The FBI issued a “Flash” memorandum, warning that foreign hackers have been targeting state board of election systems.
The FBI’s alert, originally intended only for those with a “direct need to know,” came to light after it was published by Yahoo News. Furthermore, sources told Yahoo that “foreign hackers” penetrated the Illinois board of election site back in July and made off with the personal data of as many as 200,000 Illinois voters. The hack resulted in the state voter registration system being shut down for 10 days.
The attackers struck again in August, going after Arizona this time. The second attack included malicious software that was reportedly injected into the voter registration system. An unnamed Arizona official said no data was successfully exfiltrated.
Tom Hicks, chairman of the federal Election Assistance Commission, called it a “wake-up call for other states to look at their systems.”
The FBI Flash memo identified eight IP addresses; however, some security experts are already pointing at Russia. An Illinois election official told Yahoo that the FBI believes the attackers are “foreign hackers,” without blaming a country. The FBI is allegedly “looking at a ‘possible link’ to the recent highly publicized attack on the Democratic National Committee and other political organizations, which U.S. officials suspect was perpetrated by Russian government hackers.”
Once upon a time, efforts to manipulate elections were covert or part of a media disinformation campaign. But if covert is no longer the plan, and logs are left almost deliberately to point back at IPs, it calls into question whether the “foreign hackers” want to be discovered. As in the days of nukes, an all-out cyberwar means mutually assured destruction. This could mean the attacks were not the work of professionals.
After all, the attacker scanned the Illinois state election board’s site, discovered an SQL injection vulnerability, exploited it and stole voter registration information. SQLi vulnerabilities are unfortunately still very common, exploited every day and often by script kiddies.
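The class of flaw described above, a query built by concatenating user input, is what makes a SQL injection possible. The following is an added example, not code from the article or from the Illinois election board's site, using an in-memory SQLite table with constructed records to show the vulnerable lookup beside its parameterized replacement. The table layout, names and voter IDs are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample rows for a toy voter-lookup table (not the real system's schema).
SAMPLE_VOTERS = [
    ("A1001", "Alice Example", "1985-02-14"),
    ("A1002", "Bob Example", "1990-07-30"),
    ("A1003", "Carol Example", "1978-11-02"),
]

# Assumed format for a voter id: one uppercase letter followed by four digits.
VOTER_ID_RE = re.compile(r"^[A-Z]\d{4}$")


def build_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (voter_id TEXT PRIMARY KEY, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", SAMPLE_VOTERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, voter_id):
    """Injectable: the caller's string is spliced straight into the SQL text,
    so quote characters in the input change the meaning of the WHERE clause."""
    sql = "SELECT voter_id, name, dob FROM voters WHERE voter_id = '" + voter_id + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, voter_id):
    """Safe: the value travels as a bound parameter, never as part of the statement,
    and is additionally checked against the expected id format before any query runs."""
    if not VOTER_ID_RE.match(voter_id):
        return []  # reject malformed ids up front; nothing touches the database
    sql = "SELECT voter_id, name, dob FROM voters WHERE voter_id = ?"
    return conn.execute(sql, (voter_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id :", lookup_vulnerable(db, "A1001"))
    print("vulnerable, bad input :", lookup_vulnerable(db, "x' OR '1'='1"))  # dumps every row
    print("hardened, bad input   :", lookup_hardened(db, "x' OR '1'='1"))    # returns nothing
```

The parameterized query alone closes the injection; the format check is a second, cheaper layer that also keeps obviously malformed requests out of the database logs, which makes the scanner traffic the FBI memo describes easier to spot.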
Yet the FBI Flash memo states, “There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor.” The eighth IP was later noted as “new” by the FBI. The feds listed indicators of board of election intrusions and then recommended that states search their logs for similar activity. If activity was detected, the agency warned against pinging the IP address directly.
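The log search the memo recommends can be done offline against web server access logs, without ever contacting the listed addresses. Below is an added example, not code from the article or from the FBI memo, that parses combined-format access log lines and flags a request when its source IP is on an indicator list or its User-Agent carries the default signature of one of the three tools the memo names. The log lines, the documentation-range IPs in the indicator list and the User-Agent strings are constructed for the example; the memo's real eight addresses are not reproduced in the article.

```python
import re

# Constructed sample access log (Apache/Nginx "combined" format). Source IPs are
# RFC 5737 documentation addresses, not the indicators from the FBI memo.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/2016:03:14:07 +0000] "GET /search?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Acunetix)"
192.0.2.10 - - [12/Jul/2016:03:14:09 +0000] "GET /search?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [12/Jul/2016:03:20:41 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
203.0.113.5 - - [12/Jul/2016:03:22:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/48.0"
"""

# Placeholder indicator list: substitute the addresses from the memo you actually received.
IOC_IPS = {"198.51.100.7"}

# Lower-cased substrings that appear in the default User-Agent of each tool the memo names.
# Operators can change these strings, so an empty result is not proof of absence.
TOOL_SIGNATURES = {"acunetix": "Acunetix", "sqlmap": "SQLMap", "dirbuster": "DirBuster"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text, ioc_ips=IOC_IPS):
    """Flag lines whose source IP is an indicator or whose User-Agent names a known tool.
    Each hit records the IP, timestamp, request line and the reasons it was flagged."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["ip"] in ioc_ips:
            reasons.append("ioc_ip")
        ua = rec["ua"].lower()
        for needle, tool in TOOL_SIGNATURES.items():
            if needle in ua:
                reasons.append("tool:" + tool)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "request": rec["req"], "reasons": reasons})
    return hits


def summarize(hits):
    """Collapse hits into a per-IP count, the form most useful for an incident report."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["request"], ",".join(h["reasons"]))
    print("per-IP hit count:", summarize(found))
```

Matching only on User-Agent and source address is deliberately narrow: it will miss a scanner with a rewritten User-Agent, but it produces no false positives on ordinary browser traffic and can be run against archived logs with no network activity at all, which is what the memo's advice against touching the listed IPs calls for.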
Reuters had previously reported that on August 15 Homeland Security Secretary Jeh Johnson told federal cybersecurity experts to scan for vulnerabilities in voting systems in order to help protect against infiltration.
Yahoo added that although Johnson said to conduct vulnerability scans, Homeland Security was not aware of “specific or credible cybersecurity threats.” A mere three days later, the FBI issued a “Targeting Activity Against State Board of Election Systems” Flash memo.
“This is a big deal,” ThreatConnect CIO Rich Barger told Yahoo. “Two state election boards have been popped, and data has been taken. This certainly should be concerning to the common American voter.” He suggested one of the IP addresses listed by the FBI has been seen in “Russian criminal underground forums.” The attackers’ tools also “appear to resemble methods used in other suspected Russian state-sponsored cyber-attacks.”
The news might rattle the confidence of voters. It may not make you feel better, but EPIC released a report a few weeks ago about how the “secret ballot” is at risk: 32 of 50 states allow voters to transmit ballots insecurely, such as via the Internet, an online portal, email or fax.