DHS & FBI Report that Election Infrastructure in all 50 States Targeted During 2016

The Department of Homeland Security and the Federal Bureau of Investigation have issued a special report acknowledging that the election infrastructure in all 50 states was targeted during the 2016 election.

The report specifically attributes the activity to the Russian government and notes:

“FBI and DHS previously observed suspicious or malicious cyber activity against government networks in 21 states that we assessed was a Russian campaign seeking vulnerabilities and access to election infrastructure. However, new information indicates that Russian government cyber actors engaged in research on—as well as direct visits to—election websites and networks in the majority of US states. This product is intended for state and local elections officials, homeland security professionals, and network defenders to better understand the scale and scope of Russian operations targeting US election infrastructure in the lead-up to the 2016 US Presidential election.”

Additionally, the report states:

“The FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections. In anticipation of the 2020 US Presidential Election, states should limit the availability of information about electoral systems or administrative processes and secure their websites and databases which could be exploited by malicious actors. Russian cyber actors in the summer of 2016 conducted online research and reconnaissance to identify vulnerable databases, usernames, and passwords in webpages of a broader number of state and local websites than previously identified, bringing the number of states known to be researched by Russian actors to greater than 40. Despite gaps in our data where some states appear to be untouched by Russian activities, we have moderate confidence that Russian actors likely conducted at least reconnaissance against all US states based on the methodical nature of their research. This newly available information corroborates our previous assessment and enhances our understanding of the scale and scope of Russian operations to understand and exploit state and local election networks.

Russian government cyber actors between June and October 2016—with most activity occurring in July—researched websites and information related to elections in at least 39 states and territories, according to newly available FBI information. The same actors also directly visited websites in at least 30 states, mostly election-related government sites at both the state and local level—some of which overlap with the 39 researched states.

The cyber actors conducted research in alphabetical order by state name with some exceptions, suggesting that at least the initial research was not targeted at specific states, according to the same newly available information. The actors mostly accessed webpages for state and local administrators of elections—Secretary of State websites were the most visited—including voter registration sites and those that host election results and candidates.

Russian government cyber actors regularly attempted to identify and exploit SQL database vulnerabilities in webservers and databases. We lack insight into the extent to which these attempts were successful. In two separate instances, Russian government operators in June 2016 accessed voter registration files and a sample ballot from a US county website.

FBI and DHS previously observed Russian government cyber actors in 2016 attempting to identify vulnerabilities and gain access to government networks in at least 21 states, based on a body of DHS and FBI reporting. At least one state is known to have been successfully compromised with data exfiltration of voter data from the state’s board of elections, according to an indictment against Russian military intelligence officers. We have no indication these actors tampered with voter registration databases or were able to access vote tallying systems. The newly available information does not change our understanding of the scale and scope of systems compromised in this operation.”