Eight states have election offices that use software from targeted company
By Emery P. Dalesio and Geoff Mulvihill
Associated Press
RALEIGH, N.C. (AP) — Officials in some states are trying to figure out whether local election offices were targeted in an apparent effort by Russian military intelligence to hack into election software last fall.
The efforts were detailed in a recently leaked report attributed to the U.S. National Security Agency.
North Carolina is checking on whether any local systems were breached, while the revelation prompted an election security review in Virginia. Both are considered presidential battleground states.
In Illinois, officials are trying to determine which election offices used software from the contractor that the report said was compromised.
The three are among eight states where election offices had contracts with VR Systems, a Florida-based company that provided software to manage voter registrations. The others are Florida, California, Indiana, New York and West Virginia.
The report, dated last month, asserts that hackers obtained information from company employees and used that to send phishing emails to 122 local election officials just before the election last November in an attempt to break into their systems.
So far, there is no indication that voting or ballot counting in any states were affected. Officials in at least five counties in Florida — a key political swing state — received the emails, the Miami Herald reported. It’s not clear where else the emails may have been sent.
But the revelation, published by the online news outlet The Intercept, set off questions in the states where VR provides software.
North Carolina state elections board director Kim Westbrook Strach said her office had not been contacted by any federal officials about whether any of the 21 county election offices that use VR software were targeted. Still, her office was contacting county boards about potential breaches.
The news of a reported Russian hacking attempt surprised Bill Brian, elections board chairman in Durham County, which experienced problems with VR Systems’ electronic poll books on Election Day. The issue forced officials to abandon the system, issue paper ballots and extend voting hours, but officials there said that trouble did not appear to have been caused by hacking.
“We have not had any big, ‘Uh oh, we’ve got a problem with computers,’” said Brian, a Republican.
In Virginia, state Elections Commissioner Edgardo Cortes, said he could not comment on whether any local officials were targeted by the phishing emails, but he said he was not aware of any breaches. Still, the disclosure of the NSA document has prompted a review of election security, he said.
There is no indication to date of the reported Russian attempt “resulting in any contact with local election officials in West Virginia,” said Steven Adams, spokesman for the secretary of state.
In some states, VR software was used in only a handful of voting jurisdictions.
New York election officials said just four counties used the software last year and that federal authorities had not contacted the state about any of them being targeted.
California officials said only Humboldt County, in the far northern part of the state, used VR software during last year’s election. Sam Mahood, a spokesman for Secretary of State Alex Padilla, declined to say if the office was investigating whether the county was targeted.
So far, Humboldt County has found no evidence that anyone in the elections office received the phishing emails, County Clerk Kelly Sanders said. The county used the software to sign in voters.
Illinois officials have asked local elections offices whether they used VR’s software in 2016. By midday Wednesday, only one county said it had.
Last September, the Department of Homeland Security told the AP that hackers believed to be Russian agents had targeted voter registration systems in more than 20 states. No evidence of tampering emerged in the worst-hit state, Illinois. Hackers who penetrated its network with a method called SQL injection spent three weeks rooting around before they were discovered in July. Officials said nothing was added, changed or deleted.
The general counsel for the Illinois state elections board, Ken Menzel, said the state cooperated with the FBI and other federal authorities in the investigation but was not told who might have been responsible. He said the intrusion had been traced to some servers in the Netherlands and he heard speculation of Russian involvement.
“The feds did not see fit to enlighten us to the extent that the feds know more than that,” he said. “That wasn’t part of our need-to-know.”
Kay Stimson, a spokeswoman for the National Association of Secretaries of State, whose members oversee elections in several states, said the group wants to know why federal officials did not warn potential victims at the time the attacks were allegedly happening.
Stimson said that with more specific information that breaches were possible, states could have offered help to local election officials and created firewalls to make sure any local problems would not have caused problems at the state level.
The Department of Homeland Security did not respond to a request for comment.