Modern field guide to security and privacy
Americans voted at a polling station on election day in Harlem, N.Y.
Bria Webb/Reuters

In separate attack, Russian hacker targeted US election agency

While experts say the attack isn’t connected to recent political hacks, it highlights a troubling lack of digital security within US government organizations.

Another day, another hack. This time it involves the Election Assistance Commission (EAC), the US government agency that vets polling security, and the suspected culprit is an unknown Russian hacker. 

While cybersecurity experts don't believe the breach is connected with the alleged Kremlin operation to manipulate the presidential election, it does add to the growing list of digital attacks originating from Russia that aim to disrupt and infiltrate critical American institutions and agencies.

News of the EAC hack emerged as President Obama is facing mounting pressure to retaliate against Moscow over the US government's claims that it carried out an operation to interfere with the presidential election.

In this separate case, it appears that a Russian-speaking hacker was caught on a criminal marketplace trying to sell access to EAC systems. It's unknown if that access led to any data breaches.

Compromising EAC networks could allow someone access to sensitive data about US voting systems and the ability to steal the commission's data. But hacking the agency's system would not provide access to individual voting systems, polling stations, or vote tallies.

Still, the revelation is a troubling reminder that a lone hacker using a relatively simple technique can break into government agencies. Even though a breach at the EAC wouldn't compromise actual votes, it does send a troubling message about the level of cybersecurity at the agency that tests and certifies voting equipment.

“They are tasked by our government to protect and make sure that our voting systems are secure, and yet they were breached. It's incredible,” says Andrei Barysevich, director of advanced collections for the cybersecurity firm Recorded Future, which discovered the breach.

The firm, which tracks the darker corners of the web to uncover criminal activity, discovered the hacker, whom it dubbed "Rasputin," attempting to sell access to EAC systems. Recorded Future posed as a buyer, gathered information about the vulnerability, and sent it to the FBI and to the EAC so the commission could fix the vulnerability.

The EAC confirmed in a statement that it is aware of the potential intrusion. The commission also noted that it doesn’t collect information about voters or count any ballots. It supports the electoral process; it doesn’t actively participate in it.

Mr. Barysevich says the Russian hacker injected malicious code into the EAC website to gain access to its systems. This is a rudimentary technique that most popular websites defend against.

"I think that our government has to sit down and take a close look at what's going on and why we're continuously going through the same problems over and over and over again," says Mr. Barysevich. "Maybe they were too focused on making sure that external systems — voting machines — are safe and secure that they somewhat forgot about their own infrastructure."