There’s been yet another allegation of election-year hacking: Reuters reported on Friday that shortly after the November election, a key U.S. election agency was hacked, but it doesn’t appear to have been the work of the Russian government. It seems that an independent hacker stole login information from the agency’s database and attempted to sell information about the security hole to an unspecified Middle Eastern government. However, this happened after the election, and the firm that discovered the breach said that the security vulnerability has since been patched.
The government agency in question is the little-known Election Assistance Commission (EAC), which doesn’t actually run elections or tally votes. Rather, it outlines best practices and guidelines that states can voluntarily adopt while administering elections at the state level.
According to Reuters, a Russian-speaking hacker exploited a database vulnerability to obtain login credentials of more than 100 employees of the commission; he also allegedly gained access to non-public reports on possible vulnerabilities in voting machines. This happened “weeks” after Election Day, according to EAC chief Thomas Hicks, though it’s not clear precisely when.
At that point, the hacker allegedly tried to sell information about the database vulnerability itself to a Middle East government for several thousand dollars. The private security firm Recorded Future posed as a buyer, then alerted law enforcement, according to Reuters, and the vulnerability was quickly fixed.
The FBI is investigating the situation, Hicks said. Although the hacker reportedly spoke Russian, it doesn’t appear that he was acting on behalf of Russia. Recorded Future said that he was essentially a freelance hacker, who searched for vulnerabilities in all manners of private and public servers and then attempted to sell the data on the black market.
“We don’t think [the hacker] actually works for any government or is super sophisticated,” said Andrei Barysevich, director of advanced collection at Recorded Future. The hacker is alleged to have used a relatively common security exploit to extract information from the agency.
Although it’s never good news when a government agency gets hacked, this appears to have been a relatively low-impact incident. It couldn’t have conceivably affected the election results, given that the agency that was hacked doesn’t tabulate or count votes and that the hack itself happened weeks after the election.
That said, it’s always concerning when hackers access government databases, especially when those databases contain information about how U.S. voting machines work. Thankfully, there won’t be any more federal elections in the U.S. for another two years, so states will have plenty of time to patch up potential vulnerabilities in their voting systems.