On Monday, an official FBI alert from August 18 was leaked to Yahoo News. The alert stated the FBI had uncovered evidence showing that at least two state election systems were penetrated by hackers in recent weeks. The FBI quickly issued warnings to election officials across the country to ramp up security on their systems.
It appears from the Flash Alert that the public was not supposed to know about it.
This FLASH has been released TLP: AMBER: The information in this product is only for members of their own organization and those with DIRECT NEED TO KNOW. This information is NOT to be forwarded on beyond NEED TO KNOW recipients.
The FBI then goes on to describe the nature of the attack and lists the IP addresses associated with the intrusion.
The FBI received information of an additional IP address, 126.96.36.199, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 188.8.131.52 used in the aforementioned compromise.
The following information was released by the MS-ISAC on 1 August 2016, which was derived through the course of the investigation. In late June 2016, an unknown actor scanned a state’s Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor, detailed in the indicators section below.
“This is a big deal,” said Rich Barger, chief intelligence officer for ThreatConnect, a cybersecurity firm, who reviewed the FBI alert at the request of Yahoo News. “Two state election boards have been popped, and data has been taken. This certainly should be concerning to the common American voter.”
According to the FBI, the hack is the work of a ‘foreign entity.’ However, they have not named the country of origin. This has not stopped other officials from quickly blaming the Russians.
Also absent from the alert are the names of the states involved in the hack.
According to the report from Yahoo News:
The bulletin does not identify the states in question, but sources familiar with the document say it refers to the targeting by suspected foreign hackers of voter registration databases in Arizona and Illinois. In the Illinois case, officials were forced to shut down the state’s voter registration system for ten days in late July, after the hackers managed to download personal data on up to 200,000 state voters, Ken Menzel, the general counsel of the Illinois Board of Elections, said in an interview. The Arizona attack was more limited, involving malicious software that was introduced into its voter registration system but no successful exfiltration of data, a state official said.
“The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected,” the alert reads. “Attempts should not be made to touch or ping the IP addresses directly.”
While the alert lists the IP addresses from which the attacks originated, it is highly unlikely that the hackers would use any traceable address.
“This is a wake-up call for other states to look at their systems,” said Tom Hicks, chairman of the federal Election Assistance Commission.
This news comes on the heels of a report earlier this month in which a professor from Princeton University and a graduate student proved electronic voting machines in the U.S. remain astonishingly vulnerable to hackers — and they did it in under eight minutes.
Professor Andrew Appel, a Princeton University computer science professor who has studied election security, and grad student Alex Halderman took just seven minutes to break into the authentic Sequoia AVC Advantage electronic voting machine Appel purchased for $82 online — one of the oldest models, but still used in Louisiana, Pennsylvania, New Jersey, and Virginia.
Appel notes that the only “reasonably safe” voting method is paper ballots as they can be counted alongside the electronic tally. However, crucial swing states, as Appel notes, rely on more vulnerable paperless touchscreen voting which does not back up any of the numbers.
“Then whatever numbers the voting computer says at the close of the polls are completely under the control of the computer program in there,” Appel wrote in a recent blog post entitled “Security Against Election Hacking.” “If the computer is hacked, then the hacker gets to decide what numbers are reported. … All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem.”
The fact that the FBI is now admitting to the vulnerability of the election should raise serious concern for Americans. Before 2016, talk of vote rigging, or hacking elections, remained on the fringe — in spite of whistleblowers showing the easily provable insecure nature of electronic voting machines.
As the famous quote, often attributed to Joseph Stalin, notes:
The people who cast the votes don’t decide an election, the people who count the votes do.
And now, with electronic voting and this news of how easily hackable it is, even the vote counters may not decide.