Hack Brief: As FBI Warns Election Sites Got Hacked, All Eyes Are on Russia

Two-hundred thousand voter records were stolen from the Illinois board of elections, and a few murky clues point yet again to Russian hackers.

In any other year, hackers breaking into a couple of state government websites through common web vulnerabilities would hardly raise a blip on the cybersecurity community's radar. But in this strange and digitally fraught election season, the breach of two state board of election websites not only merits an FBI warning---it might just rise to the level of an international incident.

On Monday, an FBI alert surfaced warning state boards of election to take precautions against hackers after two election board websites were breached in recent months. According to Yahoo News, those breaches likely targeted Arizona and Illinois board of election sites, both of which admitted earlier this summer that they'd been hacked. Cybersecurity researchers are already speculating that the attacks link to Russia, pointing to the string of recent, likely Russian attacks that have hit the Democratic National Committee and the Clinton campaign. And according to NBC News, unnamed intelligence officials have already pinned the attack on Russia, with one of those officials going so far as to tie the hacks directly to Russian intelligence agencies.¹

"Someone is trying to hack these databases, and they succeeded in exfiltrating data, which is significant in itself," says Thomas Rid, a cybersecurity-focused professor in the War Studies department at King's College of London and author of Rise of the Machines. "In the context of all the other attempts to interfere with this election, it's a big deal."

The Hack

In its warning sent to state-level election boards, the FBI described an attack on at least one of those two election websites as using a technique called SQL injection. It's a common trick: the attacker types database commands into a web form field that is only meant to receive ordinary data, and because the site pastes that input directly into the query it sends to its database, the commands run on the site's backend, sometimes giving the attacker unintended access to the site's server. In this case, it seems to have allowed the hackers to steal 200,000 voter records from the Illinois board of elections, and to cause the Illinois board to close registration for ten days.
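To make the mechanism concrete, here is an added example (not code from the article, and not from any election board's system) showing the two ways a web backend can build a record lookup. The table and voter IDs are constructed for the demonstration. The first function splices the form input into the query text, which is the defect SQL injection exploits; the second binds the input as a parameter so the database treats it only as a value to compare. A tainted input is included purely so a defender can see, in a test, that the fix actually closes the hole.

```python
"""Added example: string-built vs. parameterized SQL for a voter-record lookup.

Runs against an in-memory SQLite database seeded with a constructed, fictional
voter table. Nothing here is drawn from the Illinois or Arizona systems.
"""
import re
import sqlite3

# Constructed sample data (fictional IDs, names and counties).
VOTERS = [
    ("V-0001", "Alice Example", "Cook"),
    ("V-0002", "Bob Example", "Lake"),
    ("V-0003", "Carol Example", "DuPage"),
]

# Assumed format for this fictional system's voter IDs; used as an extra
# input-validation layer in front of the database.
VOTER_ID_PATTERN = re.compile(r"^V-\d{4}$")


def make_db() -> sqlite3.Connection:
    """Create and seed the in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (voter_id TEXT, name TEXT, county TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", VOTERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, voter_id: str) -> list:
    """The defective pattern: user input is pasted into the SQL text, so whatever
    the user typed becomes part of the statement the database executes."""
    sql = f"SELECT voter_id, name, county FROM voters WHERE voter_id = '{voter_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, voter_id: str) -> list:
    """Hardened form: the SQL text is fixed and the input is passed as a bound
    parameter, so the database can only ever compare it as a string value."""
    sql = "SELECT voter_id, name, county FROM voters WHERE voter_id = ?"
    return conn.execute(sql, (voter_id,)).fetchall()


def is_valid_voter_id(voter_id: str) -> bool:
    """Defence in depth: reject input that does not even look like a voter ID
    before it reaches the database layer."""
    return VOTER_ID_PATTERN.match(voter_id) is not None


def demo() -> dict:
    """Run both lookups with a legitimate ID and with a malformed input, and return
    the number of rows each query hands back."""
    conn = make_db()
    legit = "V-0002"
    # A malformed input a lookup form should never trust: a stray quote followed by a
    # tautology. Spliced into the vulnerable query it rewrites the WHERE clause.
    tainted = "' OR '1'='1"
    return {
        "vulnerable_legit": len(lookup_vulnerable(conn, legit)),
        "vulnerable_tainted": len(lookup_vulnerable(conn, tainted)),
        "safe_legit": len(lookup_safe(conn, legit)),
        "safe_tainted": len(lookup_safe(conn, tainted)),
        "tainted_passes_validation": is_valid_voter_id(tainted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the tainted input (the WHERE clause has been rewritten to a tautology), while the parameterized lookup returns none, because the database compared the literal string against the ID column. The pattern check in front of the query is a second, independent layer; parameterization is the fix that matters.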

The use of that common SQL injection vulnerability hardly signals the involvement of sophisticated state-sponsored hackers, much less specifically Russian ones. But the security firm ThreatConnect, which has been investigating IP addresses that the FBI said were associated with the attacks, has found a few still-murky clues that point in Russia's direction. ThreatConnect found that one of the IP addresses named by the FBI mapped in 2015 to Rubro.biz, a Russian-language website it describes as a cybercriminal black market. (However, WIRED found that the IP address now points to a website appearing to be associated with the Turkish AKP political party. This, too, could be a red herring, as neither WIRED nor ThreatConnect has yet confirmed the legitimacy of that apparently Turkish website.) And the VPN used by the attackers appears to have been King Servers, the firm says, a service with a Russian-language website.

"There are elements to suggest there are Russian fingerprints on this," says Rich Barger, ThreatConnect's director of threat intelligence. But he cautions that the firm's research is "very nascent. We’re still working on it."

Who's Affected?

Neither the Illinois nor Arizona board of elections immediately responded to WIRED's request for comment. But if foreign hackers are indeed involved in the attack---still a major "if"---the 200,000 voter records reportedly breached in the attacks may represent the least of the American electoral system's worries. After all, US voter registration records have been practically public for years, often sold to data brokers who resell them to political campaigns and marketers. More serious is the notion, first raised by the public revelation of the Democratic National Committee hack in July, that a foreign power like Russia might be trying to influence or disrupt American politics.

How Serious is This?

We knew this could happen. Security researchers have warned for years that American voting systems are disturbingly vulnerable to digital attacks. The breaches of state board of election sites represent yet another reminder that elements of U.S. elections aren't ready to face determined hackers. But attacking voter registration systems, or even paralyzing registration for weeks as in Illinois' case, may not represent a practical threat to American elections so much as a psychological one, says King's College's Thomas Rid. After all, even deleted voter records can be accounted for with provisional ballots, as in recent primary messes in California and New York. But a foreign government using digital attacks to inject doubt in the election's results could help destabilize American politics well after November.

"The thing that I’m worried about is not the technical disruption of the election itself. That’s still extremely unlikely," says Rid. "The pattern we see is to call things into question, to sow doubt, to create uncertainty. This could be another way to create uncertainty in the minds of a lot of people...You can’t patch this psychological vulnerability."

And in an election year when the Republican candidate has repeatedly called the race rigged, that kind of psychological damage is more serious than any one hack.

¹ Updated Tuesday 8/30/2016 9:55am with news that U.S. intelligence officials have tied the hack to the Russian government.