It wasn’t just the National Security Agency that knew about Russian attempts to infiltrate U.S. voting systems.
In the weeks leading to the 2016 presidential election, the then-leader of the Democratic National Committee warned the Department of Homeland Security that voter registration and absentee voting lists might have been sabotaged.
Donna Brazile, who was serving as the party’s acting chairwoman, said she also urged Republican National Committee Chairman Reince Priebus to learn more about the possible problems and to sign a joint statement with her, raising these concerns to DHS.
Priebus declined, Brazile told McClatchy on Tuesday.
“There is fear that the goal of a hacker attack on the voter list is to delete or alter names or other information and cause incidents at the polling stations,” Brazile wrote in an Oct. 18 letter to Priebus, now President Donald Trump’s chief of staff.
DHS officials assured her that investigators would contact election officials in all 50 states as part of its investigation into Russia’s attempted hacking into election machinery, which, according to a new report, was broader than previously known.
State and local election officials, including those whose systems were targeted, said they were contacted but were not told about the seriousness of a potential hack or that Russia was the instigator.
“Why weren’t election officials made aware of the threat to protect their systems?” asked Kay Stimson, spokeswoman for the National Association of Secretaries of State.
A National Security Agency report completed just weeks ago outlined a Russian spear-phishing scheme that launched repeated attacks on a Florida-based elections systems vendor, VR Systems, by sending deceptive emails to more than 100 local election officials in eight states, according to a report on the news website the Intercept.
Russian meddling in the 2016 presidential election — something Trump dismisses despite his intelligence agencies attesting to Moscow’s interference — first caught national attention in June 2016, when reports emerged that a hacker had compromised the account of an employee in Gila County in Arizona but failed to access the state’s voter-registration database.
About the same time Arizona’s system suffered a first-level breach, hackers now thought to be working for Russia got into the Illinois voter-registration systems.
“Our incursion was an SQL injection. It wasn’t an email with an infected file,” said Ken Menzel, general counsel for the Board of Elections, referring to an attack on the database. “Everything we had was turned over to FBI and Homeland. And I guess they analyzed the hell out of it.”
The FBI issued a flash alert to state election boards in June 2016, warning that their voter registration databases were being targeted by hackers, though it didn’t describe them as Russians.
By July, hackers were able to download data, “something on the order of 80,000 documents before we were able to stop it,” Menzel said. The information obtained by the hackers included names, addresses, driver’s license numbers and the last four digits of Social Security numbers.
Then, in August, an FBI alert listed identifier numbers that traced to a Russian company in forlorn Siberia called King Servers. McClatchy talked with its young owner Vladimir Fomenko, who said he was not the hacker but provided details such as how the hacker or hackers were paid.
Congress learned in September that there had been additional attempts by hackers to intrude on state voter registration databases “beyond those we knew about in July and August.” That information was delivered to lawmakers by FBI Director James Comey — fired by Trump in May and scheduled to testify Thursday on his investigation into the president’s team’s ties to Russian operatives.
Comey told Congress that states were being advised “to make sure that their dead bolts are thrown and their locks are on.” However, he said it would be very difficult to penetrate the voting systems in the United States “because it is so clunky and dispersed.”
After the DNC’s databases and voter files were tampered with, Brazile said she and three others — lawyer Michael Sussman, top DNC staffer Tom McMahon and former Democratic operative Matthew Miller — had a meeting with DHS on Oct. 17 to raise the alarm about whether voters could be purged from databases and voters’ precincts could be scrambled.
A day after that meeting, Brazile sent the letter to Priebus, asking him to join her in a statement affirming voters’ rights to have their votes counted and referencing possible problems with election systems.
DHS declined to comment on the meeting with Brazile. The White House and RNC did not return messages.
“I said from Day One that the so-called meddling and interference didn’t just have to do with hacked emails,” Brazile said. “We raised all these questions.”
Democrats, including many who worked for Hillary Clinton, said the report answers some questions they had about the extent of the attack but that they do not plan to challenge the election results. Clinton’s office did not respond to a request for comment.
Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, said Russian attacks on election systems were broader than even those leaked to the Intercept.
“The Russians’ attempt to interfere in the election was broad-based and I would like to work with communities to make sure more states come forward if they were attacked,” said Warner of Virginia. “This is one more example of this coordinated Russia effort. The notion was small or one off is just not accurate.”
Congress and the FBI are investigating whether Trump’s presidential campaign colluded with Russia in the hacking and public release of emails, documents and voicemails from Democratic and Clinton staffers.
VR Systems, based in Tallahassee, issued a statement, attributed to its CEO Mindy Perkins, late Monday suggesting it was notified by a customer about an email with an attachment that purported to come from the company but didn’t — a practice called phishing.
“We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result,” the statement said. “Phishing and spear-phishing are not uncommon in our society.”
Still unclear is the degree to which U.S. intelligence agencies are sharing information about cyber threats with state officials or each other.
A unit of DHS that assists state and local election officials made its cybersecurity services available in the months leading up to the election, said a department official, who spoke on condition of anonymity because the matter is sensitive. The agency’s services included “cyber hygiene scans” conducted remotely and assessments of each jurisdiction’s risks and vulnerabilities, the official said.
The official said DHS only serves those states that seek assistance and declined to identify which jurisdictions requested help in securing their voting systems last year. The National Association of Secretaries of State said 33 states and 36 counties took assistance from DHS, but declined to name which states and counties.
The leaked NSA report did not say whether agency cyber sleuths tracked the Russian operations in the final week before the Nov. 8 election in time to issue an additional alert to state and federal officials.
State officials moved quickly on Tuesday to assure voters that their votes were not affected.
But experts say there are limits to what state election boards can do to secure their systems in an era in which 32 states have opted to allow at least some form of online voting, despite warnings from cyber security experts that it’s not secure. More important, experts say, is the need to conduct audits of the vote, matching electronic votes with paper backups, or post-election forensic exams that would reveal any breaches.
Duncan Buell, a computer science professor at the University of South Carolina who has been closely involved in the issue, said “it can be very hard to even get (state elections officials) to admit that they are aware of the obvious security issues and take steps to mitigate the exposure, even when the stuff is obvious.”
Buell said the state officials with whom he has spoken “seem sincere” and “want to do the right thing,” but few have the expertise to fully grasp the threat.
While state election officials often stress that certain systems aren’t connected to the internet, Buell said, neither were centrifuges in Iran’s nuclear weapons program. U.S. operatives circulated flash drives containing a Stuxnet virus that eventually found its way into the program and “broke” the centrifuges, he said.
Alex Roarty and Greg Gordon contributed to this report.