Leaked Report Claims Voter Registration App Firm Hacked by Russians

The U.S. government concluded that Russian intelligence hacked into an American vendor of voter-registration software. Following publication, a National Security Agency contractor is arrested for allegedly leaking the document.

election tech security

The National Security Agency concluded in May that the Russian General Staff Main Intelligence Directorate, or GRU, used phishing attacks to likely compromise at least one account at a U.S. election firm, according to a report in The Intercept published on June 5.

The attackers used information gathered from the firm to target 122 local-government organizations, sending Trojan-infected Word documents that used a Visual Basic script to exploit victims who opened them, the report stated. The documents’ file names suggested their contents had to do with a voter-registration system known as EViD, created by VR Systems of Tallahassee, Florida.

The degree to which the attack was successful is unknown. According to the report, the NSA did not know if any local government officials’ systems were compromised by the attack. VR Systems claimed that the company knew of no customers who had been compromised.

“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment,” the company said in a statement published on June 5.

“We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.”

The company noted that it does not make systems that either mark ballots or tabulate marked ballots.

The report came the day before former FBI Director James Comey is set to testify before the U.S. Senate Intelligence Committee on Russia’s interference with the U.S. presidential election and the Trump administration’s contacts with Russia.

On June 5, the same day as The Intercept’s article, the U.S. Department of Justice announced that a federal contractor, Reality Leigh Winner, 25, was charged with mailing a classified document to a news publication. A Twitter feed bearing portrait of Winner and created in 2015 had posts and retweets critical of then-candidate Donald Trump, according to an article published by NPR.

The incident has raised concerns that The Intercept did not properly protect its source. Investigators quickly narrowed down the field of suspects by noting that the scans provided by the publication suggested that the information came from a printout. Winner was one of six people who had printed out the Top Secret document.

“A further audit of these six individuals’ desk computers revealed that Winner had e-mail contact with the News Outlet,” stated the Department of Justice’s affidavit in the case.

Winner admitted to sending the documents to a news outlet, according to the affidavit.

By giving the government a color copy of the document, The Intercept gave them everything they needed to identify the device from which, and the exact time at which, the document was printed. A series of near-invisible yellow dots are created by many new printers, registering the printer’s ID number and the time at which it was printed.

In this case, the document came from a printer with model number 54, serial number 29535218 and was printed on May 9, 2017 at 6:20 am, according to a post explaining the technology by Robert Graham, CEO of Errata Security.

Transmission of classified information to a person not authorized to access the information is a violation of U.S. Code, section 793(e).

“Releasing classified material without authorization threatens our nation’s security and undermines public faith in government,” Rod J. Rosenstein, the U.S. deputy attorney general, said in a statement by the U.S. Department of Justice announcing the charges against Winner. “People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...