Posted below is part of a very troubling article by Matthew Cole, Richard Esposito, Sam Biddle, and Ryan Grim for The Intercept:
RUSSIAN MILITARY INTELLIGENCE executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.
The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light. . . .
The report indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document:
Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.
This NSA summary judgment is sharply at odds with Russian President Vladimir Putin’s denial last week that Russia had interfered in foreign elections: “We never engaged in that on a state level, and have no intention of doing so.” Putin, who had previously issued blanket denials that any such Russian meddling occurred, for the first time floated the possibility that freelance Russian hackers with “patriotic leanings” may have been responsible. The NSA report, on the contrary, displays no doubt that the cyber assault was carried out by the GRU.
The NSA analysis does not draw conclusions about whether the interference had any effect on the election’s outcome and concedes that much remains unknown about the extent of the hackers’ accomplishments. However, the report raises the possibility that Russian hacking may have breached at least some elements of the voting system, with disconcertingly uncertain results.
The NSA and the Office of the Director of National Intelligence were both contacted for this article. Officials requested that we not publish or report on the top secret document and declined to comment on it. When informed that we intended to go ahead with this story, the NSA requested a number of redactions. The Intercept agreed to some of the redaction requests after determining that the disclosure of that material was not clearly in the public interest.
The report adds significant new detail to the picture that emerged from the unclassified intelligence assessment about Russian election meddling released by the Obama administration in January. The January assessment presented the U.S. intelligence community’s conclusions but omitted many specifics, citing concerns about disclosing sensitive sources and methods. The assessment concluded with high confidence that the Kremlin ordered an extensive, multi-pronged propaganda effort “to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.”
That review did not attempt to assess what effect the Russian efforts had on the election, despite the fact that “Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards.” According to the Department of Homeland Security, the assessment reported reassuringly, “the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying.”
The NSA has now learned, however, that Russian government hackers, part of a team with a “cyber espionage mandate specifically directed at U.S. and foreign elections,” focused on parts of the system directly connected to the voter registration process, including a private sector manufacturer of devices that maintain and verify the voter rolls. Some of the company’s devices are advertised as having wireless internet and Bluetooth connectivity, which could have provided an ideal staging point for further malicious actions.
As described by the classified NSA report, the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers.
But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company, according to the NSA report. Although the document does not directly identify the company in question, it contains references to a product made by VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.
The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded. The NSA notes in its report that it is “unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated.”. . .
Although the NSA report indicates that VR Systems was targeted only with login-stealing trickery, rather than computer-controlling malware, this isn’t necessarily a reassuring sign. Jake Williams, founder of computer security firm Rendition Infosec and formerly of the NSA’s Tailored Access Operations hacking team, said stolen logins can be even more dangerous than an infected computer. “I’ll take credentials most days over malware,” he said, since an employee’s login information can be used to penetrate “corporate VPNs, email, or cloud services,” allowing access to internal corporate data. The risk is particularly heightened given how common it is to use the same password for multiple services.