Russia targeted all 50 states in 2016 election, Senate report says

Russians targeted election systems in all 50 states during the 2016 US presidential election, and it’s unclear what their purpose was, according to a report released by the US Senate Select Committee on Intelligence (SSCI) on Thursday.

What were the Russians intending? Your guess is as good as the SSCI’s. From the 67-page, highly redacted report:

Russian intentions regarding U.S. election infrastructure remain unclear. Russia might have intended to exploit vulnerabilities in election infrastructure during the 2016 elections and, for unknown reasons, decided not to execute those options. Alternatively, Russia might have sought to gather information in the conduct of traditional espionage activities. Lastly, Russia might have used its activity in 2016 to catalog options or clandestine actions, holding them for use at a later date.

From what’s known about Russia’s operating procedures and intentions more broadly, the country’s cyber activity is intended, overall, to undermine election integrity and American confidence in democracy, the SSCI said.

This report, entitled Volume 1: Russian Efforts Against Election Infrastructure, is the first installment in a series of reports expected to come out of the SSCI’s two-year, ongoing investigation into Russia’s 2016 tampering. There are four more installments due, coming from other areas on which its probe focused.

According to the report, the SSCI found that from at least as early as 2014 and continuing until at least 2017, Moscow directed “extensive” activity at US election infrastructure at the state and local level.

In October 2018, the Department of Homeland Security (DHS) reported that “numerous actors” were targeting election systems, “likely for different purposes,” such as to disrupt elections, steal sensitive data, and undermine confidence in the election. The DHS said it saw an upswing in the malicious activity in 2018, though it can’t really compare the activity with previous years, since it doesn’t have a complete comparative baseline. It gets its intelligence from state and local election officials, who proactively share it, as well as from intelligence and information sharing within the election community.

A tool kit of tactics

Russia’s tactics have included both the analog – the State Department was aware of agents being sent to polling sites to observe elections in 2016 – and the digital. According to the SSCI’s report, Moscow tried common cyber assaults: since at least April 2018 up until at least early October 2018, unidentified actors have tried spear-phishing, exploiting databases, and denial of service (DoS) attacks against election systems.

They’ve also successfully phished at least one state employee’s login credentials after installing keystroke-logging malware, according to a private-sector DHS partner claiming secondhand access. Fortunately, the actor was stopped by a lack of more credentials needed to get at the voter registration database.

That sounds a lot like what happened to the Democratic National Committee (DNC), where phishers managed to get credentials; break into the email account of John Podesta, chairman of Hillary Clinton’s presidential campaign; steal a bevvy of emails; and post them on WikiLeaks.

Another of many attacks described in the SSCI report came on 24 August 2018, when cybersecurity officials detected multiple attempts to get at Vermont’s Online Voter Registration Application (OLVR) registration database. The attackers tried one Cross Site Scripting (XSS) attack, seven Structured Query Language (SQL) injection attempts, and one attempted Denial of Service (DoS) attack. None of the attacks worked.

The attackers had more luck getting, and maintaining, access to some elements of multiple state or local electoral boards, though. They got access to two states’ election systems, managing to steal voter data. In Illinois, that meant the theft of up to 200,000 voters’ registrations. The records they exfiltrated included voters’ names, addresses, partial social security numbers, dates of birth, and either a driver’s license number or state identification number.

The attack was carried out via SQL injection on Illinois’s online voter registration website. The silver lining: “None of these systems were involved in vote tallying.” The tarnished lining: all that data can be used for identity theft.

The report redacts the second state’s identity, referring to it in non-redacted sections only as “State 2.” Whoever State 2 is, it staunchly believes that there was “never an attack on our systems.” In December 2018, the state’s secretary of state and election director told the SSCI, “we did not see any unusual activities. I would have known about it personally.”

An earlier SSCI assessment from January 2017 highlighted Russia’s gearing up to have people contest the election results if Secretary Hillary Clinton managed to pull off a win in the presidential election. According to that declassified report, Russian diplomats were prepared to throw voter fraud allegations into the ring, to “publicly call into question the validity of the results”. The SSCI also found that pro-Kremlin bloggers had prepared a Twitter campaign, dubbed it #DemocracyRIP, and geared up to unleash it on election night if Clinton won.

Besides Twitter activity, the SSCI says that during a 2017 election, one unidentified state saw “hot activity” on social media – particularly on Reddit – including allegations of voter fraud. That state had to try to prove later that there was no fraud.

While the DHS and FBI warned states about these cyberattacks in the summer and fall of 2016, the report said that the warnings “did not provide enough information or go to the right people.” It sounds like alarm fatigue also came into play. From the report:

Alerts were actionable, in that they provided malicious Internet Protocol (IP) addresses to information technology (IT) professionals, but they provided no clear reason for states to take this threat more seriously than any other alert received.

The SSCI says that the feds don’t want to step on any toes. States should be “firmly in the lead” when it comes to running elections. The fact that the country has a decentralized election system “can be a strength from a cybersecurity perspective,” the report says, but each operator should be “keenly aware of the limitations of their cybersecurity capabilities and know how to quickly and properly obtain assistance.”

Senator Ron Wyden, always quick to weigh in on technology issues, begged to differ. In dissenting minority views that accompany the committee’s report, he said, “I cannot support a report whose top recommendation is to ‘reinforce state’s primacy in running elections.'”

From Wyden’s comments:

We would not ask a local sheriff to go to war against the missiles, planes and tanks of the Russian Army. We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army. That approach failed in 2016 and it will fail again.

The SSCI also recommended evaluating the grant money – $380 million – that Congress gave to states in 2018 to bolster security. Senate Majority Leader Mitch McConnell has repeatedly blocked additional election security bills, including two measures he shot down on Thursday, dismissing them as “partisan legislation.”

While politicians waste time on partisan squabbling, Russia’s still at it, according to former special counsel Robert Mueller. On Wednesday, in testimony about his own report to the House Judiciary Committee, he called the Russian government’s effort to interfere in our elections among the “most serious” challenges to the country’s democracy he’s seen. From his testimony:

It wasn’t a single attempt. They’re doing it as we sit here.