A provider of voting software and related technology services appears to have been a main entrance by which Russian military hackers burrowed their way into an unknown number of local government networks in an effort to influence the 2016 U.S. Presidential election.
The revelation is contained in an explosive report published today by British news website The Intercept, which relied on a top-secret memo allegedly stolen by a National Security Agency (NSA) contractor and sent anonymously to the journalists.
That contractor has since been charged with espionage, authorities announced today.
Still, the report – dated May 5, 2017 – outlines how Kremlin hackers in August of 2016 used phishing scams to target at least seven employees at VR Systems Inc., of Tallahassee, Fla., in an effort to gain access to the workers’ login credentials.
“Two months later, on October 27, they set up an ‘operational’ Gmail account designed to appear as if it belonged to an employee at VR Systems, and used documents obtained from the previous operation to launch a second spear-phishing operation ‘targeting U.S. local government organizations,’” The Intercept article states, quoting from the NSA report. “These emails contained a Microsoft Word document that had been ‘trojanized’ so that when it was opened it would send out a beacon to the ‘malicious infrastructure’ set up by the hackers.”
“The NSA assessed that this phase of the spear-phishing operation was likely launched on either October 31 or November 1 and sent spear-fishing emails to 122 email addresses ‘associated with named local government organizations,’ probably to officials ‘involved in the management of voter registration systems,’” the NSA report states.
IT services providers are increasingly being targeted by hacking operations, which see the managed services providers as an ideal entry point for accessing client networks.
In April, a well-known Chinese hacking group, APT10, was found to be specifically targeting MSPs in an effort to steal sensitive data and intellectual property from enterprise customers.
VR Systems sells and supports software for management of elections, including voter registration data and worker training; website publishing and hosting; and the EViD electronic poll book for onsite management of polling places.
VR Systems was hired by numerous government elections organizations, across eight states.
“Available as a tablet, an all-in-one station or customized for an existing device, more than 14,000 EViDs were in use during this past election season,” the company’s website states.
An official at VR Systems declined to comment specifically to The Intercept about the NSA document, but acknowledged in a statement that phishing and spear-phishing are common in that vertical.
“We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats,” Ben Martin, the firm’s chief operating officer, is quoted as saying. “We have policies and procedures in effect to protect our customers and our company.”
While U.S. intelligence officials have said they can point to no evidence proving that the Russian hacking campaign affected actual vote counts, the leaked NSA report suggests the potential exists that the campaign was more successful than has previously been publicized.
Though VR Systems doesn’t provide or manage the actual touchscreen voting machines, the company’s tools do have wireless Internet connectivity and Bluetooth functionality, which could have enabled hackers to infiltrate disparately protected, local elections networks.
According to the NSA document, NSA investigators found that the second spear-phishing campaign involved emails that appear to have introduced malware into networks of local elections groups.
“The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document,” The Intercept reported. “These particular weaponized files used PowerShell…allowing vast control over a system’s settings and functions.”
“It is unknown,” the NSA notes, according to the report, “whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”
VR Systems – identified in the NSA report only through references to its products – was one of at least two election technology services providers targeted in the Russian campaign.
The second company was not identified in the document.
Send tips and news to [email protected].