WASHINGTON — Russia-linked hackers tried at least five times to trick Hillary Rodham Clinton into infecting her computer systems while she was secretary of state, newly released emails show. It was unclear whether she was fooled into clicking on any attachments to expose her account.
Clinton received the virus-riddled emails, disguised as speeding tickets from New York, over four hours early on the morning of Aug. 3, 2011. The emails instructed recipients to print the attached tickets — and opening them would have allowed hackers to take over control of a victim’s computer.
Security researchers who analyzed the malicious software in September 2011 said that infected computers would transmit information from victims to at least three server computers overseas, including one in Russia. That doesn’t necessarily mean Russian intelligence or citizens were responsible.
Nick Merrill, a spokesman for Clinton’s Democratic presidential campaign, said: “We have no evidence to suggest she replied to this email or that she opened the attachment. As we have said before, there is no evidence that the system was ever breached. All these emails show is that, like millions of other Americans, she received spam.”
Practically every Internet user is inundated with spam or virus-riddled messages daily. But these messages show hackers had Clinton’s email address, which was not public, and sent her a fake traffic ticket from New York state, where she lives. Most commercial antivirus software at the time would have detected the software and blocked it.
The phishing attempts highlight the risk of Clinton’s unsecure email being pried open by foreign intelligence agencies, even if others also received the virus concealed as a speeding ticket from Chatham, New York. The email misspelled the name of the city, came from a supposed New York City government account and contained a “Ticket.zip” file that would have been a red flag.
Clinton has faced increasing questions over whether her unusual email setup amounted to a proper form of secrecy protection and records retention. The emails themselves — many redacted heavily before public release — have provided no shocking disclosures thus far and Clinton has insisted the server was secure.
During Clinton’s tenure, the State Department and other U.S. government agencies faced their own series of hacking attacks. U.S. counterterrorism officials have linked them to China and Russia. But the government has a large staff of information technology experts, whereas Clinton has yet to provide any information on who maintained her server and how well it was secured.
The State Department estimated that its own government users were targeted with 19,000 such incidents the same year that Clinton received the five emails on her personal account. The following year, the number of such incidents in the State Department surged to 27,000.
“This steady increase in malicious software (malware) is significant because spear-phishing emails containing malware can place ‘code’ on department machines, which may compromise the integrity of U.S. networks and possibly enable the exfiltration of sensitive data,” the agency warned in a report during the period.
The emails released Wednesday also show a Clinton confidant urging her boss and others in June 2011 not to “telegraph” how often senior officials at the State Department relied on their private email accounts to do government business because it could inspire hackers to steal information. The discussion never mentioned Clinton’s own usage of a private email account and server.
The exchange begins with policy chief Anne-Marie Slaughter lamenting that the State Department’s technology is “so antiquated that NO ONE uses a State-issued laptop and even high officials routinely end up using their home email accounts to be able to get their work done quickly and effectively.” She said more funds were needed and that an opinion piece might make the point to legislators.
Clinton said the idea “makes good sense,” but her chief of staff, Cheryl Mills, disagreed: “As someone who attempted to be hacked (yes I was one), I am not sure we want to telegraph how much folks do or don’t do off state mail b/c it may encourage others who are out there.”
In a separate email in July 2011, Clinton joked about foreign hackers during an email to an aide about a mix-up over the aide’s government and private email addresses. Clinton asked special assistant Nora Toiv to send her email address, prompting Toiv to respond: “You’ve always emailed on my State email.”
Clinton replied: “Even weirder — I just checked and I do have your State but not your gmail — so how did that happen. Must be the Chinese!”
The previous month, U.S. investigators began looking into reports that Chinese hackers had mounted phishing attacks on the Google email accounts of senior Obama administration officials. Google had warned that hundreds of American officials, Chinese political activists and officials in several Asian nations had received such dangerous emails.
“We know this is going to be a continuing problem and therefore we want to be as prepared as possible to deal with these matters when they do come to our attention,” Clinton said in June 2011.
It was not clear whether Clinton ordered tightened security on her private email server.
The hacking attempts were included in the 6,300 pages the State Department released, covering a period when U.S. forces killed Osama bin Laden and the Arab Spring rocked American diplomacy.
New York State police warned as early as July 2011 about emails containing warnings of traffic tickets that actually contained computer viruses.
Clinton received five copies between 1:44 am and 5:26 am on Aug. 3, 2011. They appeared to come from “New York State — Department of Motor Vehicles,” warning that a car registered to Clinton was caught speeding “over 55 zone” on July 5. Clinton had no public events in Washington that day, following the July 4 holiday. The email instructed the recipient to “print out the enclosed ticker and send it to town court, Chatam Hall, PO Box 117.”
The former first lady and New York senator had maintained that nothing was classified in her correspondence, but the intelligence community has identified messages containing “top secret” information. Clinton had insisted that all of her work emails were being reviewed by the State Department, but Pentagon officials recently discovered a new chain of messages between Clinton and then-Gen. David Petraeus dating to her first days in office that she did not send to the State Department.