The Federal Bureau of Investigation’s Cyber Division this month warned election officials nationwide to fortify voter registration data systems in the wake of two breaches it was able to detect earlier this summer.
A “flash” warning sent by the agency about 10 days ago warned state boards of election to take the necessary precautions to safeguard their databases.
Attackers breached a Board of Election website in July while a separate intrusion was detected on another state’s Board of Election system earlier this month, according to a report today from Yahoo News, which obtained the warning.
It’s unclear how Yahoo obtained a copy of the alert, which was labeled “NEED TO KNOW recipients” and marked for limited distribution under Traffic Light Protocol (TLP) Amber.
The flash warning doesn’t specify which states were affected, but according to Yahoo, which cites “sources familiar with the document,” Arizona’s board of elections database and Illinois’ board of election database were hit.
Hackers allegedly downloaded the personal data of 200,000 voters in Illinois in July before officials were forced to shutter the state’s voter registration system for 10 days. An Arizona state official claims that systems belonging to Arizona’s Board of Elections were targeted, with malicious software hitting its machines, but that the attackers never successfully stole any data, Yahoo says.
Ken Menzel, general counsel for the Illinois State Board of Elections, told reporters back in July that he believed the attack, which took down Illinois’ voter registration system on July 12 for about two weeks, was the result of foreign hackers. Menzel told the Chicago Tribune this week that he believes the information of fewer than 200,000 voters was accessed. No files were erased or modified, and no voting history information or voter signature images were captured, but drivers’ license numbers and the last four digits of Social Security numbers may have been accessed.
The flash alert discusses information released by the Multi-State Information Sharing & Analysis Center (MS-ISAC) earlier this month. According to the memo, an attacker used penetration-testing tools such as Acunetix, SQLmap, and DirBuster to scan one Board of Election site.
According to the alert, the attacker used Acunetix, a common web application scanner, to scan a Board of Election site for vulnerabilities, then used SQLmap, an open source penetration testing tool, to target a SQL injection vulnerability on the site.
“The majority of the data exfiltration occurred in mid-July,” the alert reads, a timeline that coincides almost exactly with the one given by Menzel.
At the time, the bulletin urged states to search their logs for activity by eight “suspicious” IP addresses associated with the tools. The IP addresses trace back to servers in the Netherlands and the United States that are operated by hosting providers based in Bulgaria and Russia that specialize in virtual private servers and dedicated servers.
“Attempts should not be made to touch or ping the IP addresses directly,” the alert cautions.
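The log search the bulletin asks for can be run offline against web server logs already on disk, which never touches the listed addresses. The following is an added example, not code from the alert or from this article; it assumes Combined Log Format, uses constructed placeholder IPs (the eight addresses are not listed here), and assumes the named tools ran with default settings that leave their names in the request or User-Agent.

```python
import re

# Constructed placeholders (RFC 5737 documentation ranges); the article does
# not list the eight addresses from the alert, so substitute the real ones.
INDICATOR_IPS = {"192.0.2.10", "198.51.100.23"}

# Assumption: the scanners ran with default settings, which leave their names
# in the User-Agent or request string. An operator can change these.
TOOL_MARKERS = ("acunetix", "sqlmap", "dirbuster")

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def triage(lines):
    """Return (line_no, ip, reasons) for each log line worth a closer look."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        reasons = []
        if m["ip"] in INDICATOR_IPS:
            reasons.append("indicator-ip")
        haystack = (m["request"] + " " + m["agent"]).lower()
        reasons += [f"tool:{t}" for t in TOOL_MARKERS if t in haystack]
        if reasons:
            hits.append((line_no, m["ip"], reasons))
    return hits

# Constructed sample log lines, not taken from the alert.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Aug/2016:10:01:07 +0000] "GET /lookup?id=7 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Aug/2016:10:02:11 +0000] "GET /lookup?id=7 HTTP/1.1" 500 310 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.23 - - [01/Aug/2016:10:03:40 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"',
]

if __name__ == "__main__":
    for line_no, ip, reasons in triage(SAMPLE_LOG):
        print(line_no, ip, ",".join(reasons))
```

A hit on a tool marker from an address outside the indicator list is still worth reviewing, since the same tooling can be run from other hosts.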
The memo also encourages site hosting providers to ensure that all software, “especially content management software,” has been patched, to conduct vulnerability scans on local government and law enforcement websites, and to make sure the database management system has limited permissions, among other preventative measures.
The flash alert hit inboxes three days after Homeland Security Secretary Jeh Johnson told state officials they could solicit the expertise of government cybersecurity experts. Johnson told members of the National Association of Secretaries of State (NASS) and other chief election officials at the time that voting systems should meet federal cybersecurity recommendations and that, if they wanted, officials could have experts scan their voting systems for vulnerabilities.
In this politically tense climate and roughly 70 days out from the presidential election, the incident of course takes on a different light.
Johnson’s comments were likely spurred by several allegations this summer by Republican presidential candidate Donald Trump. Trump has called the integrity of the U.S. election system into question multiple times just this month and maintains the system may be rigged against him.
Johnson told officials in his call that the Department of Homeland Security wasn’t “aware of any specific or credible cybersecurity threats relating to the upcoming general election systems” but nonetheless offered the assistance of the Department’s National Cybersecurity and Communications Integration Center (NCCIC).