Just as cybersecurity concerns over the U.S. presidential election reach a fever pitch, the U.S. agency responsible for certifying that voting machines work properly says it may have been hacked. The admission comes after independent researchers said they uncovered evidence that hackers have infiltrated the agency in question, the U.S. Election Assistance Commission.
On Thursday, security firm Recorded Future reported that a hacker had offered to sell, on the Dark Web, knowledge of an unpatched SQL injection vulnerability. The vulnerability would have given an attacker access to the Election Assistance Commission (EAC) website and backend systems. In addition to knowledge of the vulnerability, the seller also included 100 potentially compromised access credentials for the system, including some with administrative privileges.
“This vulnerability would have given an adversary access to the EAC database, allowed them to plant malware on the site or effectively stage a watering hole attack,” said Levi Gundert, VP of intelligence and strategy at Recorded Future.
EAC is an independent bipartisan commission that develops voting guidelines and provides information on administering elections. The commission is also responsible for testing and certifying voting equipment and systems to ensure they meet security standards, according to the agency’s website.
Gundert said access to EAC’s systems by an attacker would be invaluable for future attacks, helping them glean sensitive information about existing electronic voting systems as well as those coming online.
The Election Assistance Commission acknowledged the vulnerability and released the following statement:
“EAC has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects… Upon detecting the intrusion, the EAC terminated access to the application and began working with federal law enforcement agencies to determine the source of this criminal activity. The FBI is currently conducting an ongoing criminal investigation.”
Little is known about the hacker selling the SQL injection flaw. According to a report by Recorded Future, the seller’s native language is Russian, and the seller goes by the online handle “Rasputin.”
Researchers said they spotted Rasputin advertising the flaw on the Dark Web for between $2,000 and $5,000 on Dec. 1 and alerted authorities the next day. “Based on Rasputin’s historical criminal forum activity, Recorded Future believes it’s unlikely that Rasputin is sponsored by a foreign government,” Recorded Future said.
SQL injections are among the most common techniques employed by hackers to steal valuable information from corporate databases. Recorded Future declined to share technical specifics of the SQL injection vulnerability or EAC’s compromised platform.
This past U.S. presidential election has seen an unprecedented amount of concern over hackers attempting to sway election results. In August, the Federal Bureau of Investigation’s Cyber Division warned election officials nationwide to fortify voter registration data systems in the wake of two breaches it was able to detect earlier this summer. Earlier this week, President Barack Obama said the U.S. intelligence community has concluded Russian cyberattacks were part of an effort to influence the 2016 presidential election.
Gundert doesn’t believe the sale of the unpatched SQL injection vulnerability is tied to past election attacks. However, he said, stolen credentials and earlier attacks that may have taken advantage of the SQL injection vulnerability could fuel more serious cyberattacks in the future.
“It’s unclear how long the EAC vulnerability has been active; however, it could have been potentially discovered and accessed by several parties independently,” Recorded Future said.