NSA Report Shines Light on Russian Cyberattacks Targeting State and Local Elections Systems

Eight U.S. states contract with VR Systems, a Florida-based election products and services vendor targeted in a Russian cyberattack aimed at accessing local election boards, according to a top-secret National Security Agency report.

California, Florida, Illinois, Indiana, New York, North Carolina, Virginia and West Virginia rely on equipment and support provided by the company specializing in voter registration, which likely had at least one employee account login compromised, according to report, which was first obtained and independently authenticated by The Intercept.

Of those states, Indiana and Virginia don’t require risk-limiting audits of backup paper ballots post-vote—the only way to ensure electronic results and, thereby, election legitimacy, as Route Fifty previously reported.

“We learned about this report like everyone else,” Kay Stimson, a National Association of Secretaries of State spokeswoman, told Route Fifty in an interview. “For us, it’s really important to make sure elected officials are aware of the existence of this report.”

While VR Systems doesn’t design or program electronic voting machines, tampering with internet-connected voter roll software could effectively amount to a denial-of-service attack on voting itself. People could be taken off the rolls, be designated as having voted absentee or have their address changed to show them living in another jurisdiction.

To avoid such tampering, states should adopt contingencies like backing up voter registration databases regularly to maintain the correct information, said Susan Greenhalgh, Verified Voting elections specialist, in an interview.  

Worse still, state and local information technology employees often configure both voter registration and vote tallying systems pre-election, meaning any software updates they administer could infect the election management system and then voting machines—assuming personnel have already been hacked.

On either Oct. 31 or Nov. 1, the Russian General Staff Main Intelligence Directorate, a military intelligence entity, sent spear-phishing emails containing a trojanized Microsoft Word document on VR Systems’ EViD voter database to 122 local election officials, according to the report.

The effect on state and local election management remains unclear, though the malware was designed to gain control of system and settings functions that would allow the automatic delivery of even more malware. Encrypted information could then be funneled out, likely alerting the owner to the theft but not the content.

Organizations like Verified Voting and the Institute for Critical Infrastructure Technology have warned federal, state and local officials geo-targeted malware could be injected at the manufacturer level with the end goal of altering the electronic vote tally in swing regions of swing states.

“A lot of [states have] provisions where [audits] have to be triggered, or they’re not designed specifically to determine if the election was tallied correctly,” Greenhalgh said. “There’s really nothing they can do. That’s the problem.”

Currently, 21 states don’t mandate post-election audits of the electronic vote, according to the National Conference of State Legislatures, and 32 states continue to use highly vulnerable email or internet portal voting to some degree.

Colorado is exploring some of the most statistically advanced election auditing protocols, and Iowa recently saw legislation proposed testing the waters. Meanwhile, Georgia Secretary of State Brian Kemp, who’s running for governor as a Republican, continues to spurn paper ballots—despite a white hat hacker flagging a known vulnerability with the Center for Election Systems later confirmed by the FBI, Greenhalgh added.

“The only group that was non-receptive . . . was the secretaries of states, and they’re the ones that are ultimately responsible for the failure that we’re seeing here,” James Scott, a ICIT senior fellow, said in an interview.

He argues many secretaries of state lack an understanding of the threat and haven’t taken advantage of cybersecurity companies’ offers to forensically analyze their election systems for vulnerabilities.

Stimson points out ICIT represents the cyber industry and said they’re using “scare tactics” to drum up business for their backers. Not to mention, most states and localities are cash-strapped when it comes to funding new audits.

NASS has asked the U.S. Department of Homeland Security for a briefing on the report and is awaiting a response.

“We need to understand why this info wasn’t shared,” Stimson said. “There’s no information in that report, at least that we can tell, on if anyone opened those emails and what that would mean.”

The VR Systems cyberattack occurred despite a direct warning to Russian President Vladimir Putin from then-President Barack Obama and contradicts Putin’s claims his government never authorized state-level hacking.

Perhaps more alarming is the report’s brief mention of two other election hacking operations, one of which targeted the American Samoa Election Office posing as an absentee ballot-related service provider.

Scott doesn’t even see technical vulnerabilities with voting machines and central tabulators as the biggest threat to future elections, but internet service providers’ curation of unlimited, underprotected metadata on the population—opening users up to psychographic targeting. Information warfare, in other words, where special interest groups manipulate public perceptions and use “seemingly innocent vectors to distribute real news mixed with fake news” is just as likely.

By the 2018 midterm elections, hackers will be offering access-as-a-service to central vote tabulators at the state level and vendor systems and the manufacturing level, Scott predicts, as well as more exclusive services focused on swing states like fractionalization malware that weighs and alters the vote convincingly.

On both sides of the aisle, Republican and Democrat, ICIT has found some congressional staffs more tech savvy and cyber literate than others: Democratic Sen. Ed Markey of Massachusetts, Republican Sen. Lamar Alexander of Tennessee and Democratic Sen. Patty Murray of Washington to name a few. But election security can’t be ensured on Capitol Hill.

“I think the public has to demand more and apply more pressure to those local and state representatives. More has to be done there to educate those guys that operate strictly local because those guys can collectively apply pressure to secretaries of state and governors offices,” Scott said. “I don’t think this is a U.S. senate or U.S. House issue so much as a local- and state-level issue.”