Updated 9 p.m. ET
Russia’s military intelligence agency launched an attack before Election Day 2016 on a U.S. company that provides voting services and systems, according to a top secret report posted Monday by The Intercept.
The news site published a report, with redactions, by the National Security Agency that described the Russian spear-phishing scheme, one it described as perpetrated by the same intelligence agency — the GRU — sanctioned by the Obama administration over the 2016 cyber-mischief.
According to the NSA report, Russian hackers sent emails to people who worked at a company that provides election software and hardware, trying to trick them into giving up their user credentials. The goal was to get custom software onto their computers so that Russian spies could find out more about the workings of the network. The Intercept reports, “At least one of the employee accounts was likely compromised, the agency concluded.”
The NSA report also says the Russian attackers wanted to know more about voter registration systems. But the American spy agency acknowledges it doesn’t know how successful the Russian efforts were in that effort or what information or access the GRU may have gleaned.
A spokesman for the Office of the Director of National Intelligence declined to comment.
VR Systems, a Florida-based election systems provider referenced in the material, said in a statement:
“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.
“Phishing and spear-phishing are not uncommon in our society. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.
“It is also important to note that none of our products perform the function of ballot marking, or tabulation of marked ballots.”
Separately on Monday, the Justice Department announced that it is charging a 25-year-old Georgia woman who works for an intelligence agency contractor with allegedly sending classified material to a news organization.
Reality Leigh Winner of Augusta was arrested on Saturday; the FBI said in court documents that she had been accused of printing out classified material and sending it by mail to a news outlet.
Two national security officials with knowledge of the matter confirmed to NPR on Monday that the cases are connected.
Winner’s arrest follows the promise of a crackdown by the Trump administration on leaks, which have detailed a number of sometimes embarrassing details about the inner workings of the government and some of its national security arrangements.
“Releasing classified material without authorization threatens our nation’s security and undermines public faith in government,” Deputy Attorney General Rod Rosenstein said in a statement on Monday. “People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”
The NSA document posted on Monday offers some of the most official detail yet about Russia’s cyberactivity, which the U.S. intelligence community has previously discussed in much broader terms. It also confirmed that the Russian attacks continued after the Department of Homeland Security publicly attributed the meddling to Russia’s intelligence agencies, confirming that those statements did not deter more cyberattacks — and after Obama’s warning to Putin in September “to cut it out, there were going to be serious consequences if he did not.”
Intelligence agency leaders say that Russia’s attacks did not change any actual votes in the 2016 race, but election technology experts have been concerned for years that hackers could attempt to manipulate not only individual voting machines but other equipment used to run elections, such as those that tabulate votes or keep track of voter registrations.
While the machines that voters use to cast their ballots are not connected to the Internet, the computers used to program these machines, or to run elections, can be connected at some point, leaving them vulnerable to cyberattacks.
J. Alex Halderman, a computer security expert from the University of Michigan, is among those who have been sounding the alarm for years.
“It’s highly significant that these attacks took place, because it confirms that Russia was interested in targeting voting technology, at least to some extent. I hope further investigation can shed more light on what they intended to do and how far they got,” he says.
Halderman and others note that local election officials often contract with private vendors, such as VR Systems, to program their voting equipment. He says if those vendors are hacked, then malware could easily be spread to local election offices and ultimately to individual voting machines.
Jeremy Epstein, another voting security expert, said that even though the NSA report describes efforts to hack into voter registration systems, once a hacker has access to a local election office’s computers, they can potentially infect other aspects of the election.
“If I was a Russian trying to manipulate an election, this is exactly how I would do it,” he says.
Experts say it would be difficult to know if votes had been tampered with unless the equipment had a paper ballot backup. Those paper ballots can be used to verify whether or not the election results reported electronically were correct.
Lawrence Norden, of the Brennan Center for Justice at the New York University School of Law, notes that seven of the eight states that use VR Systems services — California, Florida, Illinois, Indiana, New York, North Carolina and West Virginia — have paper-based systems. And most of the equipment used in the eighth state — Virginia — also use paper.
Another concern is that even if a hacker did not try to change the actual election results, they could undermine confidence in the voting system by causing enough confusion at the polls to raise doubts about the results. That could happen, for example, if voters showed up at the polls to find that their names were not listed, or listed incorrectly.