Cyber Security

Real Hacked Files Include Faked Clinton Campaign ‘Corruption’

A devastating hack on the Bradley Foundation is real. That $156 million check to Hillary Clinton, not so much.

Vocativ
Nov 03, 2016 at 6:00 PM ET

Hackers breached an American nonprofit and shared thousands of its files online. They also snuck in a doctored email that — falsely — makes it appear that the organization illegally gave Hillary Clinton’s campaign $156 million in July.

Since June, hackers have breached various servers belonging to Democrats and Democratic groups, including the DNC and the emails of Hillary Clinton campaign chair John Podesta, leaking their contents online. Though the vast majority of the files have been innocuous, a few have led to resignations, like those of former DNC Chair Debbie Wasserman Schultz and acting Chair Donna Brazile, who left her role as a CNN commentator this week. While the metadata of some hacked DNC documents appears to have been altered, the leaked documents and emails have largely seemed authentic. That nearly all the leaked files and emails have been genuine has given rise to a fear that a single, deliberately forged document, embedded within actual ones, would be easily accepted by the public as real.

That happened this week. The Bradley Foundation, a nonprofit that sponsors cultural and conservative causes, admitted in a statement Wednesday evening that it had been hacked. Since Saturday, a Twitter account called @anpoland has tweeted links to a 30 gigabyte download of Bradley Foundation files, along with scattered details about the hack.

The majority of the files, reviewed by Vocativ, appear real. They range from personnel files, like employee salaries and emergency contacts, to planning for the annual Kohler Impact Conference, which, according to its program, has in recent years featured conservative commentator Bill Kristol and Republican Senator Ron Johnson. Other documents include a detailed breakdown of how many shares of the foundation belong to each member of the Bradley family, and scans of grant forms filled out by hand, like when the foundation gave $20,000 in April to Pro Musica Hebraica, a nonprofit, for the purpose of “Rediscovering the art of Jewish Music.”

But a folder in the dump named “Election” is suspicious. It contains three nearly identical letters, dated April 19, April 29, and July 19 of 2016. Each is written on the letterhead of Cynthia Friauf, the Bradley Foundation’s Vice President for Finance, and addressed to Joseph Gill, Managing Director at Rothschild Asset Management, an investment firm.

Each of the three letters begins “Payment is required for Mrs. Clinton’s campaign.” Consecutively, they then ask for $1 million, $5 million, and then $150 million — as if the foundation is readying a massive donation to the Clinton camp.

There appears to be an element of copying and pasting with the letters. Friauf’s signature seems identical in all three, as if it was photocopied or photoshopped, and while the first two letters respectively request the money be delivered by April 29th and May 5th, the third requests it by “July 22th.”

“Oh my God, that’s such a fake,” Terri Farmer, Vice President for Administration at the Bradley Foundation, told Vocativ upon first being read the third email’s message over the phone. “We have nothing to do with anything like that.”

While Rothschild didn’t respond to a request for comment on the record, a person familiar with their operations said the email was a forgery.

Robert Maguire, a political nonprofits investigator at the Center of Responsive Politics, which tracks donations to political campaigns and action committees, said he had no record of such a donation from the Bradley Foundation, and that it was practically impossible for such a large one to go unnoticed. 

“I definitely would have noticed Bradley Foundation popping up somewhere as a spender, and it definitely can’t give $150 million to the campaign. That would have raised red flags immediately, because the campaign can’t accept such a large contribution. And it hasn’t given to any of the Super PACs,” he told Vocativ.

“It’s a pretty bad fake, because they take the wrong phrasing,” he said. “They didn’t understand the technical aspects of how you can give money.” 

In a conversation conducted over Twitter direct message, @anpoland said that the Bradley Foundation files, in particular those detailing massive donations to Clinton’s campaign, were evidence of “Corruption bro, fucked Corruption !!!”

*****

It’s clear the release of the hacked Bradley Foundation documents was designed to cause harm to the Clinton campaign. The question of who engineered it is murkier, but there are indications pointing toward a series of Russian-linked hacks this summer.

While @anpoland claims to be a member of the hacking collective Anonymous, there’s little to infer from that — by definition, anyone online can claim “membership.” When pressed for details about their identity or motivations, they simply responded “Bro, We are Anonymous.”

But @anpoland has a strange Twitter history. It only has three tweets that date back before July. After that, it tweeted a series of claims against Ukraine. In August, the account began focusing on the Olympics. It shared seemingly hacked documents from the Court of Arbitration for Sport, which handles Olympic disputes, and promised to soon hack the World Anti-Doping Association, an Olympic initiative to test athletes for illegal drug use.

This is where the story gets complicated. Soon after posting CAS documents, @anpoland promised hacked WADA files. Those never came, but on September 5, the account promised a “new attack on the WADA/Olimpic.”

Those also never came. But the next day, someone created a new account, called @FancyBears, which similarly promised to hack WADA. Six days after that, @FancyBears began publishing a series of hacked WADA files. They followed a clear pattern: Most of their published files were real medical reports, initially just of American athletes. None of the described drugs or treatments were illegal, but that didn’t stop Fancy Bears from indicating they were, describing the files as evidence of “dirty methods to win.”

“This is other evidence that WADA and IOC’s Medical and Scientific Department are corrupt and deceitful,” Fancy Bears wrote.

While the hack got little attention in the U.S., it was a viral news story in Russia, where many resent WADA for banning nearly a third of its athletes from the 2016 Olympics for illegal doping.

CAS didn’t respond to questions about its hack. But WADA did, and went so far as to formally accuse a Russian government hacking group known as APT 28, which, confusingly, had previously been nicknamed “Fancy Bear” by American cybersecurity firm CrowdStrike.

Many cybersecurity firms believe APT 28 are the government-sponsored hackers responsible for the series of hacks against the Democratic Party in the run-up to the 2016 election. The Department of Homeland Security has accused the Russian government of being behind those hacks, and has specifically named the characters that distribute those files, which have names like Guccifer 2.0 and DC Leaks, as being part of that operation.

Democrats have repeatedly cried foul over the public’s poring over thousands of their leaked documents, many of which are now stored and searchable at WikiLeaks. But there has yet to be a clear example, until now, that an important email or document was forged to defame them and hidden among a much larger, authentic document dump.

The @anpoland account seems consistent with those other attacks, Toni Gidwani, Director of Research Operations at ThreatConnect, a cybersecurity firm that’s studied recent Russian attacks, told Vocativ.

“The @anpoland handle was suspicious as a mouthpiece for these materials,” Gidwani said. “They don’t have the right backstory, they don’t show consistency in terms of the issues they’re covering with other Anonymous Poland handles and sites. And then you have this connection with the WADA attack and how that data was stolen.” 

The Department of Homeland Security declined Vocativ’s request to comment on whether it believed the Russian government hackers it accused of attacking the DNC were also those responsible for the WADA hack. Regardless of whether this hack did originate from the Russian government, Twitter is already awash with conspiracy theorists convinced Clinton got $156 in illicit funds from the Bradley Foundation. Fake documents in a mostly authentic hack are, at least by some, being treated as genuine.

Fancy Bears didn’t respond to a request for comment on whether it was connected in any way with @anpoland. @anpoland declined to share details of the two’s relationship, except to claim that Fancy Bears was from San Francisco and only pretending to be Russian. (It’s also possible that multiple hackers have recently hit the Bradley Foundation, and @anpoland simply came in later.)

When told that the email detailing a $150 million donation was likely fake, @anpoland said they didn’t doctor the files, but that they were able to get access to the Bradley Foundation’s server because they used an extremely basic administrative username and password.

“I hope server wasnt broken before me,” @anpoland said.