Hackers targeted voter registration systems in Illinois and Arizona, and the FBI alerted Arizona officials in June that Russian hackers were behind the assault on the election system in that state.
The bureau told Arizona officials that the threat was “credible” and severe, ranking as “an 8 on a scale of 1 to 10,” said Matt Roberts, a spokesman for the secretary of state’s office.
As a result, Secretary of State Michele Reagan shut down the state voter registration system for almost a week.
It turned out that the hackers did not succeed in compromising the state system or even any county system, but rather had managed to steal the user name and password for one Gila County elections official.
Nonetheless, the revelation comes amid news that the FBI is investigating suspected foreign hacks of state election computer systems, and earlier this month warned states to be on the alert for intrusions.
In Illinois, officials discovered an intrusion into their state voter registration system in July.
The FBI’s Aug. 18 warning follows heightened concern over Russian hacks of Democratic Party organizations and possible meddling in the presidential election.
Although the hackers did not alter any data, the intrusion into the Illinois database marks the first succesful compromise of a state election database, federal officials said.
Until now, countries such as Russia and China have shown little interest in voting systems in the United States. But experts said that if a foreign government gains the ability to tamper with voter data, for instance by deleting registration records, such a hack could cast doubt on the legitimacy of U.S. elections.
Meanwhile, the recently discovered hacks have state officials across the country scrambling to ensure that their systems have not been compromised. At least two other states are looking into potential breaches, officials said.
“This was a highly sophisticated attack most likely from a foreign (international) entity,” said Kyle Thomas, director of voting and registration systems for the Illinois State Board of Elections, in a message that was sent to all election authorities in the state.
In July, officials in that state discovered the intrusion, in which hackers were able to retrieve voter records. The amount accessed was “a fairly small percentage of the total,” said Ken Menzel, general counsel for the Illinois elections board.
State officials alerted the FBI, he said. The Department of Homeland Security also got involved, he said. The intrusion led the state election board to shut down the voter registration system for a week.
In June, the Arizona Secretary of State’s office shut down part of its website after the FBI found a potential threat to its state voter registration system, according to the Arizona Republic.
Following those breaches, the FBI issued its “flash” alert, which listed Internet protocol addresses and other technical fingerprints associated with the hacks.
“The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected,” said the FBI alert, which was first reported by Yahoo News.
The FBI declined official comment other than to note it “routinely advises private industry of various cyber threat indicators” it turns up in investigations.
The bureau has told Illinois officials that they’re looking at possible foreign government agencies as well as criminal hackers, Menzel said.
The technical details in the alert were gathered by the MS-ISAC, a multi-state information-sharing center that helps state, local and tribal government agencies combat cyber threats and that works with federal law enforcement agencies.
“I’m less concerned about the attackers getting access to and downloading the information,” said Brian Kalkin, vice president of operations for the Center for Internet Security, which operates the MS-ISAC. “I’m more concerned about the information being altered, modified or deleted. That’s where the real potential is for any sort of meddling in the election.”
And James Clapper, the Director of National Intelligence, has told Congress that manipulation or deletion of data is the next big cyber threat–”the next push on the envelope.”
But Tom Hicks, chairman of the federal Election Assistance Commission, an agency set up by Congress after the 2000 Florida recount to maintain election integrity, said he is confident that states have sufficient safeguards in place to ensure efforts at manipulation will be unsuccesful.
For one, he said, if a voter’s name does not show up on the list, the individual can still cast a provision ballot and once his or her status is confirmed, the ballot will be counted. Also, he said, in general the voting systems themselves “are not hooked up to the Internet” and so “there’s not going to be any manipulation of data.”
Nonetheless, more than 30 states have some provisions for online voting, primarily for voters living overseas of serving in the military. An official at the Department of Homeland Security cautioned this spring that online voting is not yet secure.
“We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” Neil Jenkins, an official in the Office of Cybersecurity and Communications at the Department of Homeland Security,
Some private-sector researchers say some of the information released by the FBI points to a potential Russian link, but they caution that their work is preliminary. Rich Barger, chief information officer at ThreatConnect, said that several of the IP addresses trace back to a website-hosting service called King Servers that offers Russia-based technical support. He also said that one of the methods used was similar to a tactic in other intrusions suspected of being carried out by the Russian government, including one this month on the World Anti-Doping Agency.
“The very fact that [someone] has rattled the doorknobs, the very fact that the state election commissions are in the cross-hairs gives grounds to the average American voter to wonder: Can they really trust the results?” said Barger.
On Aug. 15, Homeland Security Secretary Jeh Johnson held a conference call with state election officials, offering the Department of Homeland Security’s assistance in protecting against cyberattacks.
He said that DHS was “not aware of any specific or credible cybersecurity threats relating to the upcoming general election systems,” according to a readout of the call. It was not clear whether he was aware at the time of the FBI’s investigation into the Arizona and Illinois intrusions.