Voting Websites Security Incidents and Breaches in 2018
While targeted attacks against voters and the election process are growing in 2018, insecure websites and phishing remain the most frequent attack vectors.
Ever since Russia was accused of interfering in the U.S. 2016 presidential election, concern over the security of America's increasingly automated election system has grown – understandably reaching fever-pitch with the 2018 midterm elections in November.
Here we look at ten of the most interesting election website incidents (nine from the U.S. and one from Canada), and the issues surrounding them, over the last year.
Florida midterm elections
When: August 2018
The damage: possibly none, but an alarming demonstration of how vulnerable electoral systems can be.
How: a possible false alarm.
On August 8th, the Tampa Bay Times published an article revealing that Florida’s Democratic senator, Bill Nelson, claimed Russian hackers had compromised the state’s midterm election systems. However, the senator did not elaborate on his claims, and the department of state said they had received zero evidence to support the claim.
Although this may appear to be a non-incident, senator Nelson could very well have had reason for concern. At the Def Con hacking conference, which began the day after the Tampa Bay Times article was published, a contest was held to hack into a replica of Florida’s midterm election website. The contest was won by an 11-year old, who penetrated the system in approximately 10 minutes. The National Association of Secretaries of State said that “[The contest’s system] in no way replicates state election systems, networks, or physical security,” and that the upcoming midterms’ systems used “new and updated security protocols,” – which could imply it would take an 11-year old up to 60 minutes to penetrate them.
Sacramento campaign funds stolen
When: February-April 2018
The damage: $46,000 from the re-election campaign.
How: a compromised email address and spoofed request for funds.
Californian senator Richard Pan was the apparent victim of a successful BEC (Business Email Compromise) scheme in April this year. $46,000 was lost from the re-election campaign funds thanks to a successful breach of his email account.
After evidently compromising the senator’s email in February, the attackers monitored Pan’s emails, eventually using the address to send a request for funds to the campaign treasurer. The request was for $46,000, sent to an unnamed individual in Texas. It seems the two months of reconnaissance allowed the attackers to convincingly imitate the senator and the procedures for requesting funds, allowing the scam to succeed.
Illinois voter records
When: July 2016, July 2018
The damage: 500,000 voter records, up from earlier estimates of 76,000.
How: suspected SQL injection.
In July 2016, ahead of the US Presidential elections, the state of Illinois announced that it had notified 76,000 residents that their personal details may have been compromised. It was later estimated that up to 200,000 voters may have had their personal records compromised in this attack.
However, in July of this year, new figures released by the US Department of Justice indicated that the potential number of citizens affected was more than double this previous estimate. In a speech indicting 12 Russians for various attempted cyber attacks during the 2016 elections, Deputy Attorney General Rod Rosenstein announced that approximately 500,000 voters had their information stolen from a state election board website. While he did not directly name the state of Illinois in conjunction with this figure, Illinois is the only state known to have been successfully breached in 2016.
What isn’t known is whether any malicious use of these stolen records was made either in 2016 or 2018.
Ontario Progressive Conservative Party and Highway 407
When: January 2018, then May 2018.
The damage: Over 1 million Ontario voter and party supporter records, 60,000 Highway 407 Express Toll Route customer details, Ontario Progressive Conservative Party stability.
How: Ransomware and “Internal theft”.
Canadian provincial political party, the Ontario Progressive Conservatives PC), had their database compromised. Names, phone numbers and personal details for over 1 million voters and party supporters were lost. This incident called public attention to lack of Ontario laws for parties to protect voter data.
The party’s troubles did not end there, however. In May, Highway 407, which touts itself as “the world’s first all-electronic, barrier-free toll highway,” lost the data of 60,000 customers in an internal theft. An internal investigation linked the data loss to the Ontario PC party. Candidate Simmer Sandhu quit his position and candidacy for Brampton East amid the investigation, though he firmly denied any allegations of wrongdoing.
The hack that probably never was...in Georgia
When: November 2018, with origins in August 2016
The damage: 15 gigabytes of voter registration data, covering over 6 million Georgia voters.
How: unaddressed data exposure and server vulnerabilities.
In the beginning of November this year, Georgian gubernatorial candidate and former Georgia secretary of state, Brian Kemp, launched an investigation into the opposing Democratic party for alleged cybercrime. The allegations – that the opposition had attempted to hack the elections – were quickly dismissed as baseless by many outlets; and probably never happened.
Kemp’s Democratic opponent in the midterm elections, Stacey Abrams, called Kemp a “bald-faced liar” who cooked up the allegation to deflect attention from his record of incompetence as secretary of state, particularly in relation to presiding over the midterm elections.
But the origins of this antagonism go back to 2016. Security researcher Logan Lamb discovered that the Georgia voter registration database (6.7 million records) were being stored by Kennesaw State University (KSU) on an unsecured database exposed to the internet.
Lamb informed KSU, but the database remained exposed for several weeks. When KSU finally took down the database, it simultaneously deleted the relevant system logs. As a result, there is simply no way of knowing whether any unknown third-party accessed or even downloaded the entire database.
Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, commented, “If I were a hacker trying to affect an election in this state, that's where I would start.” With voter registration details it would be possible to disrupt accurate voting enough to sway a tight election.
In the months preceding this year’s midterm elections, several Georgia citizens and the Coalition for Good Governance brought a court case against secretary of state Kemp attempting to force him to abandon the use of aging Diebold voting machines and revert to a paper-based ballot. They complained that the Diebold machines were probably insecure and provide no paper audit trail – so any adverse effect from the exposed registration database could not be checked.
The court case failed, and Kemp won a very tight election against Abrams.
The [unhappened] August’s hack of the DNC’s database
When: August 2018
The damage: none
How: lack of internal communication
In August, the Associated Press (AP) reported, "An attempt to break into the Democratic National Committee’s massive voter database has been thwarted, a party official said Wednesday..."
Bob Lord, the DNC’s chief security officer, said the attempt showed how serious the cyberthreat is and why it’s critical that state and federal officials work together on security.
“This attempt is further proof that there are constant threats as we head into midterm elections and we must remain vigilant in order to prevent future attacks,” he said.
A security firm had found what looked like a phishing site. It appeared to mimic VoteBuilder, a DNC-managed database that contains years' worth of voter information. The fear was that a phishing campaign aimed at DNC members could direct victims to this fake site that would harvest their credentials.
But within hours of the AP story being released, the truth became known. This was a fake site, but not a phishing site. It was a site created as part of a simulated phishing training program. The problem was that nobody had told Bob Lord about it.
"The test, which mimicked several attributes of actual attacks on the Democratic Party's voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors," said Lord.
Attempted ransomware attack on Sacramento Bee’s voter records
When: January 2018
The damage: contact information and personal details for 19.4 million California voters, plus 53,000 Sacramento Bee subscribers.
A failed upload to a third-party server containing data on millions of California voters and Sacramento Bee subscribers tipped off an employee that something was amiss. This led to the discovery of a note from a cybercriminal demanding Bitcoins in exchange for the data. The Sacramento Bee had obtained the voter records for reporting purposes, so all the voter data contained therein is considered public information. The database had been left unprotected for two weeks, when a firewall failed to reactivate following routine maintenance.
The ransomware attack itself was technically unsuccessful, as the Bee refused to pay the ransom and deleted all affected records to prevent further attacks. However, the databases were still compromised, and the attackers may still have access to the information. The Secretary of State’s office said “…no confidential information – such as social security numbers, driver’s license numbers, state ID numbers, or voter signatures – is ever provided in response to a request for the state voter file”.
99% of Texas registered voters’ detailed files found online
When: August 2018
The damage: 14.8 million detailed records and voting histories of Texan voters.
How: unsecured online storage.
A New Zealand-based security researcher known as Flash Gordon discovered a huge database of Texan voter data in August this year. Roughly 16 gigabytes in size, the database contained voter files for 14.8 million registered Texan voters. The March 2018 gubernatorial primaries recorder 15.2 million total registered voters in Texas, meaning this exposure covers roughly 99% of the state.
Although the ransomware attack on the Sacramento Bee involved the potential exposure of a greater number of files, the exposed Texas voter files contain more sensitive information. In addition to the publicly available contact details, the files also contained data on various political stances, such as views on immigration and gun rights. Data analysis indicates that the database was gathered by Data Trust, founded by the Republican Party to provide data analytics during campaigns. The Data Trust issued a statement denying its systems had been breached.
19 states’ voter databases emerge for sale online
When: October 2018
The damage: 35 million or more US voters’ details across 19 states.
How: unknown, apparent active breach.
Researchers from Anomali Labs and Intel471 have discovered an immense data breach spanning 19 US states on the dark web. They found a forum post advertising various states’ voter databases for sale, for a total of $42,200. Data includes phone numbers linked with addresses, full names and voting histories. The exact number of breached records is not known, but the seller confirms 23 million records across just three of the states’ databases for sale. The figures for the remaining 16 states are not made clear, but Anomali estimated that the total could exceed 35 million.
Anomali announced, “Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state. These types of unauthorized information disclosures increasing the threat of possible disruptive attacks against the U.S. electoral process such as voter identity fraud and voter suppression.”
How the attacker came by this data is not known. The advertisement post claims that “the data is refreshed each Monday of every week,” which suggests this is not a previously-known, static data exposure. If the claim is true, it’s possible that the seller has active access to the files, whether as a result of a security breach or a legitimate user attempting to profit from their data access.
The unknown hack on the Grand Old Party
The damage: not yet known.
How: a cyber intrusion by an unknown entity.
This probably is not the biggest or worst election incident of 2018. But it is the latest. It was only made public while this report was being compiled - that is, on 4 December 2018. AP reported, “The National Republican Congressional Committee said Tuesday that it was hit with a ‘cyber intrusion’ during the 2018 midterm campaigns and has reported the breach to the FBI.”
At this stage, nothing else is known. However, it may be linked to earlier reports in August from Microsoft, which said it had taken down several sites (created by Russians) that seemed as if they might be part an attack against ‘conservatives’ in the U.S. This in turn gained further credence in September when Google confirmed that the personal Gmail accounts of multiple senators and staffers had recently been targeted by foreign hackers.
How much is genuine, how much is political propaganda, and how much is simple election hysteria we do not yet know. But the AP report summarizes the U.S. election climate very well: “Politically motivated cyberespionage is commonplace across the world, but Americans have become particularly alert to the possibility of digital interference following the 2016 election. That hack is still fresh in the minds of many political operatives.”
We have compiled here some of the most remarkable security incidents of 2018 involving voting websites or the election processes. The list reminds about the importance of holistic, continuous and risk-based cybersecurity where application security may play a pivotal role.