KGOU

Mueller Report Raises New Questions About Russia's Hacking Targets In 2016

Apr 19, 2019
Originally published on April 19, 2019 10:10 am

While the headlines about special counsel Robert Mueller's report have focused on the question of whether President Trump obstructed justice, the report also gave fresh details about Russian efforts to hack into U.S. election systems.

In particular, the report said, "We understand the FBI believes that this operation enabled [Russian military intelligence] to gain access to the network of at least one Florida county government" during the 2016 campaign.

That came as news to Paul Lux, president of the Florida State Association of Supervisors of Elections — which has been working closely with federal authorities to protect their election systems against such attacks.

"I haven't heard even a whisper" about such a breach, Lux told NPR, noting that the report referred to a county "government" office network, not specifically to an "elections" office, although the two are frequently connected.

It's unusual that such a breach would occur and Florida officials would not know about it. For the past two years, election officials around the country have been working with both the Department of Homeland Security and the FBI to share information about potential security threats. They have set up several national communications networks specifically for that purpose.

But in a statement Thursday, the Florida Department of State also said that it "has no knowledge or evidence of any successful hacking attempt at the county level during the 2016 elections. Upon learning of the new information released in the Mueller report, the Department immediately reached out to the FBI to inquire which county may have been accessed, and they declined to share this information with us."

Federal officials would neither confirm nor deny the Florida hacking incident, but one official familiar with the process told NPR that details that would identify the victims of such a cyberattack would not be shared with others besides the victim. Instead, the official said federal authorities would only share relevant information that could be used to protect others against similar incidents.

Voting booths at a polling station in Christmas, Fla., on Election Day 2016. A Florida-based company that provides election equipment to localities was hacked by Russia during the 2016 election, the Mueller report found.
Gregg Newton / AFP/Getty Images

Other 2016 Russian targets in Florida

It has been known for some time that a company that supplies many Florida counties with voter registration systems was the target of a spear-phishing campaign by the Russians in 2016. The hackers then used the information gleaned from the company's network to send malicious emails to more than 120 of its customers in Florida.

The company — identified elsewhere as VR Systems, based in Tallahassee — has said that it warned customers shortly before the 2016 elections to be on the lookout for the fake emails and not to open any attachments.

The Mueller report said that a document attached to the e-mails was "coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer." VR Systems told NPR in 2017 that to the best of its knowledge, none of its customers had opened the malicious emails.

The special counsel's report also said that Russian intelligence had installed malware on the vendor's network, something VR Systems denies.

In a statement issued Thursday, the company's chief operating officer Ben Martin said, "We disagree with the Special Counsel report because top cybersecurity experts, along with the Department of Homeland Security, have tested our network multiple times since 2016 and they found no indication of a breach or installation of malware on our company network."

Martin said the company has taken steps since then to ensure the security of its systems, adding: "While we are proud of these efforts, we know that no system is ever completely secure and we work tirelessly every day to protect our systems and our customers."

In fact, VR Systems is one of more than two dozen election companies that serve on a new government coordinating council working with DHS and the FBI on cybersecurity. The council was created in response to Russia's efforts in 2016 to interfere with the election.

VR Systems also was the supplier of electronic poll books that malfunctioned on Election Day in Durham County, N.C., in 2016. The state believes user error by election and poll workers was responsible but says it has not definitively determined the cause.

The state's Board of Elections said in a statement issued Thursday that it had contacted VR Systems to verify that it is the vendor referred to in the Mueller report (the company name is redacted) and to seek assurances that its poll books, which are still used in some North Carolina counties, are secure.

The Mueller report notes another successful breach in the summer of 2016, involving Illinois' voter registration system.

According to the report, Russian hackers successfully exploited a vulnerability in the state's Board of Elections website, giving them access to the records of millions of Illinois voters. The hackers were able to get personal information from 500,000 voters before the state detected and stopped the breach.

The report also noted that Russian military intelligence officers scanned multiple state and local election websites looking for vulnerabilities, including more than two dozen during a two-day period in July 2016.

There's no evidence that any of these hacking attempts — successful or not — affected the actual operations or outcome of elections in 2016. But some cybersecurity experts have raised the possibility that hackers planted malicious software that remains undetected. Moreover, the mere existence of cyberattacks against voting systems has served to undermine voters' confidence in elections.

Illinois officials say they believe their system is now secure, but a Board of Elections spokesman, Matt Dietrich, also said, "We never ever say that we are 100% safe. All we ever say is that we believe that we are one step ahead of any hackers who are out there."

Copyright 2019 NPR. To see more, visit https://www.npr.org.