The Federal Bureau of Investigation has issued a flash alert warning that foreign hackers are targeting the US election and voter registration systems. The agency has uncovered evidence of hackers having penetrated at least two state election databases in the recent weeks. The FBI has alerted the election officials across the country to take new steps to ensure security of their computer systems.
The alert issued earlier this month by the FBI's Cyber Division mentions of "attempted intrusion activities" by unknown threat actors. These hackers have tried to penetrate the Board of Election systems of two US states. One of these attacks was detected in July and the second in August this year. Using widely known security tools, unknown hackers managed to exfiltrate the details of 200,000 voters in Illinois. The latest incident saw a Russian hacker gaining login access to Arizona election systems. However, there is no evidence of data theft.
Russian hackers identified in an attack on US election systems
The alert came after the authorities decided to temporarily shut down the voter registration systems. "We got word from the FBI that a credential was leaked by a Russian hacker. The hacker apparently was a known entity to law enforcement," a spokesman for the Arizona secretary of state told the Wall Street Journal. While unconfirmed, many have linked the recent attacks to the Russian state-sponsored threat group that has previously targeted the Democratic Party.
There have been several incidents in the past one year where we have seen hackers finding and exploiting flaws in the US election websites. Thanks to misconfigured databases and security flaws, election websites have remained vulnerable to cyber attacks and voter information has also been exposed by these attacks.
In the alert addressed to "need to know" recipients, the FBI calls on the other states to notify the agency if any attacks are suspected.
The FBI received information of an additional IP address, 188.8.131.52, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 184.108.40.206 used in the aforementioned compromise.
In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor, detailed in the indicators section below.
The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected. Attempts should not be made to touch or ping the IP addresses directly.