The officials were targeted with spear phishing emails that claimed to provide documentation for an e-voting system.
Members of Russia’s military intelligence service targeted 122 U.S. local election officials with spear phishing emails days before the 2016 presidential election, according to a classified National Security Agency document leaked to The Intercept.
On August 24, 2016, the Russian hackers targeted a U.S. election software company with phishing emails — according to The Intercept, that company appears to be Florida-based VR Systems.
At least one employee’s account was compromised, according to the report.
Just over two months later, on October 27, 2016, the hackers set up a Gmail account designed to look like it belonged to a VR Systems employee, then targeted 122 people who managed local government voter registration systems with phishing emails.
The emails held Microsoft Word attachments that claimed to provide documentation for VR Systems’ EViD product line, but actually delivered malware that could have provided the attackers with “persistent access” to the victims’ computers.
Mimecast director of product management Steve Malone told eSecurity Planet by email that this is just another example of how impersonation attacks are being exploited at an alarming rate — according to Mimecast’s most recent quarterly Email Security Risk Assessment, impersonation attacks rose 400 percent quarter over quarter.
“Employees are always the weak link and technology protection can only go so far,” Malone said, noting that while technology can help, the most important thing is to educate employees to make sure they think before clicking on a link in an email.
In response to the report, U.S. Senator Mark Warner told USA Today that “the extent of the attacks is much broader than has been reported” by The Intercept, and that the attacks continued after election day.
The focus thus far has been on Russian hackers targeting the U.S. election with cognitive attacks such as propaganda and social media likes in order to sway voters’ opinions, Comodo senior research scientist Kenneth Geers said by email. “Now it appears they were active at a much deeper level, tactically and technically closer to the actual vote count,” he said.
Noting that VR Systems had contracts in key swing states like North Carolina and Virginia, Geers added, “If half of the assertions in this Intercept article are true, we should start thinking about rerunning the 2016 U.S. presidential election.”
The Insider Threat
Reality Leigh Winner, 25, a contractor with Pluribus International Corporation who held a Top Secret clearance, was arrested at her home on June 3 in connection with the leak.
The U.S. Justice Department reports that “Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a ‘need to know,’ and with knowledge that the intelligence reporting was classified.”
Dtex Systems CEO Christy Wyatt said by email that the incident should serve as a reminder across all industries that the insider threat is alive and well. “Insider crimes are never going to go away completely, but public and private sector organizations can greatly reduce the risk of falling victim to them,” she said.
“Any organization that relies on sensitive information to function needs to conduct solid background checks, have policies and personnel in place that ensure compliance, and utilize technologies that alert security teams when and where insider violations are occurring,” Wyatt added.