WASHINGTON — It was a nightmare scenario for a scrappy congressional candidate. A few hours before the biggest debate of the primary season, California Democrat Bryan Caforio’s website crashed. When he took the stage to debate his Democratic rivals, each of them vying to knock off vulnerable incumbent Republican Steve Knight in California’s 25th District, Caforio’s site was still down. Hours later, well after the debate, the page remained inaccessible. Voters who had watched the event and wanted more information about Caforio or hoped to donate to his campaign were out of luck.
It wasn’t the first time Caforio’s campaign site had suddenly crashed. On two previous occasions, the company that hosted bryancaforio.com had alerted campaign staffers to a strange and unexpected spike in traffic — so much traffic, in fact, that it forced the company to shut down the site until the surge receded. And it happened for a fourth time, for several hours, at yet another inopportune moment — a week before the primary election. Caforio wound up finishing third in the race, failing to advance by a few thousand votes.
According to emails and forensic data obtained by Rolling Stone and reviewed by cybersecurity experts, the four times Caforio’s website crashed were not the result of organic blasts of traffic from a news story or a Facebook link. Nor were they random flukes. Caforio, experts say, appears to be the victim of repeated distributed denial of service, or DDoS, attacks. A DDoS attack is when a burst of bogus traffic overwhelms a website and temporarily cripples it. Think of it as the online version of a phone-jamming campaign, or as “a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination,” as one tech firm puts it.
It’s unclear who was behind the attacks on Caforio. A source close to the campaign provided emails showing that they’d reported the incidents to the Department of Homeland Security, which handles complaints about DDoS attacks. A DHS employee sent the campaign a primer on DDoS attacks and offered to help investigate, but the campaign never responded to the request, according to a DHS spokeswoman.
Traffic logs show that server space operated by Amazon Web Services, the online retailer’s cloud computing business, was used to carry out the attack. Cybersecurity experts and digital consultants familiar with AWS describe several scenarios to explain what may have happened. The attacker or attackers could have found compromised AWS server space or accessed someone else’s AWS account and used it to launch the DDoS attacks. Or they may have created a new AWS account and purchased server space for the DDoS attacks, in which case Amazon would have relevant customer records.
Amazon declined to comment on the record in response to questions about the attacks on Caforio or any action it may have taken in response. The company has said in the past that it acts quickly to shut down anyone who abuses its products or violates its terms of service. “AWS employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” the company said.
Emails obtained by Rolling Stone show that Caforio’s website was down for a total of 21 hours over the course of the primary. Even after the campaign added DDoS protection to the site, it created a lag for anyone trying to visit, which could’ve turned away more people. A source close to the campaign refused to blame Caforio’s narrow loss on the DDoS attacks but believes it made a difference in Caforio’s final vote tally. “For us, when he loses by 2 percentage points, everything matters.”
Caforio’s experience is yet another chapter in the ongoing story of cyberattacks in the 2018 midterm elections. Rolling Stone reported last month that the FBI had investigated a series of hacking attempts targeting a Democratic candidate in Southern California who had run against Rep. Dana Rohrabacher (R-CA), widely seen as the most pro-Russia and pro-Putin member of Congress. Reuters reported several days later that the FBI had also examined an attack on another Southern California Democrat who had run in a nearby congressional district. And in July, the Daily Beast revealed that Sen. Claire McCaskill (D-MO), who faces a difficult reelection bid this year, had been targeted by Russian hackers in 2017, around the same time President Trump had urged Missouri voters to “vote her out of office.”
The attacks on Caforio appear to be the first reported instances of DDoS attacks on a congressional candidate. But cybersecurity experts say that DDoS attacks are a growing threat for political campaigns, parties and committees.
A DDoS attack is a blunt form of cyberwarfare intended to silence and bully the intended target — “the digital equivalent of a caveman with a club,” Matthew Prince, CEO and cofounder of the security firm Cloudflare, tells Rolling Stone. Prince, whose company runs one of the largest networks in the world, says you can hire someone online for as little as $20 to launch a DDoS attack capable of taking down a small website-hosting company. Such attacks weren’t all that common in U.S. politics before the 2016 election season, he adds, but his firm has detected a noticeable uptick since then in cyberattacks large and small. “Our thesis is that, prior to 2016, U.S.-style democracy was seen as the shining city on the hill,” Prince says. “The same things you could do to undermine a developing democracy wouldn’t work here. But after 2016, the bloom’s off the rose.”
Last December, Cloudflare rolled out the Athenian Project, a set of tools to help state and local governments that oversee elections guard against cyberattacks. In May, Jigsaw, an offshoot of Google, announced that it had expanded Project Shield, a free DDoS protection service, to be available to political organizations. Most recently, Microsoft unveiled free technology called AccountGuard that campaigns and parties can use to safeguard themselves from hacking.
The four apparent DDoS attacks on Caforio’s campaign happened in a five-week span from April to May 2018, according to documents obtained by Rolling Stone. Each time, the hosting company alerted the campaign that the website had gone down due to an unexpected spike in traffic. Like many upstart congressional campaigns, Caforio did not have a cybersecurity expert on staff or on contract. His campaign manager ended up hiring a cybersecurity consultant midway through the campaign to help strengthen its protections against future attacks. The consultant, who was not authorized to speak publicly, tells Rolling Stone that the attacks resembled a common but effective version of DDoS known as Hulk. Another cybersecurity expert who reviewed the campaign’s traffic logs also said they looked like a Hulk DDoS attack.
It didn’t help that the campaign was using a basic hosting service for its website, which was a holdover from Caforio’s unsuccessful 2016 run for Congress in the same district. After the first two incidents, the emails show, the campaign added several layers of protection to guard against future DDoS attacks. Yet on May 29th, a week before the primary election, a DDoS attack took down Caforio’s website again.
“As I saw firsthand, dealing with cyberattacks is the new normal when running for office, forcing candidates to spend time fending off those attacks when they should be out talking to voters,” Caforio tells Rolling Stone.
Caforio’s campaign manager also alerted the Democratic Congressional Campaign Committee to the attacks. DCCC Chief of Staff Aaron Trujillo communicated with the Caforio campaign by phone and email, sent a “basic cybersecurity recommendations” guide, and offered to bring in outside help if needed. A DCCC aide tells Rolling Stone that the committee takes cybersecurity “extremely seriously” and has taken “extensive measures” to protect itself and Democratic campaigns.
“While we don’t have control over the operations of individual campaigns, we continue to work with and encourage candidates and their staffs to utilize the resources we have offered and adopt best security practices,” the aide said.
The attacks on Caforio are the third reported instance of attacks happening in a competitive congressional race in Southern California. Eight of DCCC’s 84 “Red to Blue” races are located in California, more than any other state in the country. Democrats need a strong showing in Southern California if they have any hope of winning back the House in November.
This story has been updated to correct the spelling of AccountGuard, Microsoft’s new cybersecurity program, and to reflect the fact that, after publication, the DCCC’s list of red-to-blue candidates increased from 73 to 84.