After Illinois hack, FBI warns of more attacks on state election board systems

Share this…

Concern about more attacks mounting as presidential elections approach. Someone using servers in the US, England, Scotland, and the Netherlands stole voter registration from one state’s Board of Elections website in June and attacked another state’s elections website in August, according to a restricted “Flash” memorandum sent out by the FBI’s Cyber Division. The bureau issued the alert requesting other states check for signs of the same intrusion.

The “Flash” memo, obtained by Yahoo News, was published three days after Secretary of Homeland Security Jeh Johnson offered state officials assistance in securing election systems during a conference call. According to Yahoo’s Michael Isikoff, government officials told him that the attacks were on voter registration databases in Illinois and Arizona. The Illinois system had to be shut down in July for two weeks after the discovery of an attack; the registration information of as many as 200,000 voters may have been exposed. No data was stolen in the Arizona attack, but malware was reportedly planted on the site.


While saying the Department of Homeland Security was unaware of any specific threat to election systems, Johnson offered states assistance from the National Cybersecurity and Communications Integration Center (NCCIC) “to conduct vulnerability scans, provide actionable information and access to other tools and resources for improving cybersecurity,” a DHS spokesperson said, describing the conference call. “The Election Assistance Commission, NIST, and DOJ are available to offer support and assistance in protecting against cyber attacks.”

The successful hack of the Illinois system began with a scan of the state election board’s site with Acunetix, a commercial vulnerability scanning tool used to discover SQL injection vulnerabilities and other site weaknesses. The attacker used information on an SQL injection bug to then use SqlMap, an open source tool, to access user credentials and data, and the DirBuster tool to discover hidden files and directories on the Web server. Yahoo reports that officials suspected “foreign hackers” for the attack.

Ars attempted to contact Acunetix for comment, but received no response.

The IP addresses listed as sources for the attacks are associated with commercial dedicated and virtual private server hosting companies: US and UK servers provided by King Servers LTD; Fortunix Networks LP, a custom hosting company with servers in Edinburgh; and Liteserver in Tilburg, the Netherlands. The use of virtual private servers (likely purchased with WebMoney, bitcoin, or some other anonymous currency) and off-the-shelf tools doesn’t suggest any significant amount of sophistication on the part of the attackers. But state government sites like those affected so far are typically not hardened against attack, so sophistication wouldn’t necessarily be required.