The government organization that oversees the integrity of voting machines and election administration databases was hacked, according to a report released Thursday.
Recorded Future, a Boston-based cybersecurity company, identified a hacker by the pseudonym Rasputin who stole login information from the US Election Assistance Commission (EAC) and offered it for sale.
Prior to this incident, no cybercriminal activity involving the EAC had been found.
According to the report, Rasputin was in ongoing negotiations to sell 100 login credentials, some with the most powerful administrative privileges over the EAC's databases, to a Middle Eastern government broker for several thousand dollars. Recorded Future does not believe Rasputin was sponsored by a foreign government.
Whether the hack could delegitimize the results of the election is difficult to say. Levi Gundert, a researcher with Recorded Future, told BuzzFeed News, "We don't know when the initial compromise occurred or how long the hacker had access, but it wouldn't appear that those credentials would have the ability to materially impact the election."
As for what a potential buyer could have done with the credentials, the company wrote, "These administrative accounts could potentially be used to access sensitive information as well as surreptitiously modify or plant malware on the EAC site, effectively staging a watering hole attack utilizing an official government resource."
A watering hole attack involves hackers targeting a specific group by infecting sites members of that group often visit.
The EAC's database also includes the specifications of electronic voting like where and which companies manufacture them or where they are in the process of security certification, Gundert said. US adversaries could use as advance knowledge to interfere with US elections.
Because of other vulnerabilities in the EAC's system, it is possible that the full extent of the hack is not fully known, according to the report. Recorded Future has sent information on the hack to federal law enforcement.
According to Gundert, the difficulty of securing government databases makes it unlikely that this was Rasputin's only trove of sensitive information.
The commission did not immediately respond to requests for comment.