Matt Blaze's
Science, Security, Curiosity
How to Hack an Election Without Really Trying
Unraveling the NSA "Russian Election Hacking" story.

This Monday, The Intercept broke the story of a leaked classified NSA report [pdf link] on an email-based attack on a various US election systems just before the 2016 US general election.

The NSA report, dated May 5, 2017, details what I would assume is only a small part of a more comprehensive investigation into Russian intelligence services' "cyber operations" to influence the US presidential race. The report analyzes several relatively small-scale targeted email operations that occurred in August and October of last year. One campaign used "spearphishing" techniques against employees of third-party election support vendors (which manage voter registration databases for county election offices). Another -- our focus here -- targeted 112 unidentified county election officials with "trojan horse" malware disguised inside plausibly innocuous-looking Microsoft Word attachments. The NSA report does not say whether these attacks were successful in compromising any county voting offices or what even what the malware actually tried to do.

Targeted phishing attacks and malware hidden in email attachments might not seem like the kind of high-tech spy tools we associate with sophisticated intelligence agencies like Russia's GRU. They're familiar annoyances to almost anyone with an email account. And yet they can serve as devastatingly effective entry points into even very sensitive systems and networks.

So what might an attacker -- particularly a state actor looking to disrupt an election -- accomplish with such low-tech attacks, should they have succeeded? Unfortunately, the possibilities are not comforting.


First, a bit of background. US elections are highly decentralized affairs, with each state responsible for setting its own standards and procedures for registering voters, casting ballots, and counting votes. (The federal government sets broad standards for things like accessibility, but is basically not involved in day-to-day election operations). In most states, the elections themselves are run by local county governments. which are responsible for creating ballots, setting up and managing local polling places, and counting and reporting the results of each race. There are just over 3000 counties in the US.

This decentralization is both good news and bad news for election integrity and security. The good news is that there is no "one stop shopping" for an attacker who wants to compromise voting systems across the country (although it may be sufficient to compromise only a relatively small number of carefully-selected counties to tip a close race). Every county is managed a bit differently, by different people, with different systems and equipment, and an attacker must deal with each one individually. The bad news is that county governments are typically funded by local taxes, with election offices competing with essential services like road maintenance and public safety for resources. More often than not, they are stretched thin, and may not even have their own full-time dedicated computer security specialists on staff.

Almost every aspect of an election - from maintaining voter registration rolls, to defining what is on the ballot, to configuring voting machines (including updating their firmware), to tallying the results, is generally managed by computers operated by the local county election office. Typically, the county's voting machine vendor supplies a unified suite of proprietary software (generally running on some version of Windows) that handles most of these functions.

The effect is that the computers in county election offices are very attractive targets for anyone who wants to compromise an election. These machines are typically networked together, so the computer used to manage the voter registration list might be connected to the same network used to configure voting machines and tally results (and these might even be the same computers). Depending on the particular configuration in a given county, compromising one user on one of these networks may be enough to give an attacker control over essentially all election functions. Controlling county election computers is the holy grail for an election hacker.

These are not merely hypothetical risks. Voting system software -- from every major vendor -- is notoriously insecure and plagued by exploitable vulnerabilities. (See, for example, the security reviews done for California and Ohio a decade ago; not much has changed since then). We found practical attacks that allowed a compromise of any single component to spread "virally" across every aspect of the election process. But compromising a county voting office's network (as the attack last fall attempted to do) bypasses the need to even exploit these kinds of vulnerabilities. Worse, these systems are notoriously difficult to meaningfully audit once they've been compromised; attackers can often cover their tracks by altering audit logs along with whatever other mischief they are doing.

All that said, merely attacking a few county election offices is still a long way from being able to reliably pick the winner in a national election. But changing the election outcome may not have been the attacker's goal here.

We generally think of election integrity as being a matter of preventing things like altered vote tallies and "ballot stuffing". That's the classic threat posed by, say, a dishonest candidate who wants to "steal" a public office. But a hostile state actor -- via an intelligence service such as Russia's GRU -- might be satisfied with merely disrupting an election or calling into question the legitimacy of the official outcome. With elections so heavily dependent on complex software-based systems, this kind of disruption can be very easy to do.

A hostile state actor who can compromise a handful of county networks might not even need to alter any actual votes to create considerable uncertainty about an election's legitimacy. It may be sufficient to simply plant some suspicious software on back end networks, create some suspicious audit files, or add some obviously bogus names to to the voter rolls. If the preferred candidate wins, they can quietly do nothing (or, ideally, restore the compromised networks to their original states). If the "wrong" candidate wins, however, they could covertly reveal evidence that county election systems had been compromised, creating public doubt about whether the election had been "rigged". This could easily impair the ability of the true winner to effectively govern, at least for a while.

In other words, a hostile state actor interested in disruption may actually have an easier task than someone who wants to undetectably steal even a small local office. And a simple phishing and trojan horse email campaign like the one in the NSA report is potentially all that would be needed to carry this out.

Unfortunately, the leaked NSA report doesn't tell us much about what actually happened or what the attackers were trying to do. The analysis appears to have been limited to examination of the email accounts used to send the phishing and trojan horse malware email. It did not include any forensic analysis of the county election networks used by the 122 targets (or even identify what counties those targets were from). We have no idea if the attacks succeeded at allowing the GRU to control any county's network or what exactly they were trying to do. It's possible (and I'd guess likely) that these questions have been or are being investigated, but the report doesn't tell us. We also don't know if there have been other hacking attempts beyond the fairly small-scale operation described in the report.

So what should we do? In the immediate term, we need to find out the extent to which county election systems have been compromised. Every voting machine as well as every computer on every county election office network in the US needs to be carefully forensically examined, and any evidence of compromise investigated. That might be an expensive and laborious process, but it is our only hope of unraveling the extent to which our elections were tampered with (if they were at all), to say nothing of cleaning up any malware left behind for the next election.

In the longer term, we need better, more secure, robust and auditable voting systems. Many states are still using insecure touch-screen "DRE" systems that have been shown to suffer from serious, exploitable vulnerabilities and that provide no ability for meaningful recounts. Our democracy deserves better than that, and we now have even more reason to demand it.

Update 13 June 2017: According to this Bloomberg News article, the attack (and the investigation) was indeed more widespread than this particular NSA document would suggest, and involved voter registration databases and possibly other election systems in at least 39 states. It remains unclear if the ultimate intended targets were the registration systems themselves (which would disrupt election operations) or other county backend voting infrastructure (including voting machines and tallying software) that might share the same networks (which could compromise the tally). The full extent is simply unknown at this point. This underscores the the need to throughly forensically examine every one of the thousands of state, local and county voting system and network in the US for evidence of malware and tampering. This would be a non-trivial undertaking, and does not appear to have been been done yet, at least at any scale. But until this occurs, there is simply no way to be sure of any damage, or if any systems might still be running left behind compromised software during the next election.

Update 14 June 2017: One point I neglected to mention, and that is probably the most important lesson of all of this: whether the GRU attack succeeded or not at disrupting its targets, it is inescapably clear that election technology must include nation-state actors as part of the threat model they protect against. This perhaps seems obvious -- of course hostile rival nations can be expected to try to tamper with elections -- but isn't really something these systems have been designed to resist. The security mechanisms in voting technologies, such as they are, are designed chiefly to protect against local corruption -- dishonest politicians or election officials seeking to unfairly advantage a candidate -- rather than sustained attacks from rival national intelligence services (which enjoy comparatively unlimited resources). Our systems, administered across thousands of local government jurisdictions, simply don't stand a chance against such a threat. For a timely example, just today it was reported that Georgia's voting systems have been largely unsecured

The current generation of voting technology used in the US has, since its introduction after the turn of the century, enjoyed something of a "honeymoon" from serious attack up until now. It's abundantly clear that the honeymoon is over.