Russia's military intelligence agency launched an attack days before the Nov. 8, 2016 General Election on a Florida-based company that provides election services and systems, including voter registration, according to a leaked NSA report.
The attempted hack came in the form of an email disguised as an updated user guide from that company, VR Systems. An attachment held the malware.
Pasco County Supervisor of Elections Brian Corley was one of several Tampa Bay area elections personnel who received the email. He said while there's no indication anyone opened the attachment, a hack would not have affected votes.
“The great thing about Florida in 2016 was we have used, since 2008, paper ballots and you cannot hack a paper ballot,” Corley said.
The Pasco elections supervisor said he was immediately suspicious when the email with an “updated user guide” as an attachment came into his inbox on Oct. 31, 2016, eight days after early voting had begun in most Florida counties.
“I remember thinking to myself, ‘wait a minute, they wouldn’t be sending out an updated user guide now, it would make no sense… We would have gotten any enhancements months previous. And it wouldn't have gone just to me and one other county that I saw, it would have gone to a listserv of hundreds of people.’”
He said VR Systems, which serves 64 of the 67 Florida counties, provides an electronic poll book which pulls up your voting information at the polls. Corley said that voter registration information is public record anyway.
“It's still troubling, and we take it very seriously,” Corley said. “But the end result is that we can see that it didn't impact anything at this point.”
VR Systems released a statement on Monday:
“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.
“Phishing and spear-phishing are not uncommon in our society. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.
“It is also important to note that none of our products perform the function of ballot marking, or tabulation of marked ballots.”
Chris Chambless, president of the Florida State Association of Supervisors of Elections, also sent out an email to election supervisors Tuesday about the reports:
By now I’m sure you’ve read the numerous reports of the recently leaked NSA report on Russian Hacking and hopefully you have taken the time to read the statement released by VR Systems. First, I want to remind you that contrary to the headline of many of the published reports, there has not been a verified report of any “hacking of US voting system.”
As VR stated, these news reports detail an attempt to gain information through the use of Phishing (The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.) or Spear Phishing (The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.) and highlights the fact “that none of VR systems products perform the function of ballot marking, or tabulation of marked ballots.” However, there is a very important lesson to be learned from this event: the importance of the use of enterprise-grade Antivirus and email SPAM filtering. It is also vitally important to routinely apply the latest patch or updates to ensure the greatest threat protection available. I cannot stress this too much, as our office receives thousands of fraudulent phishing and spam emails daily, which could cripple our organization without the use of these email resources.
In Summary, I would like to quote a recent blog entry by Mike Ertel, Seminole County Supervisor of Elections.
“2016 Debunk the Bunk (long, but important epilogue): You will be reading news reports today of a purported attempt to access Florida voter registration records by the Russian military. A couple of core facts about this story:
1) Florida voter registrations are public records. Anyone can get them by simply asking their local elections office.
2) The data and physical security measures our office employs for our technology infrastructure are top-notch. We have dug a cyber moat around the data so we can ensure access of sensitive information and systems by only those granted access.
3) We were aware of the cited phishing email the very moment it happened and took measures to ensure we were not impacted.
4) Like everyone who uses email, we are subject to dozens of phishing email scams daily -- we're sophisticated enough to catch them.
5) Important: Even if the bad guys would have accessed our local registration files (which they didn't), those files are in no way connected to vote counting.
6) I've said it hundreds of times, "you can't hack paper." Seminole County votes on trusted paper ballots.
7) In summation: Our election was not hacked by Russians. This whole exercise, however, does highlight two vital tenets of our republic: Elections are best run in our decentralized manner, allowing a greater obstacle for shenanigans; and competent, savvy, independent and principled elections administrators are looking out for you.
8) Like I always close... if anyone is trying to scare you into thinking your legitimate vote won't (or didn't) count, contact your local elections administrator.”