podesta.
The publications sparked a media stampede as they were doled out one batch at a time, with many news organizations tasking reporters with scrolling through the thousands of emails being released in tranches. At the AP alone, as many as 30 journalists were assigned, at various times, to go through the material.
Guccifer 2.0 told one reporter he was thrilled that WikiLeaks had finally followed through.
“Together with Assange we’ll make america great again,” he wrote.
___
Donn reported from Plymouth, Massachusetts. Desmond Butler, Ted Bridis, Julie Pace and Ken Thomas in Washington, Justin Myers in Chicago, Frank Bajak in Houston, Lori Hinnant in Paris, Maggie Michael in Cairo, Erika Kinetz in Shanghai and Vadim Ghirda in Bucharest, Romania contributed to this report.
___
Editor’s Note: Satter’s father, David Satter, is an author and Russia specialist who has been critical of the Russian government. Several of his emails were published last year by hackers and his address is on Secureworks’ list.
Nineteen thousand lines of raw data associated with the theft of Hillary Clinton campaign emails shows how the hackers dodged strict security measures to pull it off.
Minute-by-minute logs gathered by cybersecurity company Secureworks and recently shared with The Associated Press tell the tale. It took the hackers just over a week of work to zero in on and penetrate the personal Gmail account of campaign chairman John Podesta.
One outside expert who reviewed the data said it showed how even the well-defended Clinton campaign fell prey to phishing, a basic cyberespionage technique which uses bogus emails to harvest passwords.
Inside story: How Russians hacked the Democrats’ emails