Leaked report shows Russian attempts to hack US election

Targets were local government officials likely to have voting-related duties

How vulnerable are – or were – elections to hacking? If you are starting from a base of differentiating between “risky” voting using electronic voting machines and “safe” voting using paper ballots, then election outcomes are almost certainly far more at risk than you believe.

The naivety and foolhardiness of assuming the vulnerability lies at the final point of vote-casting is shown up by a thought-provoking and insightful piece this week from investigative news site the Intercept. The story is based on a leaked top secret US National Security Agency (NSA) report on Russian attempts to hack the 2016 US presidential election.

In the report the NSA states that Russian military intelligence – the GRU – “executed a cyberattack on at least one US voting software supplier and sent spear-phishing emails to more than 100 local election officials” in the final days of the 2016 presidential election.

The recent report, dated May 5th, provides the strongest evidence yet of direct Russian involvement in attempts to sway the US election, but does not draw conclusions as to whether the attacks were successful.


The attacks were surprisingly mundane. These were not highly sophisticated James Bond-villain masterpieces of coding evil, but just – as one of the security experts consulted by the Intercept notes – of “medium sophistication” that “practically any hacker can pull off”.

But while such spear-phishing may be of the common or garden variety, the results are no less valuable than those of more sophisticated attacks, and it is much easier to perpetrate. First, dupe targeted users, in this case apparently employees of VR Systems, a Florida company that makes voting equipment and supplies services, in an attempt to get account log-in information and other data. Then use the compromised accounts to gather further data and go after further targets.

What’s key here is that the data gained from compromised accounts can be more useful than deploying a piece of malware. One expert, formerly on one of the NSA’s own hacking teams, said that given a choice as a hacker “I’ll take credentials most days over malware”.

Log-in details

Credentials can open further treasure troves of information. That data will often include additional account and corporate log-in details and other information which can enable a hacker to access cloud services, accounts, or virtual private networks, especially as so many people reuse their passwords.

The NSA report indicates that the secondary targets, sent emails from a faked account, were local government officials likely to have voting-related responsibilities.

They were sent emails with attached but “weaponised” Word documents that would have appeared to come from VR Systems but instead “were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document”.

These would enable a hacker to permanently access and take whatever they wanted from the computer’s files.

The conclusion drawn by the Intercept's range of experts is that hackers would not need to access voting machines to compromise an election.

The processes of maintaining voter rosters, confirming voter identity at polling stations, and tabulating returns all involve computers and data files. If rosters were tampered with, voters could find themselves removed from registrations when they arrive to vote. This might mean they are denied the right to vote or must go through a complex process to be given a provisional ballot, all deterrents to casting a vote.

Couple this with other documented vote-limiting tactics from the US presidential election – such as closing polls before many working class voters are likely to be able to get to the polls, or requiring various pieces of identification – and votes can be reduced for a candidate or party.

Of equal if not greater concern, hackers might target a company like VR Systems to be able to manipulate the tabulation of votes, another expert told the Intercept.

Conspicuous

“An attempt to directly break into or alter the actual voting machines would be more conspicuous and considerably riskier than compromising an adjacent, less visible part of the voting system, like voter registration databases, in the hope that one is networked to the other,” the article states.

In the case of VR Systems, its polling station equipment – which is separate to the actual voting machine – is connected to the internet and results can, therefore, connect to a potentially hacked county database, or other networked sites.

The potential for any of these scenarios should cause deep concern across the world, and not just because a state actor seems to have been involved in documented hacking attempts, with unknown results.

Governments and technology vendors have been dismissive of the likelihood of hacked elections on the basis that voting machines are the only weak spot and are adequately safeguarded. Yet this NSA report indicates how a hacked low-level employee might become an easy backdoor into a disrupted and compromised election.

With several important elections looming globally, we need to rethink voting security. It’s clearly not just the voting machines, stupid.