Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)
Analysis: FBI Warning About Voter Database AttacksScript Kiddies or Russia? Internet Already Awash with Voter Records
No other American election has encompassed so much cybersecurity intrigue. The latest news, first reported by Yahoo News, finds that the FBI warned state electoral boards on Aug. 18 to safeguard their voter registration records after two states were targeted by cyberattacks.
News outlets have already reported the attacks against Illinois and Arizona. The FBI warning likely reflects rising concern within the U.S. government around the security of the election in light of the attacks against various Democratic Party organizations in June. Those attacks have widely been pinned on Russian intelligence, although no definitive evidence has emerged (see Did Russia - or Russian-Built Malware - Hack the DNC?).
The four-page advisory says one state's systems were targeted using SQL injection, a script-kiddie method for pulling information out of a database. The attack, one of the most common web-based ones, takes advantage of SQL databases that don't filter certain types of commands, which can be exploited to direct the database to spill its contents.
Illinois lost 200,000 voter records, according to Yahoo's report. As a result of the attacks, Illinois shut down its voter registration system on July 13. "This was a highly sophisticated attack most likely from a foreign (international) entity," according to a message sent to Illinois election authorities that was shared on Facebook. Arizona also shut down parts of its voter registration system, and malicious software was found.
While the U.S. government has a heightened sensitivity over election-related cyberattacks, these incidents should still be put in perspective, according to one cybersecurity expert.
Thomas Rid, a professor in the Department of War Studies at King's College London, initially called the FBI alert "big" but later clarified on Twitter: "This is 'big' - but I should not have said so. Our overreaction to a trivial and inconsequential SQL trick is the real problem here."
The FBI warning gives specific IP addresses where the attacks originated, which are now being studied by security analysts. Attackers often use proxy or hacked computers to launch attacks, so IP addresses can be misleading on their own as evidence of the real origin of an attack.
Security companies and organization have vast caches of data on malicious IP addresses, which can sometimes provide useful historical information. Attribution, however, is always tricky. For example, some experts have taken issue with the technical data that some say show the Democratic Party's problems stemmed from Russian interference.
Arizona officials say the FBI told them that Russians were behind the attacks against the state's network, the Washington Post reported. The attackers did not compromise an Arizona state or county network but had stolen a username and password for an election official in Gila Country, the publication reported.
Personal Data at Risk
But if voter-registration system hackers wanted voter registration records, they could have tried an easier approach than a SQL injection attack - such as just using Google.
Voter registration records contain personal information including name, address, birthdates and party affiliation. In many states, the information is completely public and also available to political campaigns. As a result, that data often gets splashed all over the internet.
For example, Tom Alciere of New Hampshire runs a batch of websites containing the voter registration records for Florida, Colorado, Connecticut, Delaware, Michigan, Ohio, Oklahoma and Rhode Island.
Alciere is factual but unapologetic about the websites: "In a free country, a person can freely communicate true facts lawfully obtained from a public record," according to a Q&A pertaining to the state of Florida.
The FBI alert is predated by a much larger repository of voting information appearing online in December. That's when security researcher Chris Vickery found a 300 GB database containing 191 million U.S. voter records, which was virtually the entire country's population of eligible voters - and then some. The database wasn't password-protected, and anyone could access it (see 191 Million U.S. Voter Registration Records Exposed?).
The publication CSOonline traced the database, finding it was developed by NationBuilder, a company that develops software for campaigns and nonprofit organizations. NationBuilder offers a database of 190 million voters for its customers. It appeared that someone obtained this database and then posted it online. The database was eventually removed.
Motivation Remains Unclear
If it's faster to get the personal information of tens of thousands of voters online than it is to get a pizza delivered, would a state-sponsored attacker bother with plucking a couple of hundred thousand Illinois records and also trying to breach Arizona's systems?
Rid suggests that just interfering with any voting system is going to garner a lot of attention, even if the technical details of the attack are mundane.
"Any voting system hack is therefore likely to have an out-of-proportion psychological effect," he writes on Twitter.
1--Interfering with any voting-related system is bound to get a lot of attention, even if actual technical facts don't merit that attention— Thomas Rid (@RidT) August 29, 2016
Still, the attacks beg questions as to whether the probes could be a prelude to a deeper one intended to affect the integrity of election systems. To be sure, even a well-timed ransomware attack could potentially cause disruptions in November if it scrambled voter records.
Hackers targeting election data is a worrisome turn of events, but a breach of voter records isn't likely to hurt the election process, says Andrew McDonnell, vice president of security solutions at AsTech Consulting in San Francisco. Disrupting the U.S. election using cyberattacks would take a lot more effort, he contends.
"All I see is yet another database breach," McDonnell says. "If the hackers are going to turn this into election tampering somehow, the apparatus that fraud would require is of greater concern to the electoral process than this breach. It's not at all trivial to turn lists of registered voters into fraudulent election results."