Russia’s interference in the 2016 presidential election included a far more extensive effort to hack into state-controlled voting systems than the federal government has previously acknowledged, according to the indictment of 12 Russian military officers unveiled Friday.
The targets of that effort, the indictment says, included a US company that provides local election offices across the country with software used to verify voters’ identities. The company is not identified.
The Russian military hackers also succeeded in stealing the personal details of 500,000 voters in a single state, according to the indictment — the first time the government has acknowledged that voter information was actually seized by Russian hackers during the runup to the 2016 election.
In announcing the indictment, Deputy Attorney General Rod Rosenstein repeated, as he has in previous comments, that there is no indication that the hackers altered any vote totals. But the depth of the Russian intrusion into systems intended to safeguard the integrity of elections once again raises concerns about whether local jurisdictions, whose technical abilities vary widely, and the companies they contract are able to fend off the determined efforts of nation-state hackers with vast resources at their disposal.
“It is very concerning” that a private US election vendor was hacked, said Michael Sulmeyer, a former Department of Defense cybersecurity policy adviser and the director of the Belfer Center’s Cyber Security Project. “But it isn’t shocking. Both sides of the equation have to take responsibility: the vendors must improve the security of the products they’re selling, and the purchasers must demand it.”
While the indictment did not identify the company, the Intercept, relying on a National Security Agency analysis leaked by Reality Winner — who has since pleaded guilty to that leak and currently awaits sentencing — says it’s Florida-based VR Systems, which provides voting equipment to multiple jurisdictions. The company didn’t respond to requests for comment.
Russian military intelligence is also thought to have tried to trick county election workers in North Carolina and Florida into installing malware that was included in Microsoft Word documents, purportedly from VR, on their computers. It’s not clear if any of those emails were ever opened. At least some were stuck in spam filters.
The indictment’s revelations about efforts to compromise state voting systems come at a delicate time for federal officials tasked with protecting election integrity. Earlier this week, two officials of the Department of Homeland Security told Congress that to date no efforts to hack into the state systems have been detected during the current election cycle.
But the size of the 2016 intrusions revealed in Friday’s indictment is sure to raise questions about how well the federal government is able to track such hacks and how forthright the government is about sharing that information.
In 2016, Russian military hackers scanned the election-related websites of at least 21 different states for vulnerabilities. But while DHS alerted IT staffers about specific technical threats, the agency didn’t share that information with top officials of those states until nearly a year after the election, claiming those state officials didn’t have security clearances entitling them to see information that had been developed by the country’s intelligence agencies.
The new details in Friday’s indictment also caught state officials by surprise. The indictment says, for example, that the Russians “hacked the website of a state board of elections (“SBOE 1”) and stole information related to approximately 500,000 voters, including names, addresses, parts of social security numbers, dates of birth, and driver’s license numbers” around July 2016.
A source familiar with the hack said that the state involved was Illinois, which had previously acknowledged its voter registration database had been compromised around that time. Matt Dietrich, the Public Information Officer of the Illinois State Board of Elections, said “it’s pretty likely they’re referring to us when they talk about a state board of election being hacked.”
However, he noted, half a million voters was far more than the number of victims Illinois believed had been affected in the state.
“We notified 76,000 voters,” Dietrich told BuzzFeed News. “The IT department here doesn’t know where the 500,000 number comes from. But it’s possible they could be referring to other states.”
Sulmeyer, of the Belfer Center’s Cyber Security Project, said the theft was a significant one. “We’re talking theft at scale,” he said. “Those records can be mined, and the perpetrators can do a lot more social engineering with that data.”
After the FBI identified some of the infrastructure that the Russian hackers had used in that operation, the indictment says, the officer leading that operation, Anatoliy Kovalev, deleted his search history. He and others in the operation also deleted other, unidentified evidence, the indictment says.
The hackers tried and failed to change administrative controls in the Illinois voter registration database, Dietrich said, but didn’t bother trying to change voter data.
In its report on the subject, the Senate Intelligence Committee said that in a “small number of states,” Russian hackers “were able to gain access to restricted elements of election infrastructure” and “were in a position to, at a minimum, alter or delete voter registration data.”
Illinois is the only state to publicly acknowledge that its voter registration database was accessed by Russian government hackers. Arizona’s was also breached, but White House officials have said that was the work of unrelated criminals. The Arizona secretary of state’s office didn’t respond to a request for comment.
“We had no advance notice this was coming,” Dietrich said of the indictment. “We haven’t had any contact with them about this other than we cooperated with the FBI from the start. They were brought in almost immediately after we recognized the breach.”
The Department of Homeland Security said it could not confirm the number of people affected in the breach. The special counsel’s office declined to comment on the discrepancy.
“It’s possible it’s because they have access to the data that the Russians have, that Illinois didn’t,” said Lawrence Norden, a voting security expert at New York University’s Brennan Center.
It’s unclear what the Russian hackers planned to do with the information they accessed, or even if they had a plan, but experts warned that even though a lot of voter registration data is public, accessing a centralized database of voter information could help an adversary influence an election outcome in ways other than directly changing vote tallies.
They did, at least, have some sense of local targeting, the indictment said, probing individual counties in Georgia, Iowa, and Florida for vulnerabilities on Oct. 28, 2016, 11 days before the election.
“There’s other stuff in the indictment that indicates they were gathering information about targeting voters,” Norden said. “We don’t have enough information about what they were doing. I don’t think the indictment tells us.”