NSA: Russian intel attempts to hack county election computers

More than 100 county election offices targeted in Russian military intelligence hack

Russian military intelligence “likely compromised” a computer software company that does business with county election offices across the country and also tried to hack computers of more than 100 county election employees on the eve of the 2016 presidential election, The Intercept news site recently reported.

Russian hackers hit election “systems” in 39 states, according to Bloomberg.com.

Investigators found there had been a manipulation of voter data in a county database but the alterations were discovered and rectified, Time reported June 22. Investigators have not identified whether the hackers in that case were Russian agents.

The Intercept article, based on a leaked top-secret National Security Agency report, details how Russian military intelligence sent phony emails last August to seven employees of an election software company, Tallahassee, Fla.-based VR Systems, whose products are used in counties in eight states: California, Florida, Illinois, Indiana, New York, North Carolina, Virginia and West Virginia. Not all counties in each state are clients of the company, whose computer software manages voter rolls.

The hackers “likely compromised” at least one VR Systems employee’s account to gain log-in information, according to the report. In turn, the hackers set up a phony email account pretending to be VR Systems, to send to election office employees just days before the presidential election Nov. 8.

The phishing email read: “Dear customers, Please take a look at the instructions for our modernised [sic] products. Best regards, VR Systems Inc.”  The emails were sent to 122 county election employees with a Microsoft Word document attachment that, if opened, would gain control of the person’s computer, according to the report. It’s unclear whether county computers were compromised, but The Intercept story quoted the NSA report, saying: “Russian intelligence obtained and maintained access to elements of multiple U.S. state or local electoral boards.”

Sen. Mark Warner of Virginia (D), vice-chair of the Senate Intelligence Committee, said he is pushing for intelligence agencies to declassify the names of states hit to be sure they are helped before any new elections take place.

VR Systems said it didn’t know it was hacked until they were contacted by a client.

 

‘You can’t hack paper’

While Illinois was one of the eight states mentioned as having clients of the hacked company, Cook County is not a client.

“We’ve always tried to operate from the premise that everything is hackable,” said Noah Praetz, director of elections for Cook County, Ill. Cook County made some decisions 12 years ago to have a verifiable paper trail for every vote. “You can’t hack paper.”

Election officials “have two big goals,” he said. “We have to reassure our voters. Up to now, there has been no indication that any vote has been compromised.” The other goal, he said, “is to assure everybody that we take this incredibly seriously.”

Each state has its own rules and some do not require paper trails. A combination system, where residents vote on computers that spit out paper ballots that are then scanned is the best of both worlds, Praetz said. “You get all the advantages of a computer with the security of a paper ballot.”

Praetz said he is not for all counties using the exact same methods and systems nationwide. “We’re a huge country, individualistic with different management styles. We’re a laboratory of democracy. What works spreads. I think a more central system would be more susceptible to attack. Right now, each one of us election administrators are masters of our own island.”

That’s not to say Praetz didn’t take help offered by the Department of Homeland Security. “We took full advantage,” he said.

The Department of Homeland Security urges any state and local elected official to reach out for cybersecurity assistance. To request assistance, contact the Department of Homeland Security at SLTTCyber@hq.dhs.gov.

North Carolina

Some 21 counties of North Carolina’s 100 counties use VR Systems, according to Kim Westbrook Strach, executive director of the North Carolina State Board of Elections and Ethics Enforcement.

The agency’s partnership with DHS and post-election audits by the state and county boards of elections are among the ways North Carolina protects election data and ensures accurate results, Strach said. “This agency takes any reports of possible interference with our election processes very seriously,” she said. “We are actively investigating reported attempts to compromise VR Systems’ electronic poll book software, which is used on Election Day in 21 of North Carolina’s 100 counties to help check in voters who show up to cast ballots in person. The software is not used during early voting and does not play any role in ballot marking or vote tabulation.”

‘White-hat hackers?’

“The Maricopa County recorder has an in-house IT department that builds its own voter registration software and electronic poll book check-in system,” said county Recorder Adrian Fontes. Fontes also hired “friendly” hackers earlier this year to test the security of the county elections system.

Some other friendly hackers — 25,000 of them — will descend on Las Vegas at the end of July to test election software and hardware at DEFCON, the world’s largest hacking conference.

Their goal: To target American voting machines, as a public service. DEFCON founder Jeff Moss said that he’s concerned that no one has proven where the “soft spots” are when it comes to election software, hardware and voting machines.