Leaked NSA docs: Russian military hacked US voting software company, spearphished 122 election officials

An anonymously leaked Top Secret NSA report on Russian state hackers interfering with the US elections has been published by The Intercept, which had the documents independently analyzed by a who's-who of America's leading security experts.

The report attributes a string of cyberattacks to the Russian General Staff Main Intelligence Directorate (the GRU), a Russian military intelligence agency. Importantly, the report does not assess what, if any, effect these attacks had on the outcome of the 2016 election.

The report claims that in late October and November 2016, GRU hackers spearphished a US voting software supplier, Florida's VR Systems. Having successfully compromised some VR Systems employees' accounts, the GRU hackers launched spearphishing attacks against 122 US voting officials, trying to trick them into downloading poisoned Microsoft Word documents whose malware payloads would let the hackers completely and covertly control the officials' computers.

The report contradicts former president Obama's assurance in December that he had warned Putin not to interfere with the US election and that "we did not see further tampering of the election process" after October, 2016. It also contradicts Putin's claim, made last week, that Russia "never engaged in [election hacking] on a state level."

The report doesn't say whether or how many US officials were compromised by the spearphishing attack, nor whether the Russian military hackers were able to make any use of any such compromises. The report speculates that the hackers' target was to manipulate voter-registration databases.

According to Alex Halderman, director of the University of Michigan Center for Computer Security and Society and an electronic voting expert, one of the main concerns in the scenario described by the NSA document is the likelihood that the officials setting up the electronic poll books are the same people doing the pre-programming of the voting machines. The actual voting machines aren't going to be networked to something like VR Systems' EViD, but they do receive manual updates and configuration from people at the local or state level who could be responsible for both. If those were the people targeted by the GRU malware, the implications are troubling.

"Usually at the county level there's going to be some company that does the pre-election programming of the voting machines," Halderman told The Intercept. "I would worry about whether an attacker who could compromise the poll book vendor might be able to use software updates that the vendor distributes to also infect the election management system that programs the voting machines themselves," he added. "Once you do that, you can cause the voting machine to create fraudulent counts."

According to Schneier, a major prize in breaching VR Systems would be the ability to gather enough information to effectively execute spoof attacks against election officials themselves. Coming with the imprimatur of the election board's main contractor, a fake email looks that much more authentic.

Such a breach could also serve as its own base from which to launch disruptions. One U.S. intelligence official conceded that the Russian operation outlined by the NSA — targeting voter registration software — could potentially have disrupted voting in the locations where VR Systems' products were being used. And a compromised election poll book system can do more than cause chaos on Election Day, said Halderman. "You could even do that preferentially in areas for voters that are likely to vote for a certain candidate and thereby have a partisan effect."

[Matthew Cole, Richard Esposito, Sam Biddle and Ryan Grim/The Intercept]