Two State Elections Databases Have Been Hacked. The Russians Aren’t the Only Suspects.

Looks more like “ordinary criminal hacktivists than nation-state intelligence agencies.”


Arizona Secretary of State Michele Reagan was in the backyard of her home last June when she got a call from her chief of staff. “The first words out of his mouth were, ‘Can you sit down?'” Reagan told Mother Jones. He then said that her office had been “contacted by the FBI, and it looks like there’s a computer password and username that belongs to our database for sale on the dark web.”

Reagan is the chief elections officer for the state of Arizona, and the credential that was for sale on the “dark web”—a collection of websites that hide their IP addresses to obscure where they’re hosted and who runs them—would potentially give the buyer access to a database containing personal information for nearly 4 million voters. With help from the FBI, the Arizona Department of Homeland Security, and the Arizona Department of Administration, Reagan and her staff determined that an employee in Gila County, Arizona, had opened a Microsoft Word document attached to an email. That document likely contained software that may have tracked the employee’s keystrokes, which eventually led to the attacker getting a username and password to one of the state’s election-related databases.

Arizona and Illinois have both seen their election databases probed by hackers during a summer dominated by headlines of Russian hackers attacking the Democratic National Committee and other Democratic Party institutions, and releasing thousands of pages of emails, memos, and donor information related to the Clinton campaign. In addition, at least 23 states’ systems have reportedly been scanned for vulnerabilities, according to Politico, and 33 have asked the Department of Homeland Security for help securing their systems.

Last Friday, the US government officially accused “senior-most officials” in Russia of being behind the DNC hacks, but it has stopped short of blaming Russia for the repeated scans of state election databases. That hasn’t stopped the two issues from becoming conflated, with many in the political community arguing that the election database episodes are connected to the DNC hacks. “Russians Hacked Two U.S. Voter Databases, Officials Say,” NBC News reported on August 30. “‘No doubt’ Russia behind hacks on U.S. election system: senior Democrat,” Reuters reported October 2, citing Rep. Adam Schiff (D-Calif.). Democrats have long urged the White House to publicly blame Russia for all the hacks, and they repeatedly suggest that Russia is trying to help Donald Trump become president.

“Believe me, they’re not doing it to get me elected,” Clinton said during Sunday night’s presidential debate. “They’re doing it to try to influence the election for Donald Trump.”

But security researchers have poured cold water on the connection between Russia and election databases. “There’s not a shred of evidence that [the] Russian government was behind the stealing of one password and one username of an election official in Gila county, Arizona,” wrote Jeffrey Carr, a cybersecurity consultant and author of Inside Cyber Warfare: Mapping the Cyber Underworld.

Matt Tait, a UK-based cybersecurity researcher, told Mother Jones that the information contained in the FBI alert sent to state election officials in August suggests what’s happening to state election systems is more “commonly associated with ordinary criminal hacktivists than nation-state intelligence agencies.” He says Russia could be behind the state election hacks, “but we should be very cautious before casually concluding a sophisticated adversary is behind a hack using a very simple and widely available attack tool.”

Reagan says the FBI told her that Arizona’s database probe was the work of a “known hacker” and one who was “frequently” monitored. According to their internal rating system, this hacker was scored an 8 out of 10.

The FBI’s press office wouldn’t comment on specific investigations related to state election systems, but it told Mother Jones in an email that “in furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help system administrators guard against the actions of persistent cyber criminals.”

“It was concerning enough to them to say somebody needs to check your database,” Reagan says. She and her staff took the database offline and had it thoroughly inspected over the course of 10 days. They made sure they found no evidence anybody had accessed it, stolen any information, or altered or inserted any software that would remain in the database once they put it back online.

Election officials in Illinois weren’t so lucky. Over the summer someone had successfully hacked one of the state’s election databases for a month before it was detected by election board staffers, and the attacker managed to steal the personal information of nearly 90,000 voters. The records of those voters were viewed and perhaps copied, according to state election officials, but there isn’t any indication the information was altered or destroyed.

The Arizona and Illinois incidents spurred the FBI to warn election officials on August 18 that two unnamed states’ systems had been probed for vulnerabilities. The warning, first reported on August 29 by Yahoo News, shared specific technical details of the attacks and urged state election officials to scan their systems’ logs for certain IP addresses and commands used by the attackers to access the state election databases.
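The kind of log review the FBI warning asked for, matching web-server access logs against a list of attacker IP addresses and request patterns, looks roughly like the script below. This is an added illustration written for this article, not code from the FBI alert, Mother Jones, or any state election office, and it goes slightly beyond the single case described above by also handling CIDR ranges and percent-encoded query strings. The indicator addresses (RFC 5737 documentation ranges), the request patterns, and the five log lines are all constructed for the example; the alert’s actual indicators do not appear on this page and are not reproduced here.

```python
"""Match web-server access-log lines against an indicator list (constructed example)."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed indicators for illustration only: these are RFC 5737 documentation
# addresses, NOT the IP addresses from the FBI's August 2016 alert.
INDICATOR_NETWORKS = [
    ip_network("203.0.113.0/24"),
    ip_network("198.51.100.7/32"),
]

# Constructed request patterns a defender might flag in a public-facing site's logs.
SUSPICIOUS_PATTERNS = [
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"information_schema", re.IGNORECASE),
    re.compile(r"sleep\(\d+\)", re.IGNORECASE),
]

# Apache/nginx "common" log format: client ip, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines; line 3's query string is percent-encoded, as a server records it.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Aug/2016:10:01:02 -0700] "GET /elections/results HTTP/1.1" 200 5120
203.0.113.45 - - [20/Aug/2016:10:05:13 -0700] "GET /voters/search?county=1 HTTP/1.1" 200 3340
192.0.2.22 - - [20/Aug/2016:10:06:40 -0700] "GET /voters/search?county=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 212
198.51.100.7 - - [20/Aug/2016:10:07:01 -0700] "GET /login HTTP/1.1" 200 980
192.0.2.10 - - [20/Aug/2016:10:08:11 -0700] "GET /favicon.ico HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_logs(lines, networks=INDICATOR_NETWORKS, patterns=SUSPICIOUS_PATTERNS):
    """Return one hit per line that matches an indicator network or a suspicious request pattern."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        try:
            addr = ip_address(rec["ip"])
        except ValueError:
            addr = None  # malformed client field; still check the request text below
        if addr is not None and any(addr in net for net in networks):
            reasons.append("indicator-ip")
        # Decode percent-encoding so "UNION%20SELECT" is seen as "UNION SELECT".
        decoded = unquote(rec["req"])
        for pat in patterns:
            if pat.search(decoded):
                reasons.append("pattern:" + pat.pattern)
        if reasons:
            hits.append({"line": lineno, "ip": rec["ip"], "request": rec["req"], "reasons": reasons})
    return hits


def hits_by_ip(hits):
    """Count hits per source address, useful for deciding which addresses to investigate first."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'line {h["line"]}: {h["ip"]} {h["request"]} -> {", ".join(h["reasons"])}')
    print(hits_by_ip(found))
```

On the constructed sample this flags lines 2 and 4 for their source addresses and line 3 for its decoded query string, while the ordinary traffic on lines 1 and 5 passes. The percent-decoding step matters in practice: an indicator list that only greps raw log text misses the encoded form a web server actually writes. Carr’s point in the next paragraph also applies to output like this: an address match in a log is a lead to investigate, not by itself proof of who was behind the request.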

Carr, the cybersecurity consultant, published a post on August 30 on Medium entitled, “The Arizona Election Hack Story Is an Embarrassment to Everyone Involved.” He argued that the tools and methods outlined in the FBI warning were not conclusive of Russian involvement, and that neither were other factors, like the use by hackers of IP addresses hosted by Russian companies. Researchers, automated scanning systems, security companies, and search engines routinely scan servers for various reasons. So when Reagan says her IT staff detected 192,000 attempts in the month of September alone to get into the Arizona secretary of state’s public-facing website—11,000 of which looked like someone trying to “do harm”—Carr is dismissive.

“There are all sorts of reasons why a network might get pinged,” he said. “And none of them are related to targeted attacks. It is not an attack.”

In a tweet, Tait noted, “Lots of folk going to look silly when FBI arrest the (not Russian) high school kid who hacked Arizona’s election site with free download tool.”

But the central question involves voter confidence in the integrity of the electoral system and election results. Rich Barger, the chief intelligence officer at security research firm ThreatConnect—one of the firms that has tied the DNC hack to Russia—told the Washington Post on August 29 that “the very fact that [someone] has rattled the doorknobs, the very fact that the state election commissions are in the crosshairs, gives grounds to the average voter to wonder: Can they really trust the results?”

Reagan agrees. “From going around and talking to people in Arizona, that’s what everyone’s biggest fear was,” she says. She acknowledged that “identity theft is bad and we’re all on the lookout for it.” But she found that the greatest worry from Arizona voters was whether the election results were “going to be legit.”