US voting machine certification agency probes potential hack

The US government agency charged with ensuring that voting machines meet security standards may have been compromised, according to evidence uncovered by cyber security firm Recorded Future.

In a statement, the Election Assistance Commission confirmed it was investigating a potential security breach:

EAC has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects.

Recorded Future said it latched onto the "hack" after discovering someone offering log-on credentials for access to computers at the US Election Assistance Commission (EAC) during its regular work monitoring underground cyber markets earlier this month. It claimed it subsequently engaged the seller - whom it dubbed "Rasputin" - to assess the full scope of the unauthorised access. It reported that Rasputin had sent it a systems status report page as evidence that he had obtained access to EAC’s back-end systems.

Further analysis identified more than 100 potentially compromised access credentials, including some with administrative privileges, said the firm. These administrative accounts could potentially be used to access sensitive information as well as to surreptitiously modify or plant malware on the EAC site, an excellent staging ground for a potential watering hole attack targeting government employees.

The EAC is responsible for testing and certifying voting equipment, maintaining the National Voter Registration form, and administering a national clearinghouse on elections. The Commission also accredits testing laboratories and voting systems as well as maintaining an anonymous voter machine fraud reporting system (ie, a confidential whistleblower process).

Rasputin claimed to be accessing the system via an unpatched SQL injection (SQLi) vulnerability. He offered to sell details of this unpatched system vulnerability to a Middle Eastern government broker, according to Recorded Future.

Recorded Future said it was “working with federal law enforcement in the ongoing investigation” related to its discovery. In a blog post, the cyber security firm concludes that the hack is more likely the work of an opportunistic criminal hacker rather than state-backed hackers, while adding the caveat that others might have independently discovered and exploited the same vulnerability.

It’s unclear how long the EAC vulnerability has been active; however, it could have been potentially discovered and accessed by several parties independently. Based on Rasputin’s historical criminal forum activity, Recorded Future believes it’s unlikely that Rasputin is sponsored by a foreign government. Recorded Future’s artificial intelligence technology is continuously scanning and analysing the internet for updated threat indicators and tactics. Prior to this incident, no previous malicious activity related to EAC has been identified.

Third-party security firms warn a hack against the EAC's website could have far-reaching consequences.

Nathan Wenzler, principal security architect at AsTech Consulting, said: “The recently announced hack and attempted sale of credentials, including administrator accounts according to the reports, belonging to the Election Assistance Commission (EAC), is a particularly troubling data breach for an organisation which is mandated to ensure the integrity and security of electronic voting machines.

"Perhaps more disturbing is that the hack did not rely on any sophisticated, previously unknown zero-day exploit or a clever bit of social engineering, but rather, the attacker too advantage of a basic SQL injection vulnerability, one of the most common and simplistic vulnerabilities within web applications.”

SQL injection - one of the most commonplace web application vulnerabilities - creates a mechanism for an attacker to request arbitrary data from a database behind a web application. It’s a all well known risk that’s been around for years and El Reg has sometimes likened it to a Jedi mind trick against servers. Exploiting SQL injection flaws is a well established hacking technique that can open the door to broader system level access. The full extent of the EAC compromise remains unknown.

“I’m not convinced this is a nation state attack,” said Chris Roberts, chief security architect at Acalvio. “It doesn’t have the hallmarks of getting in, parking, harvesting and basically being ‘inside’ the system.”

“This was find-a-flaw sell-a-flaw work,” he added.

EAC’s work means a hack on its website might have exposed the results of testing on electronic voting machines, alongside other sensitive information, it says.

“With the increasing number of reports and speculation taking place around election fraud and outside influences upon voting systems, this very basic flaw exploited by the hacker may serve to add a large amount of fuel to the fire on this discussion,” AsTech Consulting’s Wenzler added.

“Further, if it is confirmed that any voting systems were outright compromised because of the information leaked in this attack, an entirely new discussion will be created questioning the validity of any results gathered by these electronic voting systems.” ®