Breach, Data Security, Incident Response, TDR

Foreign attackers hacked elections site during government shutdown

A government agency website became the target of Chinese hackers just hours after the government shutdown began in October, according to reports.

In a Tuesday article detailing the lack of funding, staff, and overall government attention, the Federal Election Commission (FEC) has endured in recent years, The Center for Public Integrity, a nonprofit news organization, revealed that the hack happened on Oct. 1.

The FEC is an independent regulatory agency tasked with disclosing campaign funding information to the public. The commission is meant to serve as a watchdog that enforces legal limits and rules on political contributions during elections.

Dave Levinthal, senior political reporter at The Center for Public Integrity, told in a Tuesday interview that FEC – which was short all 339 employees, who had been furloughed during the shutdown – “was simply unprepared to repel the people in China that initiated this [attack].”

According to Levinthal, the website hack resulted in the “public-facing elements of the website being taken down,” including databases that were unavailable to the public and the agency itself, he said.

The issue wasn't altogether remediated until after the government shutdown ended, 16 days later, Levinthal said.

“The entire political disclosure system was being held together with gum, shoestring and the Twitter account of the FEC chairwoman,” Levinthal said of FEC's site, following the attack.

Internal staff with the FEC and Department of Homeland Security confirmed with The Center for Public Integrity that the website hack was carried out by attackers based in China.

Levinthal told that it was “not clear” if hackers were able to steal data belonging to the agency in the breach, but that the attack seemed "prophetic," considering a 2012 audit of FEC's IT security controls. The audit showed that about 60 percent of 250 vulnerabilities identified on FEC's systems that year, had already been identified a year earlier by the agency.

In response, FEC said in the audit report (PDF) that the "frequency of vulnerability scanning will be determined based upon results of scan[s] and available resources and funding."

On Tuesday, reached out to FEC, but an agency spokeswoman declined to comment on the incident, deferring all questions to DHS, which has yet to respond to our inquiries.

Security experts warned during the government shutdown that the diminished workforce could provide cyber adversaries with an easier means of targeting agencies faced with smaller, to no, staff.

Levinthal said that during the FEC attack, “every last member of the staff had been furloughed, so they didn't even have a skeleton staff to deal with such issues as foreign infiltration.”

UPDATE: On Tuesday, DHS emailed a statement to on the incident, saying only that an investigation was underway, and that, currently, there were "no indications" that sensitive data had been compromised during the breach.

“At the request of the FEC, DHS' US-CERT is working with our law enforcement partners to analyze any potential impacts as well as help develop and implement appropriate additional mitigation strategies as necessary," the statement said. "While the investigation is ongoing and no final determination has been made, at this point, there are no indications that any sensitive information or other personal data was compromised.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.