Illinois’ chapter in the Russian hacking saga
June 7, 2017
WASHINGTON — Hackers breached the Illinois State Board of Elections voter registration database last summer, one chapter in the currently unfolding story of Russian cyberattacks on U.S. election related systems in 2016.
Indeed, the overall role Russia played in trying to influence the 2016 elections in cyberattacks and beyond is the subject of sprawling investigations in Congress and by Special Counsel Robert Mueller, who is probing possible collusion between Russia and the Trump campaign team. On Thursday, former FBI Chief James Comey will testify before the Senate Intelligence Committee in a likely history-making blockbuster session over whether Trump pressured him to drop his Russia inquiry.
The Illinois chapter in this saga surfaced in August.
News that the Illinois State Board of Elections was hacked — possibly by Russians — was disclosed when the Washington Post reported on Aug. 29 that “hackers targeted voter registration systems in Illinois and Arizona, and the FBI alerted Arizona officials in June that Russians were behind the assault on the election system in that state.”
Rep. Mike Quigley, D-Ill., a member of the House Intelligence Committee, unwittingly set off a bit of a firestorm during a Monday interview with the Chicago Tribune editorial board when he talked about Russian hacks of the Illinois State Board of Elections.
Quigley told the Chicago Sun-Times on Tuesday that he was not offering up anything new. “I was only talking about things that were reported last year, that’s all. . . . There was open source reporting that the Russians were involved.”
The hack had nothing to do with counting the votes in elections in Illinois. The hackers looked at voting registration data: name, address, date of birth, gender and the last four digits in the Social Security number.
The hackers searched through about 80,000 records overall, with the elections board confirming that the records of just under 3,000 voters were viewed by the hackers.
The Chicago Sun-Times has learned how the hackers got in the Illinois State Board of Elections system.
A report on the state board database breach prepared by the Illinois State Board of Elections on Aug. 26, 2016, and obtained by the Sun-Times, details how the hackers were detected by state board information technology staffers.
The big clue: “Processor usage had spiked to 100% with no explanation,” said the report, with an analysis of server logs showing the “heavy load” was “malicious in nature,” and aimed at the online voter application website.
The particular form of the Illinois cyberattack was a “SQL injection” — as in Structured Query Language — where malicious code can be planted.
As Ken Menzel, the general counsel for the state elections board put it, “we saw data being downloaded and it was going to a place where it shouldn’t have been going, so we shut them down.”
The place: The data was going to a server in the Netherlands — not one of the 109 separate election jurisdictions in the State of Illinois.
How did the hackers get in the system to do the “SQL injection?”
Menzel said “we had something that wasn’t properly battened down in one of the fields on the on-line portion of the website.” That was “a mistake on our end.”
Here’s the timeline:
Server logs showed the cyberattack began June 23 with malicious SQL inquiries. Once detected, the staff put in code changes on July 12.
“We figured out the hole they had gotten through and plugged that up,” Menzel said.
The next day, the website was taken offline. On July 19, the Illinois General Assembly and the Illinois Attorney General were notified. The AG’s office notified the FBI, which started an investigation in cooperation with the Department of Homeland Security. On July 21, the site was coming back online.
A variety of security enhancements were put in place and more monitoring for traffic from malicious sources started.
“The attackers continued to hit” state board IP addresses “five times per second until Aug. 12, when attacks abruptly ceased.”
On Monday, a story in The Intercept about a newly leaked top secret National Security Agency memo detailed how Russian hackers where even more ambitious than previously thought, penetrating a U.S. voting software supplier and hunting for entree into the computer systems of other local voting authorities.