Lorenzo Franceschi-Bicchierai, writing for Motherboard:
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.
The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.
In short, John Podesta received a Bit.ly link to his Gmail address. He clicked the link, which took him to a fake Google login page, and he entered his login & password.
Eric Geller, writing for Politico:
According to the cybersecurity firm SecureWorks, the fake Google domain in that link — first reported Thursday by Motherboard — matches one the hacker group “Fancy Bear” has employed in a wide-ranging spear-phishing campaign that has also targeted major U.S. political institutions, Clinton campaign figures and other top officials.
“The Google-spoofing domain in the Motherboard article is one we observed used by Fancy Bear,” SecureWorks researcher Tom Finney told POLITICO in an email.
Security researchers have long tied Fancy Bear to Russia’s military intelligence agency, the GRU.
Motherboard’s story included a redacted screenshot of the malicious Bitly link’s analytics page that showed the link redirecting to Fancy Bear’s fake Google domain. POLITICO independently reviewed the bit.ly link’s analytics page and confirmed with SecureWorks that the domains matched.
Fancy Bear customized spear-phishing links for each target, encoding their email addresses within them.
In June, SecureWorks first described Fancy Bear’s months-long campaign, which it said targeted staffers at the Clinton campaign and the DNC.
The same month, security firm CrowdStrike also pointed the finger at Fancy Bear for the DNC hack.
Security firms ThreatConnect and Fidelis subsequently linked Fancy Bear to the DCCC intrusion, as well.
Over time, Fancy Bear has relied on one IP address to host several fake Google domains, including the one used to target Podesta and another to go after Clinton staffer William Rinehart. Finney confirmed that SecureWorks had found another Bitly link made for Rinehart.
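A defender-side triage of links like the ones described in the two articles above (a shortened link landing on a spoofed Google domain, with the recipient's address encoded into the link): this is an added example, not code from Motherboard, POLITICO or SecureWorks. It assumes the address is base64-encoded in the URL path or query string, which neither article states, and every hostname and address in it is a constructed sample.

```python
"""Triage a link for the two signals described above: a host that mimics
Google without being under google.com, and a URL segment that carries the
recipient's own email address. Added example, not code from Motherboard,
POLITICO or SecureWorks; it assumes (the articles do not say) that the
address is base64-encoded in the path or query. Sample values are constructed.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

# Constructed samples: a spoofed login link and a genuine-looking one.
SPOOFED_URL = "https://accounts-google-login.example/ServiceLogin?c=dGFyZ2V0QGV4YW1wbGUuY29t"
GENUINE_URL = "https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fmail.google.com"


def is_spoofed_google_host(host: str) -> bool:
    """True when the host name contains 'google' but is not under google.com."""
    host = host.lower().rstrip(".")
    if host == "google.com" or host.endswith(".google.com"):
        return False
    return "google" in host


def decoded_email_segments(url: str) -> list:
    """Return email addresses hidden in base64-looking path or query segments."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    segments += [v for kv in parts.query.split("&") for v in kv.split("=", 1)]
    found = []
    for seg in segments:
        seg = unquote(seg)
        padded = seg + "=" * (-len(seg) % 4)  # restore stripped '=' padding
        try:
            text = base64.urlsafe_b64decode(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # not base64, or not text
            continue
        if EMAIL_RE.match(text):  # a per-recipient lure pre-fills the username
            found.append(text)
    return found


def triage(url: str) -> dict:
    """Summarise the indicators found in one URL; 'suspicious' if either fires."""
    host = urlsplit(url).hostname or ""
    emails = decoded_email_segments(url)
    spoofed = is_spoofed_google_host(host)
    return {"host": host, "spoofed_google": spoofed,
            "targeted_emails": emails, "suspicious": spoofed or bool(emails)}
```

Run `triage()` over URLs unwrapped from shortener links in mail logs; a recovered address that matches the recipient is the per-target customisation the articles describe.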