The FBI’s decision to issue a nationwide alert about the possible hacking of state election offices after breaches in Illinois and Arizona is raising concerns that a nationwide attack could be afoot, with the potential for creating havoc on Election Day.
It’s possible that the motivation behind the two state hacks was less about the political system and more about cash. Voter registration data sets include valuable information — such as names, birth dates, phone numbers and physical and email addresses — that criminal hackers can bundle and flip on the black-market “dark web” for thousands of dollars.
But some cyber experts said the FBI’s alert, first revealed by Yahoo News on Monday, could be a sign that investigators are worried that foreign actors are attempting a wide-scale digital onslaught.
A former lead agent in the FBI’s Cyber Division said the hackers’ use of a particular attack tool and the level of the FBI’s alert “more than likely means nation-state attackers.” The alert was coded “Amber,” designating messages with sensitive information that “should not be widely distributed and should not be made public,” the ex-official said.
One person who works with state election officials called the FBI’s memo “completely unprecedented.”
“There’s never been an alert like that before that we know of,” said the person, who requested anonymity to discuss sensitive intergovernmental conversations.
Multiple former officials and security researchers said the cyberattacks on Arizona’s and Illinois’ voter databases could be part of a suspected Russian attempt to meddle in the U.S. election, a campaign that has already included successful intrusions at major Democratic Party organizations and the selective leaking of documents embarrassing to Democrats. Hillary Clinton’s campaign has alleged that the digital attacks on her party are an effort by Russian President Vladimir Putin’s regime to sway the election to GOP nominee Donald Trump. Moscow has denied any involvement.
Hacking state election offices could offer new tools for affecting the outcome of the vote.
Having access to voter rolls, for example, could allow hackers to digitally alter or delete registration information, potentially denying people a chance to vote on Election Day. Or news of the attack could simply fuel further distrust in the U.S. election system, which Trump has repeatedly alleged is “rigged.”
“I think he’s just unleashed the hounds,” said Tom Kellermann, head of Strategic Cyber Ventures, referring to Putin. Kellermann said the intrusions fit the “modus operandi and the ultimate goal” of a long-standing Russian digital intelligence campaign targeting foreign government officials in Europe, the U.S. and elsewhere that Kellermann has been tracking for years, which researchers believe has turned its sights on the American electoral process.
The FBI’s investigations of the Arizona and Illinois attacks have been public knowledge since July, when both states took their voter registration databases offline following detection of the intrusions. But the bureau’s Cyber Division broadened its sweep in an Aug. 18 “flash” alert that warned top election officials in every state about potential foreign intrusions of their election systems. The alert advised officials to look for a series of specific hallmarks of cyberattacks.
In Illinois, officials told Yahoo News that hackers pilfered personal data on up to 200,000 voters. The Arizona digital intruders did not make off with any information, said the news service.
Some cyber experts are skeptical that the attacks on the elections offices had any political motive, noting that hackers often rifle through government databases looking for personal information they can sell.
“It’s got the hallmark signs of any criminal actors, whether it be Russia or Eastern Europe,” said Milan Patel, a former chief technology officer of the FBI’s Cyber Division who is now at the security firm K2 Intelligence. However, he added, “the question of getting into these databases and what it means is certainly not outside the purview of state-sponsored activity.”
Still, little public digital forensic evidence has come to light so far that would link the Illinois and Arizona hackers to a Russian-backed group that researchers say broke into the Democratic National Committee and the Democratic Congressional Campaign Committee.
“No robust evidence as of yet,” respected cybersecurity consultant Matt Tait said on Twitter.
The FBI’s alert asked state officials to check whether their networks had seen any activity coming from eight specific Internet Protocol addresses, at least one of which was tied to a Russian cyber gang, according to Yahoo News.
The FBI sent the alert to the Election Assistance Commission, the federal agency that offers help to states in improving the management of their elections. The commission then sent it to state officials, spokesman Bryan Whitener told POLITICO.
The FBI declined to comment on the alert but said in a statement that it “routinely advises private industry of various cyberthreat indicators observed during the course of our investigations.”
Leo Taddeo, a former head of the cyber division in the FBI’s New York office, said such a widespread alert “indicates that this could be a systematic attack, rather than an isolated targeting of a particular database.”
Sending out the memo is the only way for officials to do a complete review of all state election systems and determine whether a “dedicated attack” is taking place on multiple networks, Taddeo added. Elections have always been run at the state and local level, and few if any federal laws govern how local officials manage and secure voter data.
At most, several federal agencies provide voluntary guidelines for local officials. In some states, voter registration information is a public record, meaning data security rules governing the handling of personal information — such as names and home addresses — don’t apply.
The FBI’s alert reflects growing government awareness of the cyberthreat to election systems.
The Department of Homeland Security had held no conversations with states about election cybersecurity until a conference call that Secretary Jeh Johnson held with state officials on Aug. 15, a person involved in state election work said.
That call came together after Johnson publicly floated the idea of classifying elections as “critical infrastructure,” a designation that grants special security assistance to vital facilities such as banks and the power grid. “We hastily reached out to DHS to try to organize a call that would at least give state officials some information on what was going on with DHS,” the person said.
On the call, DHS officials urged states to coordinate with their local FBI offices if they weren’t already doing so. The department also agreed to provide resources to states, including vulnerability-detection software. But the DHS has not provided those resources yet, and some states, such as Georgia, have balked at the offers of assistance, fearful of federal meddling.
DHS plans to announce an election cybersecurity awareness campaign soon, the person said.
A DHS spokesman declined to comment on the FBI alert.
In the meantime, digital voter registration systems appear to be functioning — mostly. Of 42 state databases that POLITICO accessed on Monday, 41 were available, although the entire website of California’s secretary of state was down.
"It is down right now," said Sam Maood, spokesman for the California secretary of state. "There’s no evidence that it’s due to hacking or any kind of data breach."
All but one of the other states either required more extensive measures to check registration or had no evident online system. The one exception, North Dakota, is the only state that doesn’t require voters to register, according to its secretary of state.
But devastating consequences could ensue if these databases fell into the hands of motivated digital attackers, election security specialists said.
“An attacker could potentially remove registered voters from the registration list in areas that are expected to vote against the attacker’s preferred candidate, creating challenges and delays when the voters show up at the polls to vote,” said Jason Straight, chief privacy officer for UnitedLex, which advises corporations on cybersecurity practices.
By ERIC GELLER
Straight called such manipulation a “much greater threat” than the possibility of hackers tampering with electronic voting machines, which election watchdog groups and researchers say are insecure and often lack proper auditing mechanisms.
Tilting elections through voting machine hacks “would require extensive use of on-the-ground operatives with social engineering and technical skills to pull off,” Straight said.
In recent years, voter rolls have become an increasingly attractive target for both cyber gangs and government-backed digital spies, appearing for sale on underground web forums or simply being found sitting unprotected online.
Hundreds of millions of voters in the U.S., the Philippines, Turkey, Kazakhstan and Mexico have been affected.
The big windfall came last October, when hackers — “probably based in Russia” — started selling a set of Americans’ voter data “containing personal information on approximately 190 million persons,” said Christopher Porter, manager of FireEye iSIGHT Intelligence, a leading cybersecurity firm that examined the leak. The information exposed included full names, genders, dates of birth, physical addresses, email addresses and phone numbers.
The presence of the Russian cyber gang-linked IP address in the FBI alert is a possible indication that these digital thieves were at it again in Illinois and Arizona, said several researchers and a former FBI official.
While such thefts could be the work of ordinary criminals, these same experts explained that Russian cyber gangs often act at the behest of the Kremlin, either directly or indirectly. In exchange, these groups receive immunity from prosecution and “maintain their untouchable status,” said Kellermann, of Cybersecurity Strategic Ventures.
If this is indeed the case with the recent intrusions of state voter registration databases, Kellermann believes the suspected campaign to undermine the U.S. election process is “reaching a tipping point.”
“It’s high time that the U.S. government took off its own gloves,” he said.