In separate attack, Russian hacker targeted US election agency
Another day, another hack. This time it involves the Election Assistance Commission (EAC), the US government agency that vets polling security, and the suspected culprit is an unknown Russian hacker.聽
While cybersecurity experts don't believe the breach is connected with the alleged Kremlin operation to manipulate the presidential election, it does add to the growing list of digital attacks originating from Russia that aim to disrupt and infiltrate critical American institutions and agencies.
News of the EAC hack emerged as President Obama is facing mounting pressure to retaliate against Moscow over the US government's claims that it carried an operation to聽interfere with the presidential election.
In this separate case, it appears that a聽Russian-speaking hacker was caught on a criminal marketplace聽trying to sell access to聽EAC systems. It's unknown if that access led to any data breaches.
Compromising EAC networks could allow someone access to sensitive data about US voting systems and the ability to steal the commission's data. But hacking the agency's system would not provide access to聽individual voting systems, polling stations, or vote tallies.
Still, the revelation is a troubling reminder that a lone hacker using a relatively simple technique can break into government agencies. Even though a breach at the EAC wouldn't compromise actual votes, it does send a troubling message about the level of cybersecurity at the agency that tests and certifies voting equipment.
鈥淭hey are tasked by our government to protect and make sure that our voting systems are secure, and yet they were breached.聽It's incredible.鈥 says聽Andrei Barysevich,聽director of advanced collections for the cybersecurity firm Recorded Future, which discovered the breach.
The firm, which tracks the darker corners of the web to uncover criminal activity, discovered the hacker, who it dubbed "Rasputin," attempting to sell access to EAC systems.聽Recorded Future posed as a buyer, gathered information about the vulnerability, and sent it to the FBI and to the EAC so it could fix the vulnerability.
EAC that it is aware of the potential intrusion. The commission also noted that it doesn鈥檛 collect information about voters or count any ballots. It supports the electoral process, it doesn鈥檛 actively participate in it.
Mr. Barysevich says the Russian hacker injected malicious code into the EAC website to gain access to its systems.聽This is a rudimentary technique that most popular websites defend against.
"I think that our government has to sit down and take a close look at what's going on and why we're continuously going through the same problems over and over and over again," says Mr.聽Barysevich.聽鈥淢aybe they were too focused on making sure that external systems 鈥 voting machines 鈥 are safe and secure that they somewhat forgot about their own infrastructure."
