Fears of election hacks and reports of data leaks were possibly some of the most talked-about topics during the 2016 US presidential election and its campaign period. It turns out that the US agency responsible for ensuring that voting machines were secure and that election officials were following best practices was itself breached by a hacker in November.
Led by Presidential appointees, the Election Assistance Commission certifies voting systems and develops security measures and best practices for election officials across the country.
Recorded Future, a security firm working with law enforcement, has said that the US Election Assistance Commission was penetrated after the elections. Recorded Future "was monitoring underground electronic markets where hackers buy and sell wares and discovered someone offering logon credentials for access to computers" at the Election Commission.
Reuters reported that the security firm then engaged in a conversation with the hacker by posing as a potential buyer. They discovered that the hacker had managed to obtain credentials of over 100 people at the Commission, Levi Gundert, VP of Intelligence at the company, and Andrei Barysevich, Director of Advanced Collection, confirmed.
By exploiting a common database vulnerability (SQL injection), the hacker had managed to gain access to the Commission network. The Russian-speaking hacker was then trying to sell information about this vulnerability to a "Middle Eastern government for several thousand dollars." However, the research group alerted law enforcement, pushing for a patch for the vulnerability. (It was patched this Thursday.)
The Commission hasn't responded to the hacking incident, and an FBI spokeswoman said her agency could only comment after a confirmation from the Commission.
Barysevich said that the security firm doesn't believe that the hacker "actually works for any government or is super-sophisticated." He used a well-known vulnerability (that the Commission had failed to fix) to obtain a list of usernames and passwords, which he also managed to crack. The report doesn't mention the type of hashing used, but if a hacker that the security firm is calling "unsophisticated" can crack them, then the Commission must be storing the passwords with a weak hashing scheme.
Researchers added that the hacker had an "unusual business model," and moved rapidly to sell "access," but didn't steal data himself, making the firm believe he wasn't state-sponsored.
He did, however, gain access to non-public reports on flaws in voting machines. Matt Blaze, an electronic voting expert and professor at the University of Pennsylvania, told Reuters that "in theory, someone could have used knowledge of such flaws to attack specific machines."