Modern field guide to security and privacy

In separate attack, Russian hacker targeted US election agency

While experts say the attack isn’t connected to recent political hacks, it highlights a troubling lack of digital security within US government organizations.

Bria Webb/Reuters
Americans voted at a polling station on election day in Harlem, N.Y.

Another day, another hack. This time it involves the Election Assistance Commission (EAC), the US government agency that vets polling security, and the suspected culprit is an unknown Russian hacker. 

While cybersecurity experts don't believe the breach is connected with the alleged Kremlin operation to manipulate the presidential election, it does add to the growing list of digital attacks originating from Russia that aim to disrupt and infiltrate critical American institutions and agencies.

News of the EAC hack emerged as President Obama is facing mounting pressure to retaliate against Moscow over the US government's claims that it carried an operation to interfere with the presidential election.

In this separate case, it appears that a Russian-speaking hacker was caught on a criminal marketplace trying to sell access to EAC systems. It's unknown if that access led to any data breaches.

Compromising EAC networks could allow someone access to sensitive data about US voting systems and the ability to steal the commission's data. But hacking the agency's system would not provide access to individual voting systems, polling stations, or vote tallies.

Still, the revelation is a troubling reminder that a lone hacker using a relatively simple technique can break into government agencies. Even though a breach at the EAC wouldn't compromise actual votes, it does send a troubling message about the level of cybersecurity at the agency that tests and certifies voting equipment.

“They are tasked by our government to protect and make sure that our voting systems are secure, and yet they were breached. It's incredible.” says Andrei Barysevich, director of advanced collections for the cybersecurity firm Recorded Future, which discovered the breach.

The firm, which tracks the darker corners of the web to uncover criminal activity, discovered the hacker, who it dubbed "Rasputin," attempting to sell access to EAC systems. Recorded Future posed as a buyer, gathered information about the vulnerability, and sent it to the FBI and to the EAC so it could fix the vulnerability.

EAC confirmed in a statement that it is aware of the potential intrusion. The commission also noted that it doesn’t collect information about voters or count any ballots. It supports the electoral process, it doesn’t actively participate in it.

Mr. Barysevich says the Russian hacker injected malicious code into the EAC website to gain access to its systems. This is a rudimentary technique that most popular websites defend against.

"I think that our government has to sit down and take a close look at what's going on and why we're continuously going through the same problems over and over and over again," says Mr. Barysevich. “Maybe they were too focused on making sure that external systems — voting machines — are safe and secure that they somewhat forgot about their own infrastructure."

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.