
Voter databases in two states breached by foreign hackers, FBI

Foreign hackers made their way into voter databases in two states in recent weeks, according to a Yahoo! News report.

The FBI's Cyber Division revealed in a "flash" report that it uncovered evidence that the election databases were hacked, which led to the agency issuing warnings to election officials across the country to strengthen the security of their computer systems.

The news follows on suspicions that Russian state-sponsored hackers were behind the July intrusions into systems belonging to the Democratic National Committee as well as other political groups in order to affect results for the upcoming presidential election.

Those breaches prompted Jeh Johnson, secretary of the Department of Homeland Security, to contact state election officials on Aug. 15 to offer the agency's assistance in strengthening state voting systems, including offering cybersecurity experts from the federal government to scan for vulnerabilities in voting systems. The office could also help "provide actionable information, and access to other tools and resources for improving cybersecurity," he said in a statement.

Although Johnson said there was no evidence of credible threats, a few days later, the FBI Cyber Division issued its message to “NEED TO KNOW recipients.” In the report, “Targeting Activity Against State Board of Election Systems,” the FBI said it was looking at cyberintrusions into two state election websites this summer. At least one attack resulted in the siphoning of voter registration data.

While the FBI bulletin didn't identify the two states, Yahoo! reported that sources said it was Arizona – where malicious software was detected in its voter registration system – and Illinois, where officials shuttered the statewide Illinois Voter Registration System for 10 days in July after personal data on up to 200,000 state voters was stolen.

One of the IP addresses documented in the FBI alert was familiar to cybersecurity experts as having been detected before in Russian criminal underground hacker forums. As well, the strategies and technologies used in the incursions bore similarities to methods used in other Russian state-sponsored cyberattacks.

These attacks on the two state voter registration databases shouldn't come as a surprise, Idan Udi Edry, CEO at Nation-E, a Santa Clara, Calif.-based firm that offers protection for critical infrastructure assets, told SCMagazine.com in an email on Monday. "Hackers don't need very much experience to corrupt the outcome of an election based on today's voting machine technology," he said. "With the wide breadth of information available on the internet, almost anyone can do it. In past elections, we have seen several security problems with voter machines. Poor cryptographic protection is one, another is due to a lack of testing by company manufacturers prior to installing the systems at voting stations."

The problem, Edry said, is that often these companies are using cost-efficient methods. That is, they're more interested in turning a profit than in providing a secure, quality product. The second problem, he said, comes from local governments not having the time, funds or resources to certify that these machines are properly secured and safe to use. "Without these resources, city and county officials are forced to assume that the voting machines are secure enough to protect from cyberattacks, and protect private voter information. In reality, election fraud might become easier than ever," he warned.

The adversaries interested in steering the outcome of an election are numerous, James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology, told SCMagazine.com on Monday in an email. "Russia has a record of attacking elections in Ukraine and Crimea, China has a track record of interrupting the growth of democracy throughout Asia," he said.

Between Bernie Sanders supporters feeling as if the Democrat nomination was somehow slighted and Trump telling his supporters to watch out for a rigged election, there are insider threats, hacktivists and script kiddies with modest technical capabilities with a keen interest in the outcome of this emotionally charged election, Scott added.

"For years, voting machine manufacturers and election officials promoted security through obscurity and the impenetrable coding within the machines black box," he explained. "This is a laughable defense. Most voting machines are nothing more than a barebones pc with limited, if any, endpoint security."

These dilapidated, barebones PCs are warehoused in between elections in church basements and other minimal-security environments, which makes them easy prey for any social engineer wishing to inject malicious code or self-deleting malware into the machines via USB, memory card or PBE, Scott said. "When regions audit their machines pre-election, they usually do this weeks or months before elections, so there is more than enough time to infect any or all machines in that particular warehouse."

Scott adds that it is a misconception that adversaries would have to attack the national election in order to have a profound impact. "This is not the case," he said. "Adversaries would target vulnerable voting centers in swing regions of swing states that are critical to the election."

Still, two swing states, Pennsylvania and Georgia, have rejected Johnson's offer of assistance from the DHS to scan their election rolls, according to a report by Nextgov.

Rather, the two states announced they would rely on their own systems to monitor potential election hacking, with Georgia Secretary of State Brian Kemp telling Nextgov that the feds' involvement would be a "vast federal overreach."

"The question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security," Nextgov reported Kemp as writing in an email.

Wanda Murren, a spokeswoman for the Pennsylvania Department of State, said that her state too would rely on its own resources. "Pennsylvania has implemented policies, technologies, best practices and procedures around the safeguarding of data and the protection of our applications, systems and resources," Murren said, according to the report.

"Slot machines currently undergo more testing and regulation than voting machines," Alex Rice, co-founder and CTO at HackerOne, told SCMagazine.com on Monday via email. "The fact that voting machines are vulnerable should not be a surprise to anyone, all technology has been proven vulnerable and these computer systems are no different. Voting computers have not been subjected to basic security best practices such as third-party source code review, vulnerability disclosure, and any level of transparency that a critical system should undergo before they are depended on by our democracy."

As for what could be the motivation for hacking into these databases, Vishal Gupta, CEO of Seclore, told SCMagazine.com in an email on Monday that intelligence gathering seems to be the prime motivation for whoever is behind this cyber campaign. All signs point to a nation-state actor, he said. "This is a stark reminder that defending data being stored in our systems is oftentimes more critical than historically unreliable network defenses."
