Election officials in Humboldt County are checking their voter data after a leaked National Security Agency document alleged that Russian operatives hacked one of the county’s voting software contractors.
According to a NSA memo published Monday by the news website The Intercept, Russia’s military intelligence unit, the GRU, successfully hacked a Florida voting software company, VR Systems, last summer. That hack then led to a broader hacking attempt of local election boards around the country just days before the November election.
But the county Office of Elections had a contract with elections company Hart InterCivic, and Hart used VR Systems for its electronic poll books, the devices poll workers use to check in voters at the ballot.
There’s no evidence that voting data in Humboldt County — or any other California county — was accessed by hackers. The county may not have even been a target of the hacking attempt.
But news of the hack and the local connection to VR Systems has raised concerns, and officials are responding quickly. County Clerk Kelly Sanders is scheduled to hold a conference call Wednesday morning with the Governor’s Office of Emergency Services and the IT staff of the California Secretary of State to conduct in-depth diagnostic checks into the county elections systems, she said in an interview.
“Election integrity is very important to us here in Humboldt County and we’re taking additional steps to make sure that nothing had been infiltrated,” Sanders said.
In the process outlined by the leaked NSA document, hackers successfully tricked VR Systems employees into giving up their email login information and used it to gain access to company files. Then, on Oct. 31 or Nov. 1, hackers sent emails to 122 email addresses associated with local governments from a fake address purporting to be VR Systems. The emails included an attached Microsoft Word document infected with malware that appeared to be a user manual but if opened could give hackers wide access to a computer.
The 122 email addresses may have been obtained from VR Systems data, the NSA document said.
Sanders said in initial checks, elections officials haven’t discovered any evidence that employees received an email with the infected Word document, and they’ve discovered no irregularities in their data.
VR Systems equipment is not related to vote counting — just the voter registration process and maintaining the file of registered voters.
Secretary of State Alex Padilla said his office hasn’t found any other counties besides Humboldt that used VR Systems equipment so far.
“There is no evidence of any breach of elections systems in California,” Padilla said in an email. “The security of our elections from cyber threats is a top priority for our office and we constantly work to strengthen the integrity and security of our elections.”
In a statement, VR Systems said its employees “immediately notified all our customers and advised them not to click on the attachment” when the company was first notified of the email.
“We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result,” the statement said. “We have policies and procedures in effect to protect our customers and our company.”
California is one of eight states where local jurisdictions use VR Systems equipment, according to the company’s website. In December, VR Systems advertised its products at the annual conference of California elections officials.
A VR Systems spokesperson did not respond to a question about which California counties had contracts with the company. Hart InterCivic could not be reached for comment Tuesday afternoon.
Joe Canciamilla, the clerk-recorder and registrar of voters in Contra Costa County — which has no connection with VR Systems — said in an interview that the episode could encourage jurisdictions to spend more on technology to protect voting data. But he pointed out that even if hackers were able to break into voting results, the U.S. vote-tallying process is so decentralized that it would be almost impossible to swing an election.
“Planting fake stories and manipulating people’s opinions is much easier than manipulating the voting process,” Canciamilla said.
The alleged source for the NSA document, a 25-year-old government contractor in Georgia named Reality Leigh Winner, was charged with transmitting classified information Monday, just hours after the document was published. According to an FBI affidavit, Winner admitted sending the document to The Intercept.
If convicted, she could face up to 10 years in prison. It’s the first prosecution for releasing classified info under President Donald Trump, who’s vowed to take a tough line on government leakers.
Sanders said she hadn’t experienced anything like the hacking scare in the 12 years she’s worked in the county elections office.
“We’d like to make sure we go that extra step to make sure the voters in our community are confident in their votes,” she said.