July 2016—August 18, 2016: Hackers target the election databases in two US states, but the motives and identities of the hackers are unclear.

In July 2016, the FBI uncovers evidence that the state election databases of Arizona and Illinois may have recently been hacked. Officials shut down the voter registration systems in both states in late July 2016; the Illinois system stays shut down for ten days.


Jeh Johnson (Credit: public domain)

On August 15, 2016, Homeland Security Secretary Jeh Johnson heads a conference call with state election officials and offers his department’s help to make state voting systems more secure. In the call, he emphasizes that he is not aware of “specific or credible cybersecurity threats” to the November 2016 presidential election.

Three days later, the FBI Cyber Division issues a warning, titled “Targeting Activity Against State Board of Election Systems.” It reveals that the FBI is investigating hacking attempts on the Arizona and Illinois state election websites. The warning suggests the hackers could be foreigners and asks other states to look for signs that they have been targeted too. Out of the eight known IP addresses used in the attacks, one IP address was used in both attacks, strongly suggesting the attacks were linked.

An unnamed “person who works with state election officials” calls the FBI’s warning “completely unprecedented. … There’s never been an alert like that before that we know of.” In the Arizona case, malicious software was introduced into the state’s voter registration system, but apparently no data was successfully stolen. In the Illinois case, however, the hackers downloaded personal data on up to 200,000 state voters.


Tom Kellermann (Credit: BBC News)

It is not known who was behind the attacks. One theory is that the Russian government is responsible. A former lead agent in the FBI’s Cyber Division said the way the hack was done and the level of the FBI’s alert “more than likely means nation-state attackers.” Tom Kellermann, head of the cybersecurity company Strategic Cyber Ventures, believes Russian President Vladimir Putin is ultimately behind the attacks, and thinks it is connected to the hacking of the Democratic National Committee (DNC) and other recently targeted US political targets. Kellermann says of Putin, “I think he’s just unleashed the hounds.”

But another leading theory is that common criminals are trying to steal personal data on state voters for financial gain. Milan Patel, former chief technology officer of the FBI’s Cyber Division, says, “It’s got the hallmark signs of any criminal actors, whether it be Russia or Eastern Europe.” But he adds, “the question of getting into these databases and what it means is certainly not outside the purview of state-sponsored activity.” Some cybersecurity experts note that hackers often target government databases for personal information they can sell.


Rich Barger (Credit: ThreatConnect)

So far, the motive and identity of the hackers remain uncertain. Rich Barger, chief intelligence officer for ThreatConnect, says that one of the IP addresses listed in the FBI alert previously surfaced in Russian criminal underground hacker forums. Such criminal groups sometimes work alone, and at other times work for or cooperate with the Russian government. Barger also says the method of attack on one of the state election systems resembles methods used in other suspected Russian state-sponsored cyberattacks. But cybersecurity consultant Matt Tait says that “no robust evidence as of yet” connects the hacks to the Russian government or any other government.

US officials are considering the possibility that some entity may be attempting to hack into voting systems to influence the tabulation of results in the November 2016 election. A particular worry is that six states and parts of four others use only electronic voting with no paper verification. Hackers could conceivably use intrusions into voter registration databases to delete names from voter registration lists. This is still considered only a remote possibility, but the FBI is warning states to improve their cybersecurity to reduce the chances that it could happen.

News of these attacks and FBI alerts will be made public by Yahoo News on August 29, 2016. (Yahoo News, 8/29/2016) (Politico, 8/29/2016)

July 26, 2016: A cybersecurity group claims to have new evidence that Guccifer 2.0 is actually a team of Russian hackers.

Guccifer 2.0 is a hacker who claims he broke into the Democratic National Committee (DNC) computer network and then gave the emails he found to WikiLeaks. He also claims to be an East European with no connection to Russia.


ThreatConnect logo (Credit: public domain)

However, the cybersecurity research group ThreatConnect claims to have new evidence linking Guccifer 2.0 to an Internet server in Russia and to a digital address that has been linked to previous Russian online scams. They conclude that Guccifer 2.0 is actually an “apparition created under a hasty Russian [denial and deception] campaign” to influence political events in the US.

Their report concludes, “Maintaining a ruse of this nature within both the physical and virtual domains requires believable and verifiable events which do not contradict one another. That is not the case here.” For instance, Guccifer 2.0 claims to have broken into the DNC network in the summer of 2015 using a software flaw that didn’t exist until December 2015.

Furthermore, the report describes the Guccifer 2.0 entity as “a Russia-controlled platform that can act as a censored hacktivist. Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives.” (The Daily Beast, 7/26/2016)


August 12, 2016: Whoever hacked DNC and other Democrat-related emails in the last year may have also targeted Republicans.

The Daily Beast reports that cybersecurity experts believe the hacker or hackers who stole emails from the DNC (Democratic National Committee) are behind a website known as DCLeaks. The site went public in June 2016 to little media attention. But the site contains emails from hundreds of Republican and Democratic US politicians, including staffers to Republican Senators John McCain and Lindsey Graham, plus staffers to former Republican Representative Michele Bachmann. An unnamed “individual close to the investigation of the Democratic Party hacks” says the evidence is growing that both parties have been targeted: “Everyone is sweating this right now. This isn’t just limited to Democrats.”


Senators John McCain (left) and Lindsey Graham (right) (Credit: Kevin Lamarque / Reuters)

The cybersecurity company ThreatConnect has been investigating the recent hacks of US political targets, and it calls DCLeaks a “Russian-backed influence outlet.” In particular, it has linked the site to Fancy Bear (a.k.a. APT 28), a hacking group also accused of hacking the DNC and believed by many to be working for the Russian government: “DCLeaks’ registration and hosting information aligns with other Fancy Bear activities and known tactics, techniques, and procedures.” ThreatConnect also claims that the hacker or hacking group known as Guccifer 2.0, who claims to be behind the hacking of the DNC emails that WikiLeaks publicly posted in July 2016, is linked to DCLeaks.

The Daily Beast reports that “researchers, at ThreatConnect and elsewhere, also now believe that Guccifer 2.0 was WikiLeaks’ source and that the group is acting as a front for the Russian government.” (The Daily Beast, 8/12/2016)