
Voter database hack in Illinois by foreign intruder compromises info of 200K

Personal information of Illinois voters was likely siphoned off in a cyberattack, possibly of foreign origin, according to The Chicago Tribune.

On Monday, officials at the Illinois State Board of Elections said personal details of fewer than 200,000 voters were accessed via a cyberintrusion.

Some parts of drivers' license numbers, state ID numbers or Social Security numbers may have been compromised, although files of registered voters were not erased or modified, nor were voting histories or voter signature images stolen, Ken Menzel, general counsel for the elections board, told SCMagazine.com on Tuesday. "Some data, but far from all," may have been captured, he said.

The attackers may have gained access to data as citizens registered to vote online. The personal data of long-time registrants or those who enrolled through a registrar is not in the state voter files. 

The attack is believed to have lasted from June 23 until it was detected and blocked on July 12 when programmers altered code to mitigate database queries originating from suspect locations.

While Menzel attested that the elections board is highly confident the attackers didn't do anything to the state database, he added that the board, along with law enforcement, is still analyzing the situation, he told SCMagazine.com.

As a result of the attack, the voter registration portal was taken offline and only restored last month, enhanced with further encryption and other tools to improve security, officials said.

"We're confident the attackers could not undermine the election process in November," Menzel told SC.

Along with the attack in Illinois, Arizona state officials were notified by the FBI in June of attacks on their election system, which the bureau attributed to Russian bad actors. The FBI's Cyber Division issued a "flash" report to election officials across the country to strengthen the security of their computer systems.

"There are a million reasons as to why whoever hacked the voter registration systems targeted these databases," Levi Gundert, vice president of intelligence and strategy at Recorded Future, a Somerville, Mass.-based internet technology company, told SCMagazine.com in an email.

Gundert pointed out that there is no concrete data linking the hackers to Russia, but, he said, a Russian effort is one possibility. "This could be Russia continuing to prove they can interfere with the U.S. election cycle and doing anything they can accomplish with that objective in mind. This could also be part of the larger trend of criminal groups stealing data from various databases, then cross referencing other stolen databases to compromise bigger targets."

He sees a continuing trend in prolific unauthorized database access, the results of which are being used as stepping stones to larger and more lucrative targets. "While the hack on these voter registration systems could very well be a foreign government with instructions to create havoc among U.S. voters, it's also likely that the attacks can be attributed to other non-state sponsored groups."

As for the repercussions of voter registration system compromises, Gundert said it's unlikely that either attack would cause irregularities in the actual vote count. "By gaining access to these respective websites, hackers gain access to voter registration data, but that isn't necessarily catastrophic. Criminals gain access to names, addresses and birthdates, but can't alter the integrity of the vote count unless they are coordinating with insiders on the ground."

Oren Falkowitz, CEO and co-founder of Area 1 Security, a Redwood City, Calif.-based security firm, told SCMagazine.com in an email that who is behind the attacks matters less than finding the right tools to stop them. "The hack of voter registration systems makes a headline and should make people more aware that many organizations around the world have an interest in our democratic process," said Falkowitz, who formerly worked at the NSA and U.S. Cyber Command.

And Arizona and Illinois are certainly not the only targets, he said. "As we learned after the reporting on the breach at the Democratic National Committee, governments of all kinds have and remain interested in the people and organizations that operate our country. Unfortunately we're still learning about the results of these breaches too late and are too focused on who the culprit is. The only thing that matters is how we stop them. We have to preempt attackers before they strike."

The possibility of Russian involvement in the hacks into Illinois and Arizona's voter registration databases prompted Senate Minority Leader Harry Reid (D-Nev.) to send a letter on Aug. 27 to James Comey, director of the FBI, expressing concern at the threat posed by the Russian government "tampering in our presidential election."

Citing news reports and a "consensus of national security experts" that the Russian government was behind cyberattacks on the Democratic National Committee and the Democratic Congressional Campaign Committee, Reid urged the FBI to investigate. He also cited video evidence of an individual with ties to Republican presidential candidate Donald Trump and his top campaign aides "claiming to be in communication with WikiLeaks," the clearinghouse site for secret, leaked information.

"The prospect of individuals tied to Trump, WikiLeaks and the Russian government coordinating to influence our election raises concerns of the utmost gravity and merits full examination," Reid wrote.

Meanwhile, in Illinois, Menzel said he had no idea who might be behind the attack on the voter registration site. Law enforcement might know, but they have yet to share that information with the Board of Elections, Menzel told SC.

Other experts caution that not enough credible evidence has yet been gathered to ascribe who is behind the attack. "The FBI routinely puts out bulletin alerts and this one is no more cause for concern than any of the others," Cris Thomas, security strategist at Tenable Network, told SCMagazine.com on Tuesday via email. "The fact that the FBI Flash mentions an unknown actor and indicates that there is no credible threat means that this could have been an automated attack not driven by nation-state interests. Attackers set up scripts to scan websites at random, launch SQL injections and grab whatever they can get, so with very little confirmed information available, it's hard to know for sure."

Before anyone gets caught up on who is responsible, Thomas, aka Space Rogue, a former white hat hacker and founding member of the L0pht hacker collective, said we should remember that voter information is not private. Anyone can get that same information by filing a request with a local state voter agency, he said.

"The FBI has been looking into this incident since July and appears to be taking all of the necessary precautions," Thomas told SC. "The recommendations outlined in the bulletin will significantly raise the bar for any attacker and should be taken seriously by all defenders, regardless of whether their threat model includes nation-state attackers or not. However, if their threat model does include nation-state attackers these recommendations will most likely not keep them out."
