In the months before the 2016 presidential election, one U.S. state received a notification from a federally-backed cybersecurity group, warning about suspicious cyber activity directed at its networks. The state IT officials did not share the alert with other state government leaders and as late as January 2018, the same officials reported nothing “irregular, inconsistent, or suspicious” took place before the vote.
In fact, GRU, Russia’s military intelligence agency, had scanned one of the state’s “election-related” domains, according to a new Senate report.
In another state, leaders did not turn over to the Senate which of the state’s systems had been targeted by Russians. Officials told Senate investigators they hadn’t seen evidence of scanning or attacks on the state’s election infrastructure. Instead, they told the committee that they had seen a “probing” of state systems. Again, DHS told the committee that GRU had scanned the state’s Secretary of State website.
And in a third state, officials told Senate investigators they had not noticed a connection between their systems and the IP addresses listed in a warning from the federal government. And again, DHS told the committee that GRU scanned the state’s government domain.
A July 25 report from the Senate Select Committee on Intelligence detailed how Russian actors targeted state networks and election infrastructure in 20 anonymous states and Illinois. The Russians scanned networks, attempted SQL injections, relied on phishing and sent malicious emails. But the report also explains how numerous states had no idea that their networks were essentially being cased by hackers or lacked the technology to tell them so.
In addition, the report outlines how state officials repeatedly refused federal government aid, were unaware of extensive scanning activities until they received government notification and sometimes did not even recognize the very malicious activity feds had warned about.
The committee concluded it was likely every state had been targeted.
Tom Kellermann, chief cybersecurity officer at Carbon Black, an endpoint security company, and a former commissioner on President Barack Obama’s commission on cybersecurity, said states view security through a “very old-fashioned, a very antiquated lens” of network security and need to move beyond their perimeter.
“It’s not all about network security,” Kellermann said. “Firewalls and encryption are not sufficient to stop the threats of today, nor is antivirus.”
Lisa Monaco, a former homeland security adviser, told the committee that DHS found some states didn’t have their voter databases encrypted or backed up. Others in industry agreed that state security officials often failed to follow basic advice.
“Ninety-nine percent of cybersecurity is basic hygiene,” said Eric Cornelius, chief technology officer of Blackberry Cylance, an AI-based threat prevention and detection company.
Understanding the interference
The report, which is the first volume on the committee’s findings on Russian interference, is heavily redacted and provides insights into the “extensive” Russian-backed cyber actions taken against Illinois and 20 other anonymous states.
Officials from the Department of Homeland Security told the committee that the hacking attempts consisted of “research” on “general election-related web pages, voter ID information, election system software, and election service companies.”
The committee found that the Russian government activities against the U.S. election infrastructure began in 2014 and stretched into “at least 2017” at the state and local level. There is no evidence that vote tallies changed.
“What it mostly looked like to us was reconnaissance,” Michael Daniel, former special assistant to the president and cybersecurity coordinator, told the committee. “I would have characterized it at the time as sort of conducting the reconnaissance to do the network mapping, to do the topology mapping so that you could actually understand the network, establish a presence so you could come back later and actually execute an operation.”
For example, at least 16 states in the report had state government or election infrastructure scanned by the Russian-backed cyber actors. Scanning a network - effectively casing a building before a robbery or rattling door knobs to learn which ones are unlocked - can’t effectively be defended against, cybersecurity experts told Fifth Domain. However, officials can rely on numerous security measures to ensure their doors are secure.
“What you can do is you can put a fence around your house and you can lock your doors,” said Cornelius.
In one state, identified only as “state 6” in the report, cyber actors scanned the entire state’s IT network. The state told the committee that the “affected systems” were the state Secretary of State’s web application and the election results site.
“If the penetration had been successful, actors could have manipulated the unofficial display of the election tallies,” the report said. State officials said they believed they would have noticed changes. This is not the same as altering vote tallies on a voting machine.
DHS reported that the same state was also targeted repeatedly with SQL injections, a type of attack designed to access databases. It received the most SQL attacks of any state, but they were unsuccessful, the report said.
“In the world of cybersecurity, SQL injection is very much cybersecurity 101,” Cornelius said. “It is highly known, highly documented [and] easy to mitigate. There’s no reason that those types of vulnerabilities should exist in these times.”
The report shows that leaders from another state, referred to as state 10, told committee officials that they received a “three-pronged attack” with SQL injection. That state was hit by SQL injection attempts on all its fields 1,500 times from an IP address in the Netherlands; a U.S.-based address hit them on several fields; and a SQL attempt from a Poland-based IP hit another field six or seven times.
State 10 also said its firewall blocked malicious activity against its online voter registration system. DHS confirmed GRU SQL injection attempts against the state’s voter services website and confirmed it was blocked by the firewall.
“If someone doesn’t have defenses in place for that, it just automatically becomes an attack,” said Kevin Ford, chief information security officer at CyberGRX, a third-party risk management company. “I wouldn’t really call that a scan…for vulnerabilities, I would call that an outright attack.”
And Illinois didn’t have those defenses in place, in what may have been the most aggressive attack of the cycle.
On June 23, 2016, Russian actors launched a SQL attack against the state’s online voter registration website, the first known breach of election infrastructure by Russian-backed actors during the 2016 election, the report said. It took three weeks for IT staff to discover the breach after the site experienced spikes in the data flow on the database server. State officials said the discovery took so long because of the “low-volume nature of the attack” at first.
In the end, the committee report says that the cyber actors penetrated Illinois’ voter registration database and viewed up to 200,000 voter registration records. The amount of voter registration data the intruders ultimately scraped from the database is “unknown,” the committee wrote.
The committee report also unveiled that the intruders were “in a position to delete or change voter data” but added it didn’t have evidence that the actors tampered with or erased the records.
This unfettered access to voter registration data can have significant implications for democratic elections and could discourage voters from going to the polls, experts argue. Cyber intruders could alter names, birthdays or addresses so they don’t match a voter’s ID, causing headaches for voters at the polls.
“And as a result, you’ll become disenfranchised when you go to vote,” Kellermann said. “They’ll tell you ‘your information doesn’t match, and you’re not allowed to vote.’ And how many people are going to go fight that, argue with that, turn around and come back and prove that?”
Another state, described as state 4, had a statewide voter registration database breached as a result of a phishing attack on a county employee. According to the report, this actor also had an opportunity to modify county voter registration data, but not state data. DHS and the FBI said that there was “no definitive tie to the Russian government.”
Counties in another state, referred to as state 2, also received warnings from the feds about potential phishing attacks. And yet another state, known as state 14, also received “potentially malicious” emails.
States skimp on government warnings
A handful of states told the committee that their systems had been scanned but the Russians didn’t enter. In what the report refers to as state 9, for example, state officials told the committee that the actors “didn’t go in, but we don’t know why.”
Kellermann said that states shouldn’t be so sure that Russians didn’t enter the networks.
“They’re all about deception, they’re all about deploying secret passageways,” Kellermann said. “They’re all about setting your front yard on fire while they sneak in the kitchen window.”
Throughout the report, DHS told the committee it found cyber activity against states well beyond what states reported to the committee.
Many states were not aware they were being targeted until notifications from the federal government arrived months before the election. And even then, states still didn’t catch the activity. For example, state 18 officials told the committee that they noticed no connection between their state systems and IP addresses listed in the notifications from the federal government. Later, DHS told the committee that GRU scanned state 18’s government domain.
“This is now - and will continue to remain - a talent problem. If you don’t have people on staff who are knowledgeable in this, telling you to throw money at a technical problem is an irrelevant solution because tomorrow the technical problem will be different,” Cornelius said.
Understanding different trends in cybersecurity and how those basic pieces transform into more advanced threats requires “skilled human beings,” Cornelius said.
“States and governments, and businesses in general, need to be investing in people,” he said.
For example, state 7 officials told the committee that they weren’t worried about network security in larger counties, but they did worry about security in under-resourced areas, such as places where “the part-time registrar...is also the town attorney and the town accountant and is working out of a 17th-century jail.”
In state 2, the FBI was in touch with several counties about breaches, specifically warning about spearphishing attacks. The FBI told the counties that there was help available from DHS. According to the report, the four counties “had not accepted DHS services” as of June 11, 2018.
“There needs to be better cooperation between federal government and the states,” Ford said.
He added, “a small state is not going to be able to defend itself well against a large, advanced persistent threat like Russia.”
The report also details the states’ views of DHS involvement, with several claiming the department didn’t contact the appropriate officials or didn’t provide the proper context of the threat.
“In many cases, DHS had notified state officials responsible for network security, but not election officials, of the threat,” the committee wrote. “Further, the IT professionals contacted did not have the context to know that this threat was any different than any other scanning or hacking attempt, and they had not thought it necessary to elevate the warning to election officials.”
DHS disputed that account. Jeanette Manfra, then-Acting Deputy Undersecretary of Homeland Security, told the committee that DHS held three conference calls in the final months of the 2016 election with top election officials in all 50 states.
States need to change how they look at security
Last year, Congress passed $380 million in election security grants for states. In recent weeks, congressional Democrats have been pushing for another round of election security funding.
Kellermann said states need to invest in three areas moving forward: application control on their databases and voting machines, end-point detection to view behavioral anomalies, and threat hunting teams that search for activity they haven’t seen yet.
“That’s the only way you stop Russians, you start looking for them,” Kellermann said.
And the threats are not just Russian. In the last few weeks several leaders in the federal government said that the United States faces cyber threats from numerous nation-states across the world.
“What they need to be focusing on is end-point security, not network security, with dealing with a threat that we’re facing today,” Kellermann said. “Particularly a threat that is not just being leveraged by the Russians but being leveraged by other nation-state actors.”
Justin Shattuck, director of threat research at Baffin Bay Networks, a threat protection company, said that states need to deploy intrusion detection systems to “log and alert on anomalies.”
“For most, an [intrusion detection system] is going to go far, even on some kind of initial anomalies… [like] if you’re making outbound connections when you shouldn’t be,” said Shattuck.
Kellermann also pointed to the “spot on” election security recommendations from the Cybersecurity and Infrastructure Security Agency, an organization within DHS tasked with protecting critical infrastructure from cyber threats, which recommends action ranging from network segmentation to setting baselines for network and host activity.
“Those best practices must be adhered to by all states and all localities and if they don’t have the funding necessary to do it,” take money recovered from criminal asset forfeiture or money laundering cases, Kellermann said.
“There is a clear and present danger to the future of not only U.S. democracy, but global democracies.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.