RICHMOND, Va. — Russian hackers with the Kremlin’s military intelligence unit targeted Virginia’s election infrastructure in 2016 – a cyber operation now confirmed by current and former state election officials.
The Russian effort searched for vulnerabilities within Virginia’s online election infrastructure, authorities familiar with the matter said. The specific Russian actions targeting Virginia have not been previously reported.
Analysts within the Department of Homeland Security eventually traced the suspicious activity to the GRU, the Russian military spy agency.
The attempts to break into Virginia’s election systems did not change any votes, steal any personal information, or affect any voting during the presidential election, the officials stressed.
Yet Richmond first received notice of the Russian reconnaissance only after hackers looked for weaknesses within the state’s election websites.
Federal investigators disseminated a critical cyber bulletin known as a FLASH alert only days after malicious actors broke into Illinois’s voter database in the summer of 2016.
The alert detailed how the Illinois Board of Elections reported an unusual surge in online traffic – traffic later traced back to Russia.
After an FBI investigation of the suspicious surge, authorities discovered hackers accessed and reviewed confidential Illinois voter data. The finding marked an alarming and unprecedented Russian incursion into the American voting system.
In an interview Monday, Virginia Elections Commissioner Christopher E. Piper confirmed the Illinois incident led Virginia to exert greater scrutiny of its election systems in Richmond.
Only after the FBI identified specific IP addresses involved in the Illinois attack did Virginia officials realize the same malicious actors tried to access Virginia voting systems.
But there was one key difference – the surreptitious Russian intelligence effort failed to compromise critical Virginia voting data.
“They were just looking for a way in, and they couldn’t find one,” Piper said of the Russian hackers.
“These scanning attempts are a lot like a burglar walking up to your house – looking in the window, jiggling the door handle. They couldn’t find a way in, so they moved on to the next house.”
But the effort did remain undetected under the state’s old security regimen – a weaker set of defenses than the heightened current cooperation between state officials and U.S. intelligence agencies.
A report from the Senate Intelligence Committee suggests the consequences of Russia’s scanning efforts could have been far different had the FBI failed to issue its urgent nationwide alert on Aug. 18, 2016.
Authorities in Richmond reported, “it seemed the actors were ‘cataloging holes to come back to later,’” indicating the effort most likely reached an initial investigative stage.
Michael Daniel, a special assistant to President Obama and cyber security coordinator for the National Security Council, characterized the Russian efforts as “network mapping.”
Daniel said in an interview with the Senate committee that the Russian scans acted as a way to “actually understand the network, establish a presence so you could come back later and actually execute an operation.”
The specific scans ultimately impacted 21 states, according to the final findings of the Senate report. Only Illinois is explicitly identified in the text of the document.
The remaining states are randomly numbered State 2 – State 21.
Virginia is State 7, a WUSA9 review of the committee documents found.
The report said State 7 held an off-year election, and also decommissioned a specific type of vulnerable electronic voting machine in 2017. Virginia is the only state in the country where both statements apply.
Officials familiar with the findings of the report confirmed the connection last week, with Commissioner Piper later confirming the linkage in an on-the-record interview.
“Virginia’s impacted web domains were both on the elections website,” Piper said. “And they both are secure, absolutely.”
The Senate report states, “cyber actors using infrastructure identified in the August FLASH scanned public-facing websites, including the ‘static’ [Virginia] election site.”
The report also says, “DHS reported GRU scanning attempts against two separate [Virginia] domains related to election infrastructure.”
But Piper demurred on whether he’s seen foreign incursion efforts since he became Virginia’s elections commissioner in January 2018.
“I can’t discuss any specific security events, but I can tell you that we work very hard not just on the front lines, assuring Virginia’s defenses,” Piper said. “But should there be any breach, we’re ready to go.”
Figures obtained through a Freedom of Information Act request show Virginia has so far spent $2.7 million of a $9 million federal grant to improve the state’s election security.
The development comes after WUSA9 first reported Virginia spent none of the grant before the 2018 midterm elections.
“We are trying to be good stewards of taxpayer dollars, and between now and the 2020 general election, we’ll spend an additional $4.3 million more,” Piper said.
State legislators assisted recent efforts to secure Virginia’s elections, passing a bill that mandates new minimum security standards for all localities.
Virginia also implemented two-factor authentication to access the state’s voter database systems. Authorized personnel can only access the system through a password and a physical item – limiting the possibility of an intrusion from outside actors.
Ultimately, Homeland Security analysts concluded Russia likely attempted to access voting systems in all 50 states before the 2016 presidential election.
While the Senate intelligence report describes substantial progress in election security as America approaches 2020, the authors note “the threat [from Russia], however, remains imperfectly understood.”
“This problem isn’t going away,” Piper said. “It’s not something that after 2020 we can sit back and go, ‘OK, we fixed it.’ That’s not how it’s going to work. So, we have to be prepared for this issue to be ongoing, beyond 2024, beyond 2028.”