House investigators concluded that Democratic IT aides made unauthorized access to congressional servers in 2016, allegedly accessing the data of members for whom they did not work, logging in as members of Congress themselves, and covering their tracks, according to a presentation summarizing the findings of a four-month internal probe.
Their behavior mirrored a “classic method for insiders to exfiltrate data from an organization,” and they continued even after orders to stop, the briefing materials allege. There are indications that numerous members’ data may have been secretly residing not on their designated servers, but instead aggregated onto one server, according to the briefing and other sources. Authorities said that the entire server was then physically stolen.
When acting on the findings, Democratic leadership appear to have misrepresented the issue to their own members as solely a matter of theft, a comparison of the investigators’ findings with Democrats’ recollections and a committee’s public statement shows, leading 44 Democrats to not conduct protective measures typically taken after a breach—including informing constituents whose personal information may have been exposed. (A list of the involved members is below.)
The presentation, written by the House’s Office of the Inspector General, reported under the bold heading “UNAUTHORIZED ACCESS” that “5 shared employee system administrators have collectively logged into 15 member offices and the Democratic Caucus although they were not employed by the offices they accessed.”
It found indications that a House “server is being used for nefarious purposes and elevated the risk that individuals could be reading and/or removing information” and “could be used to store documents taken from other offices.” The server was that of the House Democratic Caucus, a sister group of the DNC that was run at the time by then-Rep. Xavier Becerra.
The aides named are Imran Awan, his wife Hina Alvi, his brothers Abid and Jamal, and his friend Rao Abbas, Pakistani-born aides whose lives are filled withreason for concern. Abid’s Ukranian wife Natalia Sova and Haseeb Rana were also involved in the Awans’ activities but departed the House payroll prior to the investigation.
One systems administrator “logged into a member’s office two months after he was terminated from that office,” the investigative summary says.
While the rules could have been violated for some innocuous purpose, the presentation indicates that is unlikely: “This pattern of login activity suggests steps are being taken to conceal their activity.”
A second presentation shows that shortly before the election, their alleged behavior got even worse. “During September 2016, shared employee continued to use Democratic Caucus computers in anomalous ways:
- Logged onto laptop as system administrator
- Changed identity and logged onto Democratic Caucus server using 17 other user account credentials
- Some credentials belonged to Members
- The shared employee did not work for 9 of the 17 offices to which these user accounts belonged.”
The investigation found “possible storage of sensitive House information outside the House … Dropbox is installed on two Caucus computers used by the shared employees. Two user accounts had thousands of files in their Dropbox folder on each computer.” Using Dropbox is against House rules because it uploads files offsite.
The Washington Post referenced the presentation in July, and quoted a House source who claimed that the server was full of the Awan children’s “homework” and “family photos.” The presentation offers reasons to doubt that. “Based on the file names, some of the information is likely sensitive,” it reads.
The statements of numerous Democrats indicate that the Democratic staff of the House Administration Committee and other House officials may have withheld information about cybersecurity breaches from members who employed the suspects, and appear to have misled them about the basic nature of the investigation.
“This is the first I’ve heard about that,” said Missouri Democratic Rep. Emmanuel Cleaver—who employed almost every member of the Awan group—of cybersecurity issues.
“The only thing I’m aware of is that he’s being charged with bank fraud,” Democratic Rep. Joaquin Castro, who employed Jamal and is a member of the intelligence committee, told TheDCNF. “Do you have evidence that there’s anything more than a bank investigation? If someone’s given you a document to that effect, please give it to me.”
In early February, House Sergeant-At-Arms Paul Irving, Chief Administrative Officer Phil Kiko, and Jamie Fleet, the Democratic staff director of the Committee on House Administration, summoned affected chiefs of staff to a meeting to announce that the family was being banned from the network. Republican staff was not present, and the briefers omitted all mention of the cybersecurity component that appears to comprise the most dangerous part of the findings, according to numerous Democrats’ accounts.
On Feb. 3, 2017, Committee on House Administration Chairman Gregg Harper and Ranking Member Robert Brady issued the sole official statement about what they called “the ongoing House theft investigation.”
“House Officials became aware of suspicious activity and alleged theft committed by certain House IT support staff,” the statement read. “An internal investigation determined that a number of House policies and procedures had been violated. This information was turned over to the United States Capitol Police and their investigation is ongoing. These employees have also been blocked from accessing House systems. All offices impacted have been contacted. No further comment will be issued until the investigation is complete.”
But that internal investigation’s most notable findings—in fact, the second presentation didn’t even mention theft—concerned credible evidence of a cyber-breach, and at the time of the announcement, the most recent incident of theft consisted of the disappearance of a server that was evidence in a cybersecurity probe, several authorities said.
There is no scenario where the access was appropriate because House members are not allowed to accept services from people not on their payroll and employees are not permitted to log in to servers of members for whom they do not work. The presentation notes that such House polices are codified in law.
But nearly a year later, there have been no criminal charges related to House IT. Two of the suspects were indicted for bank fraud in July after prosecutors said they transferred money from the House bank to Pakistan and tried to flee the country.
There are strong indications that many of the 44 members’ data—including personal information of constituents seeking help—was entirely out of those members’ possession, and instead was stored on the House Democratic Caucus server. The aggregation of multiple members’ data would mean all that data was absconded with, because authorities said that entire server physically disappeared while it was being monitored by police.
An IT aide told TheDCNF that colleagues deployed to clean up after the Awans’ firing discovered that in many offices, computers were set up to be nothing more than “thin clients” that were portals to an outside computer. “They were using terminal servers, your desktop is projected to you” from a computer in a different location.
The presentation—though its language is at times opaquely technical—found remote sessions that remained active for months at a time. The House commonly uses Citrix remote sessions that allow someone’s computer screen to show the contents of a different computer, but its security precautions ordinarily cause them to disconnect after just a few minutes. Virtual Private Networks can also make a server’s hard drive appear to be local to a computer.
A House committee staffer close to the probe told TheDCNF that “the data was always out of [the members’] possession. It was a breach. They were using the House Democratic Caucus as their central service warehouse.”
“All 5 of the shared employee system administrators collectively logged onto the Caucus system 5,735 times, an average of 27 times per day… This is considered unusual since computers in other offices managed by these shared employees were accessed in total less than 60 times,” the presentation reads.
That, too, may imply that dozens of members’ data was all in one place—on the Caucus’s server instead of in members’ possession. The apparently constant access by the entire crew, even their friend Rao Abbas, also doesn’t jive with The Washington Post’s claim that they were using it as a family computer for homework and photos.
With the basics of the probe hidden from members, Democrats appear to have vocally painted an inaccurate picture of what the report alleges occurred, pointing to the current criminal charges instead of the House’s investigation while not taking any steps to protect potentially compromised data.
Rep. Ted Lieu of California, who employed Abid Awan and is a member of the foreign affairs committee, said as far as he was concerned it was a simple issue of bank fraud.
“The staffer that I used, there was no allegation,” he told a TV station. “If you look at the charge of the brother, he was charged with bank fraud… that has nothing to do with national security.”
Prosecutors contend in court filings that they committed bank fraud and tried to flee because they found out about the already-existing investigation into their House activities.
Becerra’s House Democratic Caucus knew about problems and tried to stop them, according to the presentation, but the suspect defied him. Based on other members’ accounts, Becerra does not appear to have warned other offices that might have been affected.
“The Caucus Chief of Staff requested one of the shared employees to not provide IT services or access their computers,” the investigative briefing reads. “This shared employee continued.” Then, as police monitored the server as a primary piece of evidence, they discovered in January that it was taken from under their noses and replaced with a different computer.