Sen. Ron Wyden has been a squeaky wheel about the US Senate’s weak security posture for a while. In April, the Oregon Democrat raised objections over the lax physical security measures for Senate staff—including ID badges that carry only a printed picture of a smart chip, rather than an actual chip like those on other access cards used across government agencies, and that provide no access controls. Now, as the November mid-term election approaches, Wyden has written a letter to Senate leadership decrying the lack of assistance that the Senate’s own information security team can provide in protecting senators’ accounts and devices from targeted attacks, even as evidence mounts that such attacks are being staged.
According to Wyden, his office had discovered that “at least one major technology company” had recently detected targeted attacks against members of the Senate and their staffers—and that these attacks had apparently been staged by groups tied to foreign intelligence agencies.
Microsoft reported thwarting spear-phishing attacks staged by a group tied to Russia’s Main Intelligence Directorate (GRU) against members of the Senate in August. And the US Senate’s own systems have been targeted in the past, including a June 2017 effort by the same GRU group (known as “Fancy Bear,” “Pawnstorm,” and “Sofacy”) that created a server spoofing the Senate’s own Windows Active Directory Federation Services (ADFS), according to a report from Trend Micro.