Federal and state officials have confirmed that cyberattacks against state voting systems during the 2016 election were more widespread than previously disclosed to the public, but they said the heightened activity did not impact final vote tallies.
The confirmations follow Tuesday’s Bloomberg report, citing three unnamed sources, that attempts to influence the 2016 presidential election were much greater than previously disclosed to the public. Still, officials pushed back on the revelation that 39 states were “hit” by Russian attackers.
“Unusual or suspicious activity” was detected in several states during the months leading up to the November election, a DHS official who asked not to be identified told the E-Commerce Times. However, that activity was not necessarily considered an attack. Nor was it necessarily attributed to Russia.
The majority of the activity involved scanning and attempting to steal data from voter registration databases. However, voter tallies were not impacted by the hackers.
“Our past election demonstrated that cybercriminals are aggressively targeting our government’s critical infrastructure to gain access to sensitive information and cause widespread damage,” said Ryan Kalember, senior vice president of cyber security strategy at Proofpoint.
Cybercriminals have been trying to take advantage of the United States’ “vulnerable, decentralized structure” to gain access to as much information as possible, he told the E-Commerce Times.
Although their motivation is not clear, and there’s no certainty about what cyberthieves have learned, it is likely they could use the information gleaned to mount future attacks, Kalember warned.
Illinois and Arizona are the only two states that the FBI and DHS have identified as victims of intrusion by Russian cyberattackers during the 2016 elections, according to a report released earlier this year by the National Association of Secretaries of State, which regulates elections in 40 states.
However, numerous other state systems were scanned or probed by the Russians, based on U.S. intelligence data, but were not breached, according to the report.
“Everybody’s alertness level is at an even higher pitch than it was before,” said Ken Menzel, general counsel of the Illinois State Board of Elections.
Post-election investigations of other states’ systems turned up signatures that were similar to those of the hackers who breached the Illinois voter databases, he told the E-Commerce Times, but he did not know which states were involved.
Attempts to breach state voter databases are not a new phenomenon, according to Menzel, who said attempts have been made on a pretty regular basis for years.
The Arizona Secretary of State’s office has learned nothing new since last year, said spokesperson Matt Roberts.
Since the election, Arizona has added two-factor authentication for officials accessing the system, he told the E-Commerce Times.
Phishing in Florida
Bloomberg reported that 39 states were “hit” by cyberattackers, but officials told the E-Commerce Times that what the publication meant by the word “hit” was unclear.
The Bloomberg report followed a controversial story published by The Intercept, reporting that Russian hackers executed a cyberattack on a local software vendor in the U.S. and sent spearphishing emails to at least 100 local election officials around the country. The Intercept based its reporting on a leaked top secret NSA document.
Bloomberg’s report references VR Systems, a firm that specializes in voting system technology. The company earlier this month warned its customers not to click on links in suspicious email messages, after receiving an alert from a customer about a fraudulent email claiming to be from the company. However, VR Systems said at the time that it had no information regarding any customers who may have clicked on any suspicious links, and it had no indication that any data was compromised.
The company last week reported that it was aware of a phishing scam sent to multiple election officials right before the 2016 election, and that it was aware of officials opening the email.
Russian hackers used the phishing attack to try to break into systems of five Florida counties, the Miami Herald reported last week.
A VR Systems official was not immediately available to comment for this story.
“Florida’s online elections databases and voting systems remained secure in 2016. We have multiple safeguards in place to protect against elections fraud and prevent any possible hacking attempts from being successful,” the Florida Department of State said in a statement provided to the E-Commerce Times by spokesperson Sarah Revell.
“The department participated in an informational call with the FBI related to elections security at the end of September 2016, where they alerted officials for the need to maintain security measures, but there was no indication of a Florida-specific issue,” the statement says.
The Bloomberg report highlights the need for the Office of the Director of National Intelligence to release its full report, said Marc Rotenberg, president of the Electronic Privacy Information Center.
EPIC requested the full report in a Freedom of Information Act filing earlier this year, he told the E-Commerce Times.
EPIC is seeking information that goes beyond the disclosures in the declassified report previously released to the public, arguing that the full report might reveal a broader scope of attacks on U.S. political organizations, including state voter databases.
The U.S. Election Assistance Commission, which works with state and local officials to make sure election systems are secure, declined to comment on the Bloomberg report until it had more time to review it, said spokesperson Mark Listes.
State officials have been working to better secure their systems and protect against ongoing threats, he told the E-Commerce Times.
The FBI declined to comment for this story.