It wasn’t just the National Security Agency that knew about Russian attempts to infiltrate U.S. voting systems.
In the weeks leading to the 2016 presidential election, the then-leader of the Democratic National Committee warned the Department of Homeland Security that voter registration and absentee voting lists might have been sabotaged.
Donna Brazile, who was serving as the party’s acting chairwoman, said she also urged Republican National Committee Chairman Reince Priebus to learn more about the possible problems and to sign a joint statement with her, raising these concerns to DHS.
Priebus declined, Brazile told McClatchy on Tuesday.
“There is fear that the goal of a hacker attack on the voter list is to delete or alter names or other information and cause incidents at the polling stations,” Brazile wrote in an Oct. 18 letter to Priebus, now President Donald Trump’s chief of staff.
DHS officials assured her that investigators would contact election officials in all 50 states as part of its investigation into Russia’s attempted hacking into election machinery, which according to a new report, was broader than previously known.
State and local election officials, including those whose systems were targeted, said they were contacted but were not told about the seriousness of a potential hack or that Russia was the instigator.
“Why weren’t election officials made aware of the threat to protect their systems?” asked Kay Stimson, spokeswoman for the National Association of Secretaries of States.
A National Security Agency report completed just weeks ago outlined a Russian spear-phishing scheme that launched repeated attacks on a Florida-based elections systems vendor, VR Systems, by sending deceptive emails to more than 100 local election officials in eight states, according to a report on the news website the Intercept.
Russian meddling in the 2016 presidential election — something Trump dismisses despite his intelligence agencies attesting to Moscow’s interference — first caught national attention in June 2016, when reports emerged that a hacker had compromised the account of an employee in Gila County in Arizona but failed to access the state’s voter-registration database.
About the same time Arizona’s system suffered a first-level breach, hackers now thought to be working for Russia got into the Illinois voter-registration systems.
“Our incursion was an SQL injection. It wasn't an email with an infected file,” said Ken Menzel, general counsel for Board of Elections, referring to an attack on the database. “Everything we had was turned over to FBI and Homeland. And I guess they analyzed the hell out of it.”
The FBI issued a flash alert to state election boards in June 2016, warning that their voter registration databases were being targeted by hackers, though it didn’t describe them as Russians.
By July, hackers were able to download data, “something on the order of 80,000 documents before we were able to stop it,” Menzel said. The information obtained by the hackers included names, addresses, drivers-license numbers and the last four digits of Social Security number.
Then, in August, an FBI alert listed identifier numbers that traced to a Russian company in forlorn Siberia called King Servers. McClatchy talked with its young owner Vladimir Fomenko, who said he was not the hacker but provided details such as how the hacker or hackers were paid.
Congress learned in September that there had been additional attempts by hackers to intrude on state voter registration databases “beyond those we knew about in July and August.” That information was delivered to lawmakers by FBI Director James Comey — fired by Trump in May and scheduled to testify Thursday on his investigation into the president’s team’s ties to Russian operatives.
Comey told Congress that states were being advised “to make sure that their dead bolts are thrown and their locks are on.” However, he said it would be very difficult to penetrate the voting systems in the United States “because it is so clunky and dispersed.”
After the DNC’s databases and voter files were tampered with, Brazile said she and three others — lawyer Michael Sussman, top DNC staffer Tom McMahon and former Democratic operative Matthew Miller — had a meeting with DHS on Oct. 17 to raise the alarm about whether voters could be purged from databases and voters’ precincts could be scrambled.
A day after that meeting, Brazile sent the letter to Priebus, asking him join her in a statement affirming voters’ rights to have their votes counted and referencing possible problems with election systems.
DHS declined to comment on the meeting with Brazile. The White House and RNC did not return messages.
“I said from Day One that the so-called meddling and interference didn’t just have to do with hacked emails,” Brazile said. “We raised all these questions.”
Democrats, including many who worked for Hillary Clinton, said the report answers some questions they had about the extent of the attack but that they do not plan to challenge the election results. Clinton’s office did not respond to a request for comment.
Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, said Russian attacks on election systems were broader than even those leaked to the Intercept.
“The Russians attempt to interfere in the election was broad based and I would like to work with communities to make sure more states come forward if they were attacked,” said Warner of Virginia. “This is one more example of this coordinated Russia effort. The notion was small or one off is just not accurate.”
Congress and the FBI are investigating whether Trump’s presidential campaign had colluded with Russia in the hacking and public release emails, documents and voicemails by Democratic and Clinton staffers.
VR Systems, based in Tallahassee, issued a statement, attributed to its CEO Mindy Perkins, late Monday suggesting it was notified by a customer about an email with an attachment that purported to come from the company but didn’t — a practice called phishing.
“We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result,” the statement said. “Phishing and spear-phishing are not uncommon in our society.”
Still unclear is the degree that U.S. intelligence agencies are sharing information about cyber threats with state officials or each other.
A unit of DHS that assists state and local election officials made its cybersecurity services available in the months leading up to the election, said a department official, who spoke on condition of anonymity because the matter is sensitive. The agency’s services included “cyber hygiene scans” conducted remotely and assessments of each jurisdiction’s risks and vulnerabilities, the official said.
The official said DHS only serves those states that seek assistance and declined to identify which jurisdictions requested help in securing their voting systems last year. The National Association of Secretaries of State said 33 states and 36 counties took assistance from DHS, but declined to name which states and counties.
The leaked NSA report did not say whether agency cyber sleuths tracked the Russian operations in the final week before the Nov. 8 election in time to issue an additional alert to state and federal officials.
State officials moved quickly on Tuesday to assure voters that their votes were not affected.
But experts say there are limits to what state election boards can do to secure their systems in an era in which 32 states have opted to allow at least some form of online voting, despite warnings from cyber security experts that it’s not secure. More importantly, experts say, is the need to conduct audits of the vote, matching electronic votes with paper backups, or post-election forensic exams that would reveal any breaches.
Duncan Buell, a computer science professor at the University of South Carolina who has been closely involved in the issue, said “it can be very hard to even get (state elections officials) to admit that they are aware of the obvious security issues and take steps to mitigate the exposure, even when the stuff is obvious.”
Buell said the state officials with whom he has spoken “seem sincere” and “want to do the right thing,” but few have the expertise fully grasp the threat.
While state election officials often stress that certain systems aren’t connected to the internet, Buell said, neither were centrifuges in Iran’s nuclear weapons program. U.S. operatives circulated flash drives containing a Stuxnet virus that eventually found its way into the program and “broke” the centrifuges, he said.
Alex Roarty and Greg Gordon contributed to this report.
HOW STATES RESPONDED
Election officials in eight states using VR Systems software were potentially affected by Russia’s attempted infiltration into U.S. voting systems: Florida, California, Illinois, Indiana, New York, North Carolina, Virginia and West Virginia.
In California: Only one of the state's 58 counties, Humboldt County, had used VR Systems software in the past but not in this election cycle, said Secretary of State Alex Padilla. "There is no evidence of any breach of elections systems in California," he said.
In Florida: Seminole County Supervisor of Elections Michael Ertel confirmed that he received a call from the company on the morning of Nov. 1, a busy period of early voting.
“We immediately checked that none of our folks had opened an email,” Ertel told McClatchy. It wasn’t until this week that he learned that Russia is blamed for it.
Citrus County Election Supervisor Susan Gill got a similar warning.
“We just deleted it, we didn’t think too much more about it until this (NSA) report and the big story,” she said.
The Florida Department of State confirmed in a statement Tuesday that department officials were on a call with the FBI in late September “but there was no indication of a Florida-specific issue. They did not provide any information specific to VR Systems.”
In Illinois: Along with Arizona, it was one of two states to suffer a breach last June. It was not targeted by phishing but rather a malware that targeted the state's voter-registration database. "The incursion occurred in late June. And we discovered them very early in July when they began downloading data," said Ken Menzel, chief counsel for the Illinois Board of Elections.
In Indiana: The Secretary of State’s office said six counties use the VR Systems software to check voter identifies against registration.
“We have not been contacted. We recently have had meetings with our counties … and we haven’t heard anything from them either about being contacted” by U.S. authorities, said Valerie Warycha, a spokeswoman. “We have no knowledge that they were a subject of the breach.”
In New York: Four counties use VR Systems software on laptops or tablets as a voter-lookup tool, said Tom Connolly, spokesman for the state’s Board of Elections. The equipment was not connected to the voting system, he said, and would not have been used within 20 days of the election.
“We still to this date have not seen any evidence that there was a successful compromise of any system in New York State,” Connolly said.
In North Carolina: The State Board of Elections confirmed that 21 counties use VR Systems electronic poll-book software and is investigating attempts to compromise the software. A spokesman said he was unaware if any of the counties received or clicked on a phishing e-mail. On Election Day in Durham County, problems with polling books led to long lines at the polls, prompting some voters to depart without casting ballots.
“We did an extensive investigation, a full forensic investigation of the poll books,” Election Board Chairman William Brian Jr. said. “What the investigation showed was there was nothing wrong with the software.”
“The software is not used during early voting and does not play any role in ballot marking or vote tabulation,” the state elections board said in a statement.
In Virginia: The Department of Elections issued a statement Tuesday, confirming it is aware of the NSA document and is “currently reviewing this matter and have been in contact with federal, state, and local officials regarding this issue.”
In West Virginia: West Virginia does not have a statewide contract with VR Systems, and the office of its secretary of state said it was unsure if any counties that use the company’s software received the infected emails linked by the NSA to Russia.