Russian-Speaking Hacker Selling Data Stolen from U.S. Election Assistance Commission (EAC)
Threat intelligence researchers have discovered that a Russian-speaking hacker broke into the U.S. Election Assistance Commission (EAC) systems, and has been trying to sell stolen access credentials — including admin-level — on the underground.
On December 1, researchers with Recorded Future discovered internet chatter that appeared to relate to an EAC breach. A hacker, called “Rasputin” by Recorded Future, was discussing the sale of more than 100 EAC access credentials to a middle-eastern government broker. Rasputin was claiming to have accessed the systems via an SQLi vulnerability, which Recorded Future was able to locate and report. This flaw has now been fixed.
The EAC was established by the Help America Vote Act of 2002. Its responsibilities include overseeing the testing and certification of electronic voting systems.
In October the US government officially accused Russia of conducting attacks against American political organizations specifically to interfere in the Presidential election. But there is no suggestion that the EAC breach could have been used in this way, and there is no suggestion that Rasputin has any direct link to the Russian government. It is probable that the breach was a standard hack, steal and sell operation by a cyber-criminal.
Nevertheless, the incident is a major embarrassment to an official body. SQLi flaws are common, and relatively easy to find and fix. “It’s not uncommon for this type of vulnerability to lead to broader system level access, however, in this case the full extent of the EAC compromise remains unknown,” report the researchers in an account posted late Thursday. However, it is equally unknown whether any other hacking body could have discovered and used the flaw earlier. Just as EAC did not discover the breach themselves (it was discovered by Recorded Future monitoring internet chat), there is always a possibility that another breach could go undetected.
In an opinion piece published in the Washington Post in October, members of the EAC including its chairman, wrote, “Recent reports regarding the ability of foreign hackers to change the outcome of the U.S. presidential election are overstated. Foreign hackers will not pick our next president – Americans will.”
There is nothing in this latest incident to suggest any need to reconsider this sentiment. “I doubt that SQL injection on any website in the world can impact presidential elections in the US,” Ilia Kolochenko, founder and CEO of High-Tech Bridge, told SecurityWeek. “You need to compromise hundreds of systems in dozens of state agencies to be able to falsify the votes. Moreover, such intrusions will be quite probably detected– the US has very competent people to assure their national cybersecurity and may serve an example to other countries.”
“We don’t think [Rasputin] actually works for any government or is super sophisticated,” said Andrei Barysevich, director of advanced collection at Recorded Future and author of the firm’s report. His own concern is that such breaches could potentially poison the website. “These administrative accounts could potentially be used to access sensitive information as well as surreptitiously modify or plant malware on the EAC site, effectively staging a watering hole attack utilizing an official government resource.
A statement from the EAC, issued late Thursday, said it was aware of the ‘potential intrusion’ and was “working with federal law enforcement agencies to investigate the potential breach and its effects.” It added, “The FBI is currently conducting an ongoing criminal investigation.”