The charges bring into question previous statements from vendors and state officials.
Russia’s cyber attack on state election infrastructure in 2016 was wider in scope and more successful than some victims of the attack had previously claimed, according to the U.S. Department of Justice indictment against Russian military intelligence officials announced this Friday. The document raises new questions about the previously acknowledged hack of the Illinois Board of Elections, as well as at least one private sector technology vendor that supports election infrastructure across the country.
Count 11 of this most recent indictment places Anatoliy Sergeyevich Kovalev, an officer in the Russian military, at the center of a campaign against U.S. state and local election infrastructure in the lead-up to the 2016 election. The charges claim that in July 2016, Kovalev and other Russian military officials “hacked the website of a state board of elections ... and stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver’s license numbers.”
The Illinois Board of Elections released a statement on Friday that “it is likely” that the indictment is referring to them. However, the document’s claim that Russia stole data on 500,000 voters conflicts with the state’s previous figure of 76,000 voters’ information compromised.
“The figure 500,000 referred to in the indictment may have been arrived at using a different methodology prescribed under federal criminal code,” the board said in its statement. “As part of our review of the indictment, we will be contacting federal law enforcement to obtain more information on the number referenced in the indictment.”
Even after an FBI alert to election authorities about efforts to compromise states’ websites and systems was made public in August 2016, the Russian military continued its efforts against state and local elections in the lead-up to the election. The indictment specifically points to the Russian military probing “the websites of certain counties in Georgia, Iowa, and Florida to identify vulnerabilities” in October as one example.
The federal indictment also details the successful hack of a vendor that “supplied software used to verify voter registration information for the 2016 U.S. elections.” Reporting by The Intercept shows the likely vendor to be VR Systems, which has previously denied being hacked. VR Systems’ website includes testimonials from local election officials from North Carolina, Florida and Virginia.
The Justice Department claims the Russian military later used the vendor’s logo as part of a campaign to embed malware on the computers of “organizations and personnel involved in administering elections in numerous Florida counties” just prior to the election.
As previously reported by Route Fifty, states and localities received an additional $380 million in funding from Congress this year to shore up the security of their election systems. State and local leaders believe improvements to their systems even prior to that funding put them in a better position than they were in two years ago.
Illinois noted in the statement released Friday: “In addition to measures taken after the 2016 incident, the State Board of Elections currently is involved in establishing a Cyber Navigator Program funded with a federal grant from the U.S. Election Assistance Commission that will greatly enhance cybersecurity both at SBE and among all 108 local election jurisdictions in Illinois.”
According to WMAQ / NBC Chicago, election officials were hoping to replace voting machines, but “state and federal requirements say the money must be used primarily on preventing a repeat of 2016.” Leadership at the U.S. Election Assistance Commission readily admits the funding provided by Congress is not enough to replace existing voting systems, but also believes the funding is supporting “creative” security efforts.
State election officials have questioned the quality of intelligence they are receiving from their federal partners at the U.S. Department of Homeland Security. Those concerns may resurface in the wake of the different numbers of potential voters affected by the Illinois Board of Elections breach.
The Senate Intelligence Committee’s bipartisan report on Russian interference in the 2016 election made several recommendations to improve election security, including better information sharing between federal partners and the states, as well as replacing “outdated and vulnerable” voting equipment. The report states that “at least 18 states had election systems targeted by Russian-affiliated cyber actors in some fashion. Elements of the [intelligence community] have varying levels of confidence about three additional states, for a possible total of at least 21.”
Mitch Herckis is Senior Editor and Director of Strategic Initiatives for Route Fifty. He is based in Washington, D.C.