Hackers that targeted a Democratic senator up for reelection this year may have left behind clues in their attack that further suggest Russian involvement.
The office of Claire McCaskill, a Missouri senator, was targeted in an apparent targeted phishing attack from a fake Microsoft domain that the software giant later seized pursuant to a court order. The Daily Beast reported that a then-McCaskill staffer was the target of the attack, which was attributed to hackers linked to Russian intelligence — largely because the effort was similar to the phishing attack on Hillary Clinton’s campaign chair John Podesta, whose account was successfully breached and emails were shared with WikiLeaks.
Now, new research suggests that the phishing page used in the McCaskill attack contains language-specific code references that lends further credence that Russian hackers were involved.
When the hackers built the phishing page used to trick the McCaskill staffer, they scraped the code from a legitimate Microsoft login page that staff would use to log into their network. That code included a browser-generated link of the original web page that was scraped, the research said. That link appended a language marker at the end which varies depending on which country the user is located in the world — such as “gb” for the UK, or “fr” for France.
Because the language tag was “ru”, which researchers say shows that the code was likely scraped from a user in Russia.
Yonathan Klijsnma, threat researcher at RiskIQ, said in a blog post that in many cases hackers won’t build a phishing page from scratch but will simply copy and save the page it’s trying to imitate. In doing so, any saved language tags embedded in the code “can be a crucial clue in connecting operators with their malicious campaigns.”
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Klijsnma said these tags are often overlooked by the hackers. That which resulted in a sloppy phishing page that was saved by RiskIQ’s vast internet crawling operation.
Although McCaskill, a vocal Russia critic, confirmed the “unsuccessful” attempted hack in a press release in July that she attributed to Russia, a spokesperson for McCaskill declined to comment further when reached Wednesday prior to publication.
In an additional twist, Klijsnma also found that the same Russian hackers also targeted reporter Serhiy Drachuk, whose work has long criticized of the Russian regime. Code from the page that was used in the McCaskill phishing attempt contained leftover references to the journalist’s work email address, which was previously accessed by the hackers.
We reached out to Serhiy Drachuk for comment, but did not hear back by the time of writing.
It’s the latest in a long string of cyberattacks and phishing efforts to target US political institutions before and during the 2016 presidential election and later. Just this week, Democratic National Committee officials said they thwarted an attempt to access their voter database. It comes hot on the heels of Microsoft’s announcement that it prevented a Russian-backed advanced persistent threat group known as Fancy Bear (or APT28) to steal data from political organizations.
