The details of an apparent Russian state-sponsored cyberattack on local election officials and a vendor of U.S. voting software are shocking—but they shouldn’t be surprising. In fact, experts had been warning for months before the 2016 election about exactly the type of attack that was revealed Monday in leaked NSA documents.
According to the documents, the purpose of the attack, which occurred last August, was “to obtain information on elections-related software and hardware solutions.” The attackers “likely used data obtained from that operation to create a new email account and launch a voter-registration themed spear-phishing campaign targeting U.S. local government organizations.”
The NSA’s analysis does not draw any conclusions about whether the attack affected voting outcomes in the presidential election in November, or any other national or local races. But targeting voter registration systems is widely seen as one of the most effective ways to use a cyberattack to disrupt the electoral process. An adversary with access to voter registration information could, for example, delete names from the voter roll or make other modifications to the data that could cause chaos on Election Day. (See “How Hackers Could Send Your Polling Station Into Chaos.”)
Before the election, Rice University computer science professor Dan Wallach told MIT Technology Review that poorly secured voter registration databases were the biggest cybersecurity threat facing the U.S. voting system, since many states put them online. In September, the Associated Press reported that hackers had targeted voter registration systems in 20 states.
Also among potential targets, experts warned at the time, were electronic poll books—computerized versions of the paper lists that poll workers often use to check voters in. Most offer the option to connect to the Internet.
Though the NSA’s leaked analysis did not name the target of the attack it describes, it does make references to a Florida-based company called VR Systems, which makes electronic poll books. In a statement, the company appeared to confirm that it had been targeted, saying that “a handful” of customers had received fraudulent e-mails, but that there was “no indication that any of them clicked on the attachment or were compromised as a result.”
In October, CNN reported that federal investigators thought Russian hackers had compromised an unnamed vendor of voting software that supplied technology for Florida’s voting system. Some have now speculated that that vendor was VR Systems. Products made by VR Systems are used by eight states: California, Florida, Illinois, Indiana, New York, North Carolina, Virginia, and West Virginia.
One of those states—North Carolina, which was seen as a key swing state in the race for the presidency—did experience the type of voter-registration-related issues on Election Day that security experts warned might happen in the event of a cyberattack. In Durham County check-in systems malfunctioned in a number of precincts, leading to long lines and delays and forcing election officials to switch to slower, paper-based processes.
A spokesman for the Durham County Board of Elections told The Intercept that VR Systems’ software was not to blame for these issues, and a spokesperson for the North Carolina Board of Elections told the website that the state “did not experience any suspicious activity during the election outside of what this agency experiences at other times.”
Even so, on Tuesday Senator Mark Warner, the top Democratic member of the Senate Intelligence Committee, told USA Today that Russia’s hacking efforts are more widespread than any previous unclassified reports or the newly leaked NSA document indicate.
And the threat is ongoing. “None of these actions from the Russians stopped on Election Day,” he said.