Russian election hackers hit at least 39 U.S. states in 2016.

Russian hackers reportedly breached the electoral systems of at least 39 states during the summer and fall of 2016, accessing software designed to be used by poll workers on Election Day.

The new number is nearly twice the number of states previously reported. Investigators in Illinois found evidence suggesting the threat actors attempted to delete or alter voter data, and in at least one state hackers accessed a campaign finance database, three people close to the investigation told Bloomberg.

"The new details, buttressed by a classified National Security Agency document recently disclosed by the Intercept, show the scope of alleged hacking that federal investigators are scrutinizing as they look into whether Trump campaign officials may have colluded in the efforts," the publication said.

The information gathered from the Illinois breach sheds light on the tactics, techniques, and procedures of those behind the attacks, Tripwire Senior Security Research Engineer Travis Smith told SC Media.

"In this instance, voter data was found in an internal database," Smith said. "The attackers appear to have only gained read-only access to the database based off of a couple of indicators. First, a contractor spotted unauthorized data (up to 90,000 voter records) leaving the network. Second, attackers failed to alter and delete voter records on the database."

The scope of the attacks was so broad that the Obama administration took the unprecedented step of complaining to Moscow over what was described as a modern-day “red phone.” Administration officials offered detailed documents to the Kremlin accusing Russia of the cyberattacks and warned that the attacks risked setting off a broader conflict.

"From a technical standpoint - these attacks were based on the targeted employees clicking and opening MS Word documents that have VBScript running," FireMon Chief Technology Officer (CTO) Paul Calatayud told SC Media. "A good practice would be to disable and not trust VBScripting within Word which can be done based on policies."

Calatayud said this would have prevented the malware from executing once employees clicked to open the documents. He went on to say that organizations supporting the voting process should be regulated to a high security standard and that a minimum set of technologies should be required, with audits and assessments performed much as the banking and retail industries are required to demonstrate.

"Local governments are similar to many small businesses in regards to cyber security defense maturity," Calatayud said. "Little awareness and training is often present. Good risk reduction starts with strong awareness to ensure employees are not clicking on random e-mails is a good start but can be difficult to monitor and implement."

Experts agreed that officials need to make greater efforts to audit voter system software, Varonis Vice President of Field Engineering Ken Spinner told SC Media.

"Without a record of who is accessing, changing, or deleting data, it's virtually impossible to detect compromise," Spinner said. "It's not hard to imagine a scenario where voter data has been compromised, but has gone undetected due to lack of auditing or evidence of a breach."

He explained that upcoming data privacy regulations like the General Data Protection Regulation (GDPR) spur organizations to proactively protect critical data by limiting access and taking a privacy-by-design approach. He called these actions not only a huge step in data privacy but also a front line of defense against cyberattacks.

The new information comes right on the heels of the NSA documents leaked by Reality Winner concerning Russian cyberattacks on U.S. voting systems.

UPDATE: This story was updated to include comments from Tripwire Senior Security Research Engineer Travis Smith.