BuzzFeed News

Reporting To You

US Agency That Certifies Voting Machines Was Hacked, Firm Says

A hacker was in the process of selling login credentials to the government organization that certifies the security of voting technology, according to a new report.

Last updated on December 15, 2016, at 8:50 p.m. ET

Posted on December 15, 2016, at 8:18 p.m. ET

Voters cast their ballots in the Illinois primary in Hinsdale, Ill. I
M. Spencer Green / AP / Via recordedfuture.com

Voters cast their ballots in the Illinois primary in Hinsdale, Ill. I

The government organization that oversees the integrity of voting machines and election administration databases was hacked, according to a report released Thursday.

Recorded Future, a Boston-based cybersecurity company, identified a hacker by the pseudonym Rasputin who stole login information from the US Election Assistance Commission (EAC) and offered it for sale.

Systems status report page from the EAC
Recorded Future / Via recordedfuture.com

Systems status report page from the EAC

Prior to this incident, no cybercriminal activity involving the EAC had been found.

According to the report, Rasputin was in ongoing negotiations to sell 100 login credentials, some with the most powerful administrative privileges over the EAC's databases, to a Middle Eastern government broker for several thousand dollars. Recorded Future does not believe Rasputin was sponsored by a foreign government.

Election and software systems test reports
Recorded Future / Via recordedfuture.com

Election and software systems test reports

Whether the hack could delegitimize the results of the election is difficult to say. Levi Gundert, a researcher with Recorded Future, told BuzzFeed News, "We don't know when the initial compromise occurred or how long the hacker had access, but it wouldn't appear that those credentials would have the ability to materially impact the election."

As for what a potential buyer could have done with the credentials, the company wrote, "These administrative accounts could potentially be used to access sensitive information as well as surreptitiously modify or plant malware on the EAC site, effectively staging a watering hole attack utilizing an official government resource."

The EAC's projects reports page.
Recorded Future / Via recordedfuture.com

The EAC's projects reports page.

A watering hole attack involves hackers targeting a specific group by infecting sites members of that group often visit.

The EAC's database also includes the specifications of electronic voting like where and which companies manufacture them or where they are in the process of security certification, Gundert said. US adversaries could use as advance knowledge to interfere with US elections.

Because of other vulnerabilities in the EAC's system, it is possible that the full extent of the hack is not fully known, according to the report. Recorded Future has sent information on the hack to federal law enforcement.

Rasputin's activity on the Dark Web since the beginning of 2015, as monitored by Recorded Future.
Recorded Future / Via recordedfuture.com

Rasputin's activity on the Dark Web since the beginning of 2015, as monitored by Recorded Future.

According to Gundert, the difficulty of securing government databases makes it unlikely that this was Rasputin's only trove of sensitive information.

The commission did not immediately respond to requests for comment.


ADVERTISEMENT