As outgoing President Barack Obama pledges retaliation for election season hacks allegedly ordered by Russian President Vladimir Putin and President-elect Donald Trump vehemently denies such assertions, a team of cybersecurity experts at Recorded Future say they found an exploit on the Election Assistance Commission website that compromised administrative accounts and could have wider-reaching effects.
The EAC — established in 2002 by the Help America Vote Act — exists to help local election officials by creating voluntary voting system guidance, maintaining a database of pertinent election administration information and accrediting voting machine testing laboratories.
According to Recorded Future, hackers were able to set up a "watering hole" on the EAC site, leveraging an existing vulnerability to collect the login information of at least 100 EAC user accounts, "including some with administrative privileges."
A Russian-speaking hacker whom the group dubbed "Rasputin" then attempted to sell those credentials to online buyers, including foreign nations.
"Research suggests that the actor was in ongoing negotiations with a potential buyer, on behalf of a Middle Eastern government," Andrei Barysevich, Recorded Future's director of advanced collection, wrote in a Dec. 15 blog post. "Recorded Future successfully identified the penetration source and provided all information to federal law enforcement agencies."
That information was provided to the FBI, which is working with the commission to investigate the breach, Bryan Whitener, EAC director of communications, said in a statement.
"The U.S. Election Assistance Commission has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with federal law enforcement agencies to investigate the potential breach and its effects," the Dec. 15 statement said, adding, "The EAC does not administer elections. State and local jurisdictions run elections … The EAC does not collect or store any personal information of voters. The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals."
While such a breach would not directly compromise an election, it could act as the "beachhead" for a larger campaign, according to James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT).
"Due to the niche nature of the site, the vast majority of users accessing the portal would be doing so on local and state election PCs. The EAC is a central portal for all election officials, so, if the threat actor actually leveraged the portal as a watering hole, then malware could have spread onto any level of election official PCs used to access the portal," he said.
In order for that to have an effect, those hypothetically infected computers would have to be "connected to the tabulation systems, used to update or test election machines or used to input and transmit election results," Scott explained. "Then the hypothetical malware could compromise the integrity of the election at the local or state" level.
As of yet, there is no evidence any such compromise took place.
While election systems have yet to be officially classified as "critical infrastructure" under the Department of Homeland Security designation, Scott agreed the election infrastructure is certainly critical.
"The real payday will be when someone finds chatter by hackers selling access-as-a-service to the state tabulators and/or the update server at the [voting machine] manufacturers," he said, which could have a direct effect on an election and skew the will of the voters.
"It's often not the party directly in the cross hairs who gets hit — defense contractor instead of military or HVAC vendor instead of retailer — and this reinforces how much information could be leveraged by our adversaries and how much of supply chain and infrastructure risk exists outside of the voting machines themselves," said Ben Johnson, chief security strategist at Carbon Black and a former NSA computer scientist. "This should not be taken lightly."
"While I don't think we should assume this specific incident is tied to the current investigation by the intelligence community, it brings to light how complicated the entire election system is and how many different parties could be compromised in order to manipulate or at least gather intelligence on U.S. elections," he added.
For its part, Recorded Future did not attempt to determine whether or not this breach was orchestrated by Russian government officials, as the Obama administration has done.
"While this blog post may be relevant to informing some of those discussions, we make no claims whatsoever regarding operations run by any Russian intelligence service," Barysevich wrote. "Such operations are out of scope for this research and blog post."