Since early April when Special Counsel Robert Mueller’s redacted report on the investigation into Russian interference in the 2016 presidential election was released, a storm of confusion and controversy has raged over what happened in Florida during that election. A cryptic passage in the Mueller report outlines how Unit 74455 of Russia’s military intelligence arm GRU sent “spear-phishing emails to public officials involved in election administration and personnel involved in voting technology.”
The Mueller report states that in August 2016, the GRU targeted employees of a voting technology company that “developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.” The voting technology vendor’s name was redacted in the report.
According to the Mueller report, an FBI investigation revealed that in November 2016 the GRU “sent spear-phishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election” and malware embedded in Word documents in those emails enabled the GRU to gain access to “at least one Florida county government.”
Russian phishing campaign targets VR Systems
While the Florida county breach was startling new information, the spear-phishing efforts mentioned in Mueller’s report were reported prior the Mueller report’s release. In early 2017, former military contractor Reality Winner supplied to The Intercept evidence that the NSA had discovered that Russian military intelligence had sent spoofed emails (purportedly from Google) to an unnamed U.S. election software company. However, according to The Intercept, the NSA report contained references to a product made by VR Systems, a Florida-based vendor of electronic voting systems. The NSA report on the incident found seven “potential victims” of the phishing emails but said it is unknown whether the emails successfully compromised the company and what potential data could have been exfiltrated.
According to The Intercept, the NSA did find that the Russian hackers sent spear-phishing emails crafted from a Gmail account to appear as if the emails were from an employee of VR Systems to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails were made to look like benign documentation related to VR Systems’ electronic pollbook, known as EViD, but in fact were embedded with malware that used Microsoft’s PowerShell scripting software to install a backdoor to enable the hackers to monitor the victims and install further malware. (An electronic pollbook is hardware, software or a combination of the two that allows election officials to review or maintain voter register information to verify voter information. Pollbooks do not count votes.)
Similar allegations resurfaced in a July 2017 indictment by the Special Counsel’s office against 12 Russian nationals who were charged with computer hacking conspiracies during the 2016 election. The indictment alleges that Russia had targeted a vendor of software systems used to verify voter information, known only as Vendor 1. The indictment also said that the GRU “used an email account designed to look like a Vendor 1 email address to send over 100 spear-phishing emails to organizations and personnel involved in administering elections in numerous Florida counties.”
No intrusion, no breach
VR Systems provides voting hardware and software to election jurisdictions in eight U.S. states, including at least 17 North Carolina counties. One of those North Carolina counties, Durham County, claimed it experienced software issues with VR Systems’ EViD electronic pollbook on election day in 2016, which forced poll workers to switch to paper poll books, causing voting delays that resulted in long wait lines at the polls.
Following the Mueller report’s release, North Carolina’s State Board of Elections wanted to know whether VR Systems was the company redacted from the Mueller report, whether VR Systems’ previous assurances about the security of its products were still valid, and whether its products will be secure in the future. The Board of Elections sent a letter to VR Systems on April 18 asking for “immediate, written assurance” about the security of its products.
In a successful legal action VR Systems brought against the State Board of Elections last year to prevent the board from decertifying its pollbooks, the company said during discovery that its EViD system had never been breached and if it had been, it would have discovered remnants of the attacks. Moreover, VR Systems said it had investigated what it admits was a Russian spear-phishing campaign against it but stated that none of its employees had opened the malicious emails and therefore no breach occurred.
In its April 22 response to the State Board of Elections letter, VR Systems said it “has no independent knowledge and is unable to confirm or deny whether it is Vendor 1” cited in the July 2017 Russian indictments or the redacted vendor in the Mueller report. The company said neither the DHS, the FBI, nor the NSA has contacted it about the specific “hacking” incident (quotation marks were VR Systems’).
In the letter, VR Systems defended its security by pointing to the fact it worked with DHS and a third-party cybersecurity vendor. The vendor found no indications of any kind of breach of or malware installed on its systems, the company maintains. VR Systems said it offered to pay for third-party experts to examine those computers but the State Board of Elections refused the offer.
As NPR reported, a statement issued on April 18 VR Systems said, “[w]e disagree with the Special Counsel report because top cybersecurity experts, along with the Department of Homeland Security, have tested our network multiple times since 2016 and they found no indication of a breach or installation of malware on our company network.”
On May 8, 2019 Senator Ron Wyden (D-OR), long an advocate for tougher election security measures, sent a letter to Mindy Perkins, CEO of VR Systems raising both the Mueller report and the failure of VR Systems’ pollbooks in North Carolina, saying that the Mueller report’s claim about the malware infection of an election vendor did not jive with VR Systems’ denial that it had incurred a security breach. Wyden asked VR Systems to supply any reports or assessments that back up its claims. Wyden also asked VR Systems whether the company employed a CISO or comparable technologist in August 2016 and whether it had implemented the NIST Cybersecurity Framework in August 2016 or since.
Following Wyden’s letter to Perkins, company COO Ben Martin told Politico that after The Intercept published Reality Winner’s leak in 2017, the company engaged security firm FireEye to conduct a forensic examination of its own systems and network. “Based on analysis by FireEye, there was never an intrusion in our EViD servers or network,” Martin said.
If not VR Systems, who?
On May 14, Republican Florida Governor Ron DeSantis fostered even more confusion by hosting a press conference to say he had learned during an FBI briefing that two Florida counties were breached during 2016, not one as the Mueller report indicated. DeSantis then sent the controversy into overdrive by adding that he had signed a nondisclosure agreement with the FBI barring him from publicly stating which counties were involved, although the counties themselves had been notified. “I think they [the FBI] think that if we name the counties, then that may reveal information to the perpetrators that we know kind of what they did,” Mr. DeSantis said. Two days later, the entire Florida congressional delegation was briefed by the FBI and they, too, are barred from publicly stating which two counties are involved.
Based on an intensive push by the media and citizen advocates, a tiny jurisdiction in the Florida panhandle, Washington County, and a larger central Florida county, Sumter County, issued what the Tampa Bay Times called “non-denial denials” that they were the two counties in question. Both supervisor of elections offices said they could neither confirm nor deny they were the counties penetrated by the GRU in 2016. In that same Tampa Bay Times article, however, both the current and previous supervisors of elections in Sumter County denied their jurisdiction was ever hacked, and the current supervisor of elections in Washington County denied to the Florida newspaper last year that her office was hacked.
If what VR Systems maintains is true, that the GRU did not implant malware on its systems as the Mueller report indicates, then a host of questions arise about who the redacted vendor mentioned in the Mueller report is and how the Russian hackers gained access to at least one Florida county.
The easiest answer to the latter question is that regardless of whether VR Systems was hacked, the information available suggests a phishing email with a malware attachment was sent directly by the GRU to at least one Florida county and was spoofed to look like it came from VR Systems. VR Systems itself says that this scenario is likely the case.
In a May 14 statement, the company said, “After receiving a media inquiry based on Governor Ron DeSantis’ comments, we immediately called our contact at the FBI who confirmed what we said all along. VR Systems was not the source of any penetration into any county supervisor of elections systems. Based on this information, we stand by our assessment that a spear-phishing email impersonating our company was the likely source.”
This scenario is consistent with a spoofed VR Systems email that The Intercept obtained and published in June 2018. It also aligns with a Sun Sentinel newspaper investigation that found that at least 13 and as many as 20 election offices out of all the 67 Florida counties admitted they received a GRU phishing email from a Gmail account that appeared to come from VR Systems. (Importantly, Sumter County, one of the counties suspected of being breached by the GRU, denied receiving a GRU phishing email to the Sun Sentinel.)
Skilled hackers hide their tracks
Whether any Florida counties were penetrated via malware-laden phishing emails sent directly from the GRU, and not from a compromised VR Systems network, some election-related security professionals contend that there is also little doubt VR Systems was compromised. Jake Williams, founder of computer security firm Rendition Infosec and a former member of the NSA’s elite Tailored Access Operations (TAO) hacking team, thinks VR Systems can’t deny it was compromised. “There’s no question that some portion of their data has been compromised,” he tells CSO.
If that’s the case, another explanation for the apparent contradiction between what the Mueller report says and what VR Systems argues is that VR Systems may not really know the truth, which could be due to a lack of skill in understanding what happened or may be a lack of sufficient network monitoring or non-existent forensics. “Knowing how these systems are built, and knowing how little information is preserved, a lot of these systems don’t log the forensic information. It’s mindboggling how there is a fundamental lack of [security] skills,” Harri Hursti, founding partner of Nordic Innovation Lab and a noted election security expert, said. Moreover, it appears that some election vendors, despite what their marketing materials may say, are likely vulnerable to attack. “These are not hardened systems at all,” Hursti said.
Even VR Systems’ reliance on FireEye’s assessment that no malware could be found on its network is not solid proof that the GRU didn’t implant malware on its systems back in 2016 because it’s not clear whether FireEye or any other reputable security firm was monitoring VR Systems’ systems back in 2016. “No one has asked them if before 2016 ‘did you have independent security evaluation of your software?’” Hursti said.
Finding evidence of a breach by the GRU post-fact appears to be, moreover, likely an insurmountable challenge for a company like VR Systems given the ability of the GRU to deploy top-notch stealth attacks and engage in cutting-edge measures to erase or alter their tracks. “Something that quacks like a duck, walks like a duck might not be a duck,” according to Hursti. He offered an example of a recent incident where a Microsoft messenger worm was found in a voting server. It was quickly removed and the system was brought back up right away. “Maybe the attacker put it there to get them to reboot the server. Might be a duck but the duck is hiding,” he said. “You have to think of the sophistication of the attacker.”
Were other voting machine vendors hacked?
Finally, there is the prospect that the vendor mentioned in the Mueller report is not VR Systems at all. Some election security and intelligence experts have privately floated the notion that multiple vendors were targeted and possibly breached in 2016, even if the Mueller report mentions only one vendor. “It wouldn’t surprise me if there is another vendor who was compromised,” Rendition Infosec’s Williams said. “I don’t think there’s any question that that should be a concern.”