Senate Campaign In Tennessee Fears Hack After Impostor's Emails Request Money
Updated at 8:35 p.m. ET
The campaign for the leading Democratic candidate for Senate in Tennessee, former Gov. Phil Bredesen, said in a letter to the FBI Thursday that it feared it had been hacked.
The potential breach comes as state and federal officials are increasingly worried that enough hasn't been done to improve election security since 2016.
According to the letter, which the campaign shared with NPR, the campaign received emails asking for money on Feb. 28, from an address that was almost identical to the address of the campaign's media buyer.
"The sender knew that the campaign was preparing to purchase air time for a TV commercial and knew the dates of the proposed media buy," wrote campaign lawyer Robert Cooper Jr. "These emails urged the campaign to wire funds to an international bank account."
Because the impostor knew that the campaign was planning to buy ad time on the dates proposed, Cooper wrote that the campaign was "concerned that there has been an unauthorized intrusion into the extended campaign organization."
After aides recognized that the emails weren't legitimate, the campaign brought on a cybersecurity firm, which linked the email addresses back to an Arizona-based registrar. No money was transferred, according to the letter.
An FBI spokesperson in Tennessee said the agency is "aware of the matter" but does not comment on whether investigations are ongoing.
Bredesen, who was governor of Tennessee from 2003-2011, is vying for the seat now held by Republican Sen. Bob Corker, who announced last year that he wouldn't run for re-election in November.
The Tennessee primary is Aug. 2, and Rep. Marsha Blackburn is the current favorite for the Republican nomination, since Corker decided not to reverse his decision to retire and Gov. Bill Haslam declined to get into the race. Dr. Rolando Toyos, an ophthalmologist, is also running on the GOP side.
The potential breach of the Bredesen campaign comes as the 2018 primary season is heating up, amid concerns that election security hasn't improved enough since the 2016 election.
Russian operatives probed the online voter registration databases of 21 states leading up to that election and broke into at least one, according to the Department of Homeland Security.
During the 2016 cycle, campaign data were another target of Russia, which worked to acquire and release reams of embarrassing messages from the staffs of the Democratic National Committee and the Clinton campaign.
There are no indications, at this point, that a foreign adversary had anything to do with the potential Bredesen hack. But Thursday's letter illustrates how many of the security issues that were revealed by the 2016 hacks of the American electoral system remain in need of attention.
Speaking earlier this week, President Trump said he was not worried about potential Russian interference in the 2018 midterms.
"Because we'll counteract whatever they do. We'll counteract it very strongly. And we are having strong backup systems," the president said. "We haven't been given credit for this but we've actually been working very hard on the '18 election and the '20 election coming up."
"We're doing a very very deep study and we're coming out with I think some very strong suggestions on the '18 election," Trump also said Tuesday.
Attorney General Jeff Sessions also recently announced the creation of a Justice Department "Cyber-Digital Task Force" to be led by Deputy Attorney General Rod Rosenstein.
And FBI Director Christopher Wray told lawmakers on Capitol Hill late last year that the bureau had already begun its own effort to combat foreign influence in U.S. elections and is working in coordination with the Department of Homeland Security.
Nicholas Weaver, a researcher at the International Computer Science Institute, told NPR earlier this year that nonpresidential campaigns are perfect phishing targets.
"Phishing is unreliable — you might send out 500 phishing emails and only get a couple of responses," said Weaver. "But when you have House races, each with dozens of potential staffers as targets, you're going to see a lot of these low-level attacks that are remarkably effective when you just use the law of large numbers."
There are currently no federal security requirements that campaigns must follow.
"Campaigns need to think like they are a target," Weaver said. "Because they are."
Copyright 2021 NPR. To see more, visit https://www.npr.org.