The campaign for the leading Democratic candidate for Senate in Tennessee, former Gov. Phil Bredesen, sent a letter to the FBI Thursday that said it feared it had been hacked.
The potential breach comes as state and federal officials are increasingly worried that enough hasn’t been done to improve election security since 2016, as this year’s midterms approach in November.
According to the letter, which the campaign shared with NPR, the campaign received emails asking for money on Feb. 28, from an address that was almost identical to the address of the campaign’s media buyer.
“The sender knew that the campaign was preparing to purchase air time for a TV commercial and knew the dates of the proposed media buy,” wrote the campaign’s lawyer Robert Cooper Jr. “These emails urged the campaign to wire funds to an international bank account.”
Due to the fact that the “imposters” knew that the campaign was indeed planning on buying ad time on the dates proposed, Cooper wrote that the campaign was “concerned that there has been an unauthorized intrusion into the extended campaign organization.”
After aides recognized that the emails weren’t legitimate, the campaign brought on a cybersecurity firm who linked the email addresses back to an Arizona-based registrar. No money was transferred, according to the letter.
An FBI spokesperson in Tennessee said the agency is “aware of the matter” but does not comment on whether investigations are ongoing.
Bredesen, who was governor of Tennessee from 2003-2011, is vying for the seat now held by Republican Sen. Bob Corker, who announced last year that he wouldn’t run for re-election in November.
The Tennessee primary is Aug. 2, and Rep. Marsha Blackburn, former Rep. Stephen Fincher and Dr. Rolando Toyos are all running to represent Republicans in the general election.
The potential breach of the Bredesen campaign comes as the 2018 primary season is heating up, amid concerns that election security hasn’t improved enough since the 2016 election.
Russian operatives probed the online voter registration databases of 21 states leading up to that election, and broke into at least one, according to the Department of Homeland Security.
During the 2016 cycle, campaign data was another target of Russia, which worked to acquire and release reams of embarrassing messages from the staffs of the Democratic National Committee and Clinton campaign.
There are no indications, at this point, that a foreign adversary had anything to do with the potential Bredesen hack. But Thursday’s letter illustrates how many of the security issues the 2016 hacks revealed in the American electoral system remain, still in need of attention.
Speaking earlier this week, President Trump said he was not worried about potential Russian interference in the 2018 midterms.
“Because we’ll counteract whatever they do. We’ll counteract it very strongly. And we are having strong backup systems,” the president said. “We haven’t been given credit for this but we’ve actually been working very hard on the ’18 election and the ’20 election coming up.”
“We’re doing a very very deep study and we’re coming out with I think some very strong suggestions on the ’18 election,” Trump also said Tuesday.
Attorney General Jeff Sessions also recently announced the creation of a Justice Department “Cyber-Digital Task Force” to be led by Deputy Attorney General Rod Rosenstein.
And FBI Director Christopher Wray told lawmakers on Capitol Hill late last year that the bureau has already begun its own effort to combat foreign influence in U.S. elections and that the FBI is working in coordination with the Department of Homeland Security.
Nicholas Weaver, a researcher at the International Computer Science Institute, told NPR earlier this year that non-presidential campaigns are perfect phishing targets.
“Phishing is unreliable — you might send out 500 phishing emails and only get a couple of responses,” said Weaver. “But when you have  House races, each with dozens of potential staffers as targets, you’re going to see a lot of these low-level attacks that are remarkably effective when you just use the law of large numbers.”
There are currently no federal security requirements that campaigns are required to follow.
“Campaigns need to think like they are a target,” Weaver said. “Because they are.”