Yesterday, Glenn Greenwald’s online presence, The Intercept, posted a highly classified NSA analysis of Russian activities targeting our election. Most of the commentary has focused on the spectacularly mal-named Reality Winner who stole the document from an alleged classified facility in Augusta, GA, and sent it to The Intercept. The document is interesting from several perspectives.
The document title is instructive in itself. Even The Intercept refers to it as a report on election hacking when, in fact, it really isn’t
Pay close attention to the classification: (TS//SI//OC//REL to US, FVEY//FISA). Decoded that means TS = Top Secret, the highest classification level; SI = Special Intelligence, meaning this information was derived from communications intercepts; OC = Originator Controlled, meaning this report cannot be disseminated or released without NSA’s permission; REL to USA, FVEY = This report can be released to Americans and other members of the Five Eyes intelligence alliance (Britain, Canada, Australia, and New Zealand); and FISA = This report contains information obtained under the Foreign Intelligence Surveillance Act, meaning a classified warrant was issued to spy on American(s).
This is not trivial stuff.
The report fingers Glavnoye razvedyvatel’noye upravleniye, the GRU, Russian military intelligence as the agent involved in the attempts covered in the report. This does not mean the SVR was not involved, but the prime agency seems clearly to be the GRU. This is not a huge surprise as the GRU was held to be responsible for the DNC hacks and it owns Russia’s cyberwarfare organization.
As described by the classified NSA report, the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers.
But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company, according to the NSA report. Although the document does not directly identify the company in question, it contains references to a product made by VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.
The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded. The NSA notes in its report that it is “unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated.”
In any event, the hackers apparently got what they needed. Two months later, on October 27, they set up an “operational” Gmail account designed to appear as if it belonged to an employee at VR Systems, and used documents obtained from the previous operation to launch a second spear-phishing operation “targeting U.S. local government organizations.” These emails contained a Microsoft Word document that had been “trojanized” so that when it was opened it would send out a beacon to the “malicious infrastructure” set up by the hackers.
The NSA assessed that this phase of the spear-fishing operation was likely launched on either October 31 or November 1 and sent spear-fishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document…
The NSA document briefly describes two other election-related Russian hacking operations. In one, Russian military hackers created an email account pretending to be another U.S. election company, referred to in the document as U.S. company 2, from which they sent fake test emails offering “election-related products and services.” The agency was unable to determine whether there was any targeting using this account.
In a third Russian operation, the same group of hackers sent test emails to addresses at the American Samoa Election Office, presumably to determine whether those accounts existed before launching another phishing attack. It is unclear what the effort achieved, but the NSA assessed that the Russians appeared intent on “mimicking a legitimate absentee ballot-related service provider.” The report does not indicate why the Russians targeted the tiny Pacific islands, a U.S. territory with no electoral votes to contribute to the election.
The operation seems to have been primarily a reconnaissance operation to determine what would and would not work and to map out lines of communications within voting agencies. It should probably be viewed as the part of the same exercise than penetrated the online voter registration systems in Arizona and Illinois.
The NSA doesn’t make even conjecture about what the Russians were up to and for good reason. Their motives for carrying out this operation, beyond simply trolling us, is not all that clear. Noting the GRU did could ever be more than an annoyance unless an effort to create fake voters is combined with millions of humans showing up at the polls to use the fake identities and vote (one would think that if you were really afraid of Russian interference you’d be demanding Voter ID, but that isn’t the case). A plurality of states use paper ballots or punch cards. A clear majority of states using voting machines also produce a paper trail for audit purposes. Even states that use electronic voting machines don’t link the voting machine or the data drives of those machines to the internet at any point so the idea that the voting machines can be hacked via the internet is simply wrong. The worst that could happen would be to mess with the poll books to remove registered voters and force them to use provisional ballots.
This is a cautionary tale, though, for those advocating the use of email voting for absentees, ex-pats, and members of the military deployed away from home station. There is probably no way to actually secure a voting system that is, at any point, in contact with the internet because there is always a vulnerable human somewhere in the mix.