A federal grand jury on Friday handed down an indictment in special counsel Robert Mueller’s Russia investigation that provided new details about Russia hackers’ attempted, and in at least one case, successful infiltration of state and local election systems.
According to the indictment, the personal information of approximately 500,000 voters was stolen in a July 2016 hack, led by a Russian military officer, of an unnamed state’s board of elections website. That is more than double what was previously reported about a hack that began in June 2016 of the Illinois’ voter registration database, where officials said that fewer than 200,000 voter files were infiltrated. The indictment did not say specifically if the hack involved Illinois, but a statement from the state’s board of elections Friday said that was “likely” the attack Mueller was referring to.
The board of elections had previously notified 76,000 voters whose registration data may have been viewed, the statement said, and there have been no cases of suspicious activity with that data reported.
“The figure 500,000 referred to in the indictment may have been arrived at using a different methodology prescribed under federal criminal code,” the statement said. “As part of our review of the indictment, we will be contacting federal law enforcement to obtain more information on the number referenced in the indictment.”
Anatoliy Kovalev, a Russian military officer who worked in a GRU building, allegedly led the cyberattacks on U.S. election administrators, with Aleksandr Osadchuk, a Russian military colonel who headed one of the units of hackers named in the indictment.
“The object of the conspiracy was to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election,” Mueller said.
The operation allegedy included researching the websites of state boards of election, secretaries of states and other election-related websites for vulnerabilities.
The Department of Homeland Security last year informed 21 states that their elections systems had been among those targeted by the Russians, many in so-called “scans” — a fairly common tactic seeking to identify the vulnerabilities in a website. However, details about the particular intrusion attempts still remain murky.
Deputy Attorney General Rod Rosenstein at a press conference Friday unveiling the charges said that the indictment contained no allegations that vote totals were changed or that election results were affected.
Mueller in his indictment provided details on the attempted intrusions in just a handful of states. He said that county election websites in Georgia, Iowa and Florida were searched for vulnerabilities by the Russian hackers in or around October 28.
Georgia was not one of the 21 states DHS last year informed of being a target of the hackers.
Kovalev and his co-conspirators — some known, and some unknown to the grand jury, the indictment said — used some of the infrastructure they used to hack the state board of elections to hack the computers of a U.S. company, known as Vendor 1, that “supplied software used to verify voter registration information for the 2016 U.S. elections.”
They then used an email account “designed to look like a Vendor 1 email address to send over 100 spearphishing emails to organizations and personnel involved in administering elections in numerous Florida counties,” according to the indictment.
“The spearphishing emails contained malware that the Conspirators embedded into Word documents bearing Vendor 1’s logo,” Mueller said.
The details of the attack on the vendor align with a top secret National Security Agency report obtained by the Intercept last year about a spearphishing attack on a election vendor. The NSA report did not refer to the vendor by name, but The Intercept identified the company as the Florida-based VR Systems. (VR Systems has denied the breach).
The spokeswoman, Sarah Revell, in response to TPM’s inquiry about the details in Mueller’s indictment Friday, said in a statement:
“To be clear, the 2016 elections in Florida was not hacked in any way. As we have stated multiple times, the Department of State was notified by the Department of Homeland Security in September 2017 that Florida was unsuccessfully targeted by hackers in 2016. This attempt was not in any way successful and Florida’s online elections databases and voting systems remained secure.”
Revell added: “The Department is focused on the continued security and integrity of Florida’s elections in 2018 and beyond.”
Asked about the spearphishing emails, she said that it was “widely reported in 2017 that some Florida counties were targeted by a phishing email and we are aware of those reports.”
“Our understanding is that security protocols for phishing emails were followed by all counties. To our knowledge, no evidence exists that any unauthorized access occurred nor were any potential hacking attempts successful,” she said.
It’s not clear yet how much overlap there is between the evidence gatheredDd by Mueller that was unveiled Friday and the probe into election meddling by the Senate Intelligence Committee, which previewed some of its Russian cyber-intrusion findings in May.
The Senate Intel summary released in May said that in at least six states, Russia’s attempts to hack election administrators went beyond the scans for vulnerabilities. A majority of those attempts, according to the committee, were “Structure Query Language (SQL)” injections, a tactic that Illinois officials previously had said was used on their elections system.
“In a small number of states, Russian-affiliated cyber actors were able to gain
access to restricted elements of election infrastructure. In a small number of
states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data,” the committee said.