Personal information for several million American voters has turned up on a Russian underground cybercrime forum, according to reports – and users are purportedly looking to monetize it using a recently launched State Department program meant to prevent election-meddling.
The personal information includes names, dates of birth, gender, physical addresses and email addresses, and election-specific data – such as when an individual registered to vote, voter registration numbers and polling stations – according to Kommersant, a Moscow-based newspaper.
The outlet reported Tuesday that several databases of voter data (including one encompassing 7.6 million voters in Michigan, and others covering between 2 million and 6 million voters each for Arkansas, Connecticut, Florida and North Carolina) turned up in an unnamed marketplace in late 2019. Now, that information is being offered for free in discussion forums by someone going by the handle Gorka9, according to Kommersant. The publication added that the hacker said the data was still valid as of this past March.
Security firm Infowatch confirmed that the databases seem authentic. A spokesperson for Infowatch said that the information could be used to mount influence campaigns bent on swaying U.S. voters towards one candidate or another — but more likely, it could be used to mount convincing phishing efforts.
“As is usual in cases like these, victims (registered voters) will need to be on the lookout for bad actors attempting to use the information gleaned from these databases to obtain even more information about their targets,” Chris Hauk, consumer privacy champion at Pixel Privacy, told Threatpost via email. “It is sad to believe that in this day and age that simply registering to exercise your right to vote can make you the target of hackers.”
Meanwhile, forum users told Kommersant that they have also been able to monetize the data through the U.S. State Department’s $10 million anti-influence program. The Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, is offering millions in rewards for “information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber-activities.”
One person told Kommersant that he was paid $4,000 through the program for alerting the Feds about a leaked Connecticut voter database – a claim that has not been confirmed. The State Department did not immediately respond to a request for comment.
As for how the data was obtained, one hacker told the outlet that most of the theft is carried out using server vulnerabilities that can be exploited via SQL injection, a method for inserting malicious code into the queries that a vulnerable application sends to its database. Security researchers said that the claim is entirely plausible.
“New vulnerabilities are reported every hour and database systems are especially prone to attack due to their highly configurable and powerful interactive features,” Mark Kedgley, CTO at New Net Technologies (NNT), told Threatpost. “SQL injection is still a difficult vulnerability to test for as automated tests usually lack the knowledge of the application’s setup and operation. Encryption of data is always an unpopular route due to the heavy impact on system resources and performance. Ideally, security needs to be built in as the application is developed and then a hardened configuration applied to the database system, derived from either the CIS Benchmark or DISA STIG.”
However, in some cases, hacking may not even be required in order to garner the information, according to Paul Bischoff, privacy advocate with Comparitech. “It’s remarkably easy to get one’s hands on voter databases in most states,” Bischoff said via email. “Many of them are available to the public, including Michigan. Even though there are rules about how the data can be used, rules can be broken. Those who legitimately request and receive voter data are responsible for securing it, and not everyone has the same standards of security. I wouldn’t be surprised if we see more voter databases in the hands of foreign threat actors before the 2020 general election.”
And indeed, following Kommersant’s report, the Michigan Secretary of State’s office emphasized that the data the forum users say they have on offer is public information that was likely simply recompiled.
“Our system has not been hacked,” according to a press statement from Michigan Secretary of State Jocelyn Benson’s office. “Public voter information in Michigan and elsewhere is accessible to anyone through a FOIA [Freedom of Information Act] request,” Benson’s office said.
As a backdrop, election-meddling continues to be a security concern as the U.S. presidential election looms on the horizon. While direct hacking activity remains a concern, experts say that the bigger issue is influence campaigns bent on spreading divisiveness and disinformation — mainly through online social-media bots and troll farms. In fact, in a recent Black Hat attendee survey, more than 70 percent said influence campaigns will have the greatest impact on the elections.
UPDATE: This article was updated at 10 a.m. ET on Sept. 2 to include the statement from the Michigan Secretary of State.