The FBI has launched investigations into malicious cyberattacks on the electronic election infrastructures in Illinois and Arizona, and federal officials last month warned states to take steps to protect their systems as the presidential campaign heats up, according to reports that surfaced this week.
The attacks, dating back to June, led to the illegal download of information on more than 200,000 Illinois voters, leading to a 10-day shutdown of the state’s voter registration system.
Hackers also penetrated systems in Arizona but apparently failed to download specific voter information.
A timeline issued by the Illinois Board of Elections confirmed that it contacted the Illinois Attorney General’s office, was contacted by the FBI, and has been cooperating with the agency.
The attack on the Illinois voter registration database began on June 23 and was discovered on July 12, according to the timeline. The voter registration database apparently was the victim of an SQL injection attack, resulting from repeatedly entering an authorized database query into a data field on a website. The Illinois AG was notified on July 19.
The attackers reportedly were hitting the database five times per second, 24 hours a day from June 23 to Aug. 12. The site was taken down as a precaution on July 13, and firewall protection prevented further data from being compromised.
Passwords of election authorities and their staffs reportedly were compromised. Personal information of voters also was compromised, but their voting signatures and histories apparently were not exposed.
State voting systems have been dealing with hacking attempts for 10 years, noted Ken Menzel, general counsel of the Illinois State Board of Elections.
However, why hackers targeted Illinois and not other states in this instance is unknown, he told the E-Commerce Times.
“Until law enforcement catches the who, I don’t think we’re going to have a sense of exactly why,” Menzel said.
There are about 7.5 million active voters in Illinois, he noted, and 200,000 is the upper end of the number of records compromised.
The Illinois Attorney General’s office is working with the board to notify voters about the breach, said AG spokesperson Eileen Boyce.
The exploitation of vulnerabilities in electronic voting systems has been a nagging worry for years.
“I think we can safely say that it’s a unanimous and universal concern that electoral systems are appropriately protected,” said Christopher Budd, global threat communication manager at Trend Micro.
Voting data can be exploited in a number of ways, he told the E-Commerce Times, including extortion, phishing schemes, and identity theft — particularly involving the deceased.
Department of Homeland Security Secretary Jeh Johnson last month hosted a conference call with top state election officials to discuss the cybersecurity issue and the need to protect voting infrastructures. The call participants included members of the U.S. Election Assistance Commission, the Department of Commerce’s National Institute for Standards and Technology, and the Department of Justice.
DHS planned to launch a Voting Infrastructure Cybersecurity Action Campaign, Johnson said during the call, enlisting experts of all levels from the government and private sector.
State officials should implement NIST and EAC recommendations on securing voting infrastructure, he advised, which include making sure voting machines are not connected to the Internet while voting is taking place.
The Russian Connection
Meanwhile, Arizona took its voter registration system offline in June, due to what the FBI characterized as a credible threat, according to Matt Roberts, spokesperson for Arizona Secretary of State Michele Reagan.
“As you might have seen, a credential used by a county user to access the Arizona Statewide Voter Registration System was compromised by malware inadvertently installed on a county computer and subsequently leaked by a known Russian hacker,” he told the E-Commerce Times.
“Our office immediately took steps to perform an exhaustive security review of the statewide voter registration system with the help of the Arizona Department of Administration and our voter registration software vendor,” Roberts said.
“We found no evidence that anyone was able to penetrate the our security to gain access to the information within the registration database,” he noted. “We have implemented enhanced measures to ensure access the system is secure, restored the system and continued its use.”