In May of 2017 vulnerabilities were discovered on one of Devin Nunes’ campaign websites. The campaign website devinnunes.net had apparently been infected with a virus that caused some internal pages to be indexed by Google, in Russian.
The full report on this discovery is here: https://www.slickrockweb.com/devin-nunes-russian-cyberattack-problem.php. The author of the report notified the Nunes campaign of these vulnerabilities on May 19, 2017. Shortly thereafter, it seemed as if the problem had been resolved. The URL devinnunes.net was redirected to a SquareSpace site, here: devinnunes.com. The devinnunes.net site was apparently gone.
But was the problem resolved, really? We had a closer look.
It would have been the easiest thing in the world to delete ALL the files related to the now-defunct devinnunes.net website, then do simple domain forwarding with a URL redirect.
Instead of doing this, whoever was in control of devinnunes.net left the spammy files in place, even after being notified of their existence. When we navigated directly to one of the URLs that Google had indexed last May, we found that the supposed XML file is still exactly where it was before the site was “cleaned up”: http://devinnunes.net/images/userfiles/kyt5660-bileti-kiev-nyu-york-tsena-myz3171.xml. This file is not actually an XML file. Clicking on the link briefly displays a (mainly) Russian-language HTML page, before redirecting the visitor to a Russian air ticket broker:
The site wasn’t cleaned up at all. Normal traffic was simply redirected so the spammy files were no longer visible to the normal user or indexed by search engines.
This made us curious about what other files may still exist at this URL. We checked the service VirusTotal to see whether malicious code on devinnunes.net had been detected and reported by others. And indeed it had.
We downloaded the file that VirusTotal alerted us to. What we found was very disturbing. Disguised as a JPEG image file, it contains a Visual Basic script that downloads code from a domain called alihack.com, executes it on the user’s computer, then destroys its own traces. Why is that code STILL THERE many months later?
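Both findings above come down to the same thing: a file whose name promises one format (.xml, .jpg) while its bytes hold another (an HTML redirect page, a script). A site owner can catch that class of leftover without any virus scanner by sniffing each file's header against its extension. The script below is an added example, not code from the original report; it walks a web root and flags mismatches, using a constructed sample directory with stand-in content (no real payload) so it runs offline.

```python
import os
import tempfile

# Magic bytes of image formats a campaign web root legitimately serves.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# Strings that have no business inside an image or a data file.
SUSPECT_MARKERS = (b"<script", b'http-equiv="refresh"', b"wscript.shell")

def classify(path):
    """Return why the file's content contradicts its name, or None if it looks genuine."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)  # the header is enough to sniff the real type
    lower = head.lower()
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "extension %s but no image magic bytes" % ext
    if ext == ".xml" and not head.lstrip().startswith(b"<?xml") and b"<html" in lower:
        return "extension .xml but content is HTML"
    for marker in SUSPECT_MARKERS:
        if marker in lower:
            return "contains %s" % marker.decode()
    return None

def scan(root):
    """Walk a web root; map each suspicious file (relative path, '/'-separated) to its reason."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reason
    return findings

def build_sample_root():
    """Constructed web root: a genuine JPEG, a genuine XML and two disguised files."""
    root = tempfile.mkdtemp()
    userfiles = os.path.join(root, "images", "userfiles")
    os.makedirs(userfiles)
    samples = {
        "logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # real JPEG header
        "sitemap.xml": b'<?xml version="1.0"?><urlset/>',  # real XML
        "tickets.xml": b'<html><meta http-equiv="refresh" content="0;url=http://broker.example/"></html>',
        "photo.jpg": b"' constructed stand-in for script text hidden behind a .jpg name\n",
    }
    for name, data in samples.items():
        with open(os.path.join(userfiles, name), "wb") as fh:
            fh.write(data)
    return root
```

Run `scan()` against the real document root of a site that has been "cleaned up" by redirect alone: anything it returns is a file that should have been deleted, not hidden.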
What could a malicious file like this be used for? Here are the warnings about this file. It’s a Trojan Agent, for sure, and most virus scanners mark it as a BRRT type. It’s a serious threat to anyone running Windows who clicks on the link to this file.
This particular type of virus is especially frightening and dangerous. It is built to steal information from anyone whose computer is infected by it. In short, this is exactly the type of file that is used for spear phishing: stealing personal data, including emails and address books.
If an unsuspecting victim received an email containing a link that would initiate a download of this file, that person’s computer would most likely be compromised.
Did Nunes’ emails get hacked? Did his address book get hacked? Were emails then sent out to other GOP members in a spear phishing campaign, given that Nunes was a trusted contact to these people? The damage that could have occurred as this spread is deeply concerning.
The continued existence of this file brings up some serious questions. How could this have happened to Devin Nunes’ campaign website? Who was managing this site? Why did the malicious code stay in place, nearly nine months after it was reported to the campaign?
To answer these questions we dug even deeper. We had a look at the computer hosting the devinnunes.net website. Its IP address comes back to a Microsoft Azure server. Who controls this server? What else is hosted there? This is what we found.
North Star Campaigns? Drink Stocks? Who are these people? What do they have to do with Devin Nunes?
Stay tuned. This rabbit hole is about to get crazy deep.