Among its duties, the EAC helps handle reports of voting machine fraud and complaints of abuse complaints.
Among its duties, the EAC helps handle reports of voting machine fraud and complaints of abuse complaints.

A Russian-speaking dubbed Rasputin attempted to sell access to the U.S. Election Assistance Commission (EAC), Recorded Future has discovered.

Among its duties, the EAC helps handle reports of voting machine fraud and complaints of abuse complaints.

Earlier this month the company heard chatter that appeared to be related to a breach of the EAC. After engaging Rasputin to get a handle on the scope of unauthorized access, researchers at the company contacted law enforcement with its findings, which, according to a Recorded Future blog post, evidence of more than 100 access credentials that could have been compromised. Some of those had administrative privileges.

Researchers were able to attribute the breach to Rasputin, who had “offered to sell an unpatched system vulnerability to a Middle Eastern government broker,” the post said. “Rasputin claimed to be accessing the system via an unpatched SQL injection (SQLi) vulnerability. It's not uncommon for this type of vulnerability to lead to broader system level access, however, in this case the full extent of the EAC compromise remains unknown.”

The hack and the subsequent attempt to sell credentials “is a particularly troubling data breach for an organization which is mandated to ensure the integrity and security of electronic voting machines,” Nathan Wenzler, principal security architect at AsTech Consulting, said in comments emailed to SC Media.Perhaps more disturbing is that the hack did not rely on any sophisticated, previously unknown zero-day exploit or a clever bit of social engineering, but rather, the attacker took advantage of a basic SQL injection vulnerability, one of the most common and simplistic vulnerabilities within web applications.”

Chris Roberts, chief security architect at Acalvio, said in comments emailed to SC Media that he wasn't "convinced this is a nation state attack. It doesn't have the hallmarks of getting in, parking, harvesting and basically being “inside” the system. This was find-a-flaw sell-a-flaw work."

Roberts also called out the EAC for its security foibles. "Speaking of flawed machines, WHO IN THEIR RIGHT MINDS uses flawed computers to count votes in the countries MOST talked about, scrutinized and dirty/nasty election," he said. "You'd think they would want to be pristine clean, not caught with their pants around their ankles!"