In 2016, the Illinois Board of Elections and the state Republican Party were victims of cybersecurity breaches. But uncertainty lingers as to what the hackers wanted and whether future attacks can be prevented.
When Tim Soper received a letter from the Illinois Board of Elections in late September informing him that personal data from his voter registration may have been compromised in a cybersecurity breach, he chose to find the humor in the situation.
“Looks like Putin has my info along with Hillary's & the DNC's, lol,” Soper posted on Facebook alongside a picture of the letter. “He better bring his ‘A’ game, though, if he's gonna steal my identity; it's not easy being me.”
The cheeky comment masked real disillusionment, Soper admits. “If I didn’t make a joke out of it, I think I would get frustrated.”
For Soper, a casino manager from Morris, the breach came not as a surprise, but merely as a confirmation of what he had long suspected. “I’m sort of conditioned to the fact that our private data isn’t really private,” he says. “It’s one of those things that I’ve just kind of become used to.”
Across Illinois, as across much of the country, cyber-attacks have become an uneasy status quo. In 2016, two state-level political institutions — the Illinois State Board of Elections and the Illinois Republican Party — were the targets of successful cyber intrusions. The attacks have generated lingering questions about hackers’ identities, their motives and how best to secure sensitive data.
On July 12, the Board of Elections became aware that an unauthorized individual was accessing its voter registration system. “We caught that data was going out to a place it ought not be going,” says Ken Menzel, general counsel for the board. After discovering the breach, the Board shut down the website as a precautionary measure while they worked with the FBI and Department of Homeland Security to investigate what had happened.
According to a message the board sent to elections officials across the state, hackers had taken advantage of a vulnerability in a part of the webpage that allowed residents to check the status of their voter registration. Because the system that housed the data saved logs of all activity, the Board’s IT team was able to see the actions taken by the hackers and recreate them to discover which data had been compromised.
The IT team was able to determine with certainty that the data of about 700 voters had been accessed. For tens of thousands more voters, though, the implications of the hack were foggier. The Board of Elections knew that the hackers had obtained subsets of certain voter groups, but couldn’t say for certain which individuals were in the compromised subsets. In those cases, notices were sent to the entire group.
Additionally, some of the records that hackers obtained would have varied based on the time of the query. As a result, the identities of the voters whose data were accessed in this fashion —fewer than 3,000, says Menzel — could not be determined at all, meaning no notice letters were sent.
In total, Menzel says notice letters were sent to approximately 70,000 individuals statewide, informing them that their record “was viewed or is very likely to have been viewed.” The compromised data varied from voter to voter, but could include “name, address, date of birth, telephone number, email address, driver’s license number and/or the last four digits of your social security number,” the letters explained, adding that no voting history or voter signature images were obtained.
According to Menzel, the Board of Elections was able to find and close the vulnerability that led to its hack, and now requires those who use the database to use more complex passwords, as well as a multi-step authentication process.
The board remains puzzled as to the goal of the cyber-attack or the identity of the perpetrators. “We really don’t know anything more than the public knows as to who did this,” says Menzel.
Were the hackers Russian state actors seeking to undermine public trust in the presidential election, as other high-profile cyber attacks have been thought to be? Or were they merely mining for biographical details they could use to perpetrate identity theft?
Data from the voter registration breach could be used to commit identity fraud, particularly if hackers combine the stolen data with additional stolen or publicly available information, says Jay Kesan, a professor of intellectual property and technology law at the University of Illinois Urbana-Champaign. “They might be able to piece things together.”
To date, three individuals have filed claims of identity fraud that they believe were connected with the hack, although Menzel says that none of the three are among those whose data was known or suspected to have been stolen.
American cybersecurity firm ThreatConnect has found evidence that the attackers may have links to Russia. An FBI security alert sent to other states in the aftermath of the Illinois attack referenced several IP addresses used by the attackers. “We identified that several of the IP addresses included in the report were owned by a Russian hosting service,” says ThreatConnect senior intelligence researcher Kyle Ehmke. Furthermore, Ehmke says that two of the IP addresses were involved with earlier cyber-attacks that had sought to steal login credentials from political parties in Turkey and Ukraine.
According to the Washington Post, the FBI concluded that Russian actors were behind a similar attack on Arizona’s election system. However, the Illinois Board of Elections has received no indication from the bureau that Russia was involved with their attack. “We’ve shared everything we can with law enforcement, although law enforcement hasn’t shared everything they know with us,” says Menzel.
The Board of Elections has repeatedly stated that the attack did not directly impact the November election because the information accessed is not linked to state voting systems. Menzel also insists that there was no risk of a voter’s registration being deleted or altered, as individual counties re-upload their registration data daily.
“If something had been deleted on Tuesday, then on Wednesday, when the county uploaded its materials, it would have been restored,” he says. “Of course, whether [the attackers] knew that or not, I don’t know.”
Electoral consequences aside, any attack on a civic institution may also impact citizens’ trust in democracy, says Kesan. “In addition to the value of the information, it’s designed to create this uncertainty and uneasiness.”
There has been similar confusion as to the motive behind attacks on email accounts belonging to employees of the Illinois Republican Party.
In June, the FBI contacted the party with list of email addresses with Illinois GOP domains. The party verified that the addresses — most of which were inactive — belonged to their organization. “They told us that it could be possible that some of our emails had been compromised by an outside source,” says Aaron DeGroot, a spokesman for the party. “They did not give any idea as to who that source could be.”
The FBI advised the party to change its email passwords and to be vigilant against phishing attempts. “It was pretty basic advice,” says DeGroot.
Later in 2016, 20 email messages sent to five Illinois GOP email addresses appeared on the website DCLeaks.com. However, the Illinois GOP office says that only one of the email addresses was on the list presented by the FBI, characterizing the DCLeaks incident as unrelated to the FBI investigation.
The content of the messages, dated between August and October of 2015, included correspondence between party officials and donors, speculation on Congressional politics, event invitations and routine office business.
Seven of the leaked messages were sent from venture capitalist Peter Smith, a longtime Republican fundraiser and activist, to Illinois National Committeeman Robert Porter. In one of the emails, Smith is seen advocating for Illinois Congressman Peter Roskam as a “dark horse” candidate to replace John Boehner as Speaker of the House.
Smith became aware of the email leak when the New York Times contacted him to discuss the incident. “I wasn’t upset by it,” says Smith. “I try to do my emails with care, so I’m not doing anything I shouldn’t be doing.”
On its website, DCLeaks describes the project as “launched by the American hacktivists who respect and appreciate freedom of speech, human rights and government of the people.”
However, security firm ThreatConnect has found evidence that the site may actually be run by Russian hackers masquerading as American activists.
According to ThreatConnect, the same Russian-linked persona who illegally obtained emails from Hillary Clinton’s campaign staff also used DCLeaks to share the messages with a journalist. Additionally, methods used to obtain certain emails on DCLeaks, as well as the website’s registration information, led researchers to draw a connection to Russian cyber espionage group known as FANCY BEAR.
While it’s not known how the Illinois GOP emails were accessed, ThreatConnect is confident that the hack leads back to Russia. “All the information that’s on DCLeaks is most likely coming from that same FANCY BEAR advanced persistent threat activity,” says researcher Ehmke. He declined, however, to prescribe a level of certainty to that claim.
Peter Smith, for one, doubts the narrative of Russian involvement. “The idea that they would leave these traces is just impossible,” he says. The state GOP office declined to comment on the identity or motive behind the email leak.
A report from Deloitte and the National Association of State Chief Information Officers (NASCIO) from last year found that even as more governors are acknowledging the need for improved digital protections, a majority of states allocate less than 2 percent of their IT budgets to security.
That inability to address growing cyber risk is part of what makes state and local governments easy targets for hackers, says Brian Nussbaum, a professor focusing on cybersecurity at the State University of New York at Albany. At the federal level, defense and intelligence agencies have large security staffs with deep expertise that other federal agencies often rely on. “States really don’t have that deep well of technical assistance to draw upon,” says Nussbaum.
In 2016, Republican Gov. Bruce Rauner consolidated state IT offices into the new Department of Innovation and Technology (DoIT) and appointed Kirk Lonbom as the Chief Information Security Officer in charge of establishing a statewide data security strategy. A DoIT spokesperson stated in an email that their office is “currently finalizing cybersecurity strategies,” but declined to elaborate on the content of those strategies.
While Nussbaum approves of establishing a centralized office to oversee public data security, he also encourages officials to think of cybersecurity as more than just an IT problem, since IT teams are usually focused on maximizing “uptime” and website functionality. “Sometimes that can be at contrasting purposes with security,” he says.
Nussbaum believes more states should place cybersecurity under a broader umbrella, such as emergency management or public safety.
He acknowledges that it can be difficult to keep data secure in a fiscal environment like Illinois, where the lack of state budget has stifled much-needed improvements across state agencies. “But there are a host of things that could be improved by best practices without a lot of extra resources,” says Nussbaum — for example, ensuring that all agencies with an interest in security work together and training staff in better security practices.
Nussbaum warns that the risks of failing to do so could extend well beyond identity theft or political maneuvering.
“I think our electoral infrastructure is representative of a number of problems faced by our infrastructure management more generally,” he says. There could be stark consequences, he argues, if hackers were to exploit similar vulnerabilities in the systems that regulate the electrical grid or drinking water supply, for example.
“A lot of these things are really happening at the state and local government level,” Nussbaum says. “And that is a real challenge when the state and local governments do not have the financial and human resources they need to secure their computer systems.”
“As more and more of it becomes computerized, that’s going to be a pretty unsustainable position.”