A Texas company that sells software that cities and states use to display results on election night was hit by ransomware last week, the latest of nearly a thousand such attacks over the past year against small towns, big cities and the contractors who run their voting systems.
Many of the attacks are carried out by Russian criminal groups, some with shady ties to President Vladimir V. Putin’s intelligence services. But the attack on Tyler Technologies, which continued on Friday night with efforts by outsiders to log into its clients’ systems around the country, was particularly rattling less than 40 days before the election.
While Tyler doesn’t actually tally votes, it is used by election officials to aggregate and report them in at least 20 places around the country — making it exactly the kind of soft target that the Department of Homeland Security, the F.B.I. and United States Cyber Command worry could be struck by anyone trying to sow chaos and uncertainty on election night.
Tyler wouldn’t describe the attack in detail. It initially appeared to be an ordinary ransomware attack, in which data is made inaccessible unless the victim pays the ransom, usually in harder-to-trace cryptocurrencies. But then some of Tyler’s clients — the company wouldn’t say which ones — saw outsiders trying to gain access to their systems on Friday night, raising fears that the attackers might be out for something more than just a quick profit.
That has been the fear haunting federal officials for a year now: that in the days leading up to the election, or in its aftermath, ransomware groups will try to freeze voter registration data, election poll books or the computer systems of the secretaries of the state who certify election results.
With only 37 days before the election, federal investigators still do not have a clear picture of whether the ransomware attacks clobbering American networks are purely criminal acts, seeking a quick payday, or Trojan horses for more nefarious Russian interference. But they haven’t had much success in stopping them. In just the first two weeks of September, another seven American government entities have been hit with ransomware and their data stolen.
“The possibility of a local government not being hit while attempting to manage the upcoming and already ridiculously messy election would appear to be very slim,” said Brett Callow, a threat analyst at Emsisoft, a security firm.
The proliferation of ransomware attacks that result in data theft is an evolution in Russian tactics, beyond the kind of “hack and leak” events engineered against the Democratic National Committee and Hillary Clinton’s campaign chairman, John Podesta, in 2016. By design, whether the attacks are criminal or state sponsored is not clear, and the attacker doesn’t always have to be successful everywhere. Just a few well-placed ransomware attacks, in key battleground states, could create the impression that voters everywhere wouldn’t be able to cast their ballots or that the ballots couldn’t be accurately counted — what the cybersecurity world calls a “perception hack.”
“We have now been hardening these systems since last summer,” Christopher Krebs, who runs the Cybersecurity and Infrastructure Security Agency for the Department of Homeland Security, said this month. He noted that the agency was trying to make sure local election officials printed out their electronic poll books, which are used to check in voters, so that they had a backup.
The United States has made “great progress” in the effort, Mr. Krebs added, by “getting on this problem early.”
Nonetheless, some officers fear that President Trump’s repeated assertion in regards to the election that “we’re not going to lose this besides in the event that they cheat” will be the 2020 equal of “Russia, if you’re listening” — seen as a signal to hackers to create just enough incidents to bolster his unfounded claims of widespread fraud.
So far Mr. Trump has focused on mail-in ballots and new balloting systems, but on election night there would be no faster way to create turmoil than altering the reporting of the vote — even if the vote itself was free of fraud.
That would be a classic perception hack: If Mr. Trump was erroneously declared a winner, for example, and then the vote totals appeared to change, it would be easy to claim someone was fiddling with the numbers.
The Russians tried this, and almost got away with it, in Ukraine’s presidential election six years ago. That is one reason the F.B.I. warned last week that the days after the election could result in “disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”
The F.B.I. warning made no mention of Mr. Trump’s own declarations that if Mr. Biden wins, the election must be illegitimate, or his baseless attacks on the use of mail-in ballots. But on Saturday night at a rally in Pennsylvania, the president openly speculated how an uncertain outcome could throw the election into the courts or Congress, both places where he believes he has an advantage.
That is why the surge in ransomware has become such a rising concern. Should an attack be well-timed enough to make it difficult to count votes or certify tallies, it would add to the uncertainty — just what the Russians, and perhaps Mr. Trump himself, are seeking.
Part of the problem is that the full scale of ransomware attacks is not always disclosed.
It was three years after the 2016 election that the Department of Homeland Security, the F.B.I. and even Florida state officials learned that Palm Beach County — which played a critical role in deciding the 2000 election — had its election offices seized by ransomware just weeks before the election.
Over the past 18 months, cybercriminals — primarily based in Russia and Eastern Europe — have hit the American public sector with more ransomware attacks than in any other period on record, according to Emsisoft, which tracks the incursions. A record 966 ransomware attacks hit the American public sector last year — two-thirds of them targeting state or local governments.
Sept. 27, 2020, 6:24 p.m. ET
Among them: A Texas county that voted for Hillary Clinton in 2016 as well as counties that helped determine the 2016 election in Ohio, Pennsylvania, Florida and Georgia, and other cities and counties that will most likely play a critical role in deciding close Senate races in South Carolina, Kentucky, Colorado and Maine in November.
The F.B.I. concluded that ransomware “will likely threaten the availability of data on interconnected election servers” in November, according to a bureau analysis leaked this summer. The agency cited two recent examples: a ransomware attack in Oregon that locked up county computers and crippled backup data, and another in Louisiana in which cybercriminals hacked the secretary of state’s offices, then waited three months to detonate their ransomware the week of Louisiana’s statewide elections for governor and legislative seats last November.
The Louisiana election proceeded unscathed because officials had the foresight to separate voter rolls from internal networks. Still, some analysts feared the attack was a dry run for Nov. 3.
Sometimes victims pay — as a small town in Florida did. Sometimes they refuse, as Atlanta did — though it ended up spending more than the ransom demand reconstructing its systems.
The latest victim, Tyler Technologies, has been vague about the details of its attack. Citing a continuing investigation, the company declined to elaborate on the ransom demands, say whether it paid or offer any details about the attackers. And while the company claimed that none of its products “support voting or election systems,” its Socrata dashboard software is used by some election officials to aggregate and share election results.
That display software is precisely the kind of soft target that intelligence agencies warned could be subject to foreign manipulation on Election Day. In the Ukraine case in 2014, Russian hackers got into the software that reported the country’s election results to the media, altering it to falsely claim victory for a far-right candidate. Ukrainians caught the hack just in time and reported the correct results on television that night. Tellingly, Russian state media still reported that the far-right candidate had won the presidency.
It was a classic perception hack because even if the actual ballots are untouched, an attack that delayed the vote or cast doubt on the ultimate results could create enough uncertainty in voters’ minds that somehow the election was illegitimate.
The Republican-led Senate Intelligence Committee report into the 2016 election even warned against the kind of proclamations Mr. Trump is making about “rigged” elections from the White House press room and at rallies.
“Sitting officials and candidates should use the absolute greatest amount of restraint and caution if they are considering publicly calling the validity of an upcoming election into question,” the report said, noting that doing so would only be “exacerbating the already damaging messaging efforts of foreign intelligence services.”
Christopher A. Wray, the F.B.I. director, countered the president’s claims on Thursday, telling lawmakers that his agency had “not seen, historically, any kind of coordinated national voter fraud effort in a major election, whether it’s by mail or otherwise.” He was immediately attacked by the White House chief of staff, Mark Meadows. “With all due respect to Director Wray, he has a hard time finding emails in his own F.B.I.,” Mr. Meadows said on Fox News.
Still, American officials are walking a thin line. They are trying not to ramp up too many fears about ransomware for fear of amplifying the uncertainty.
But at the same time, security researchers have noted with growing alarm that the ransomware attacks hitting American systems are evolving in disturbing ways. Attackers are not just locking up data, they are stealing it, dumping it online in some cases, and selling access to victims’ data on the dark web and privately to nation-state groups. Researchers at Intel471, a threat intelligence firm, recently discovered that Russian cybercriminals had been selling access to victims’ data to North Korean hackers, and Russian cybercriminals have a long track record of working hand in hand with the Kremlin.
When the Treasury Department imposed sanctions on members of an elite Russian cybercrime group last December, they outed the group’s leader as a member of Russia’s Federal Security Service, or F.S.B., a successor to the K.G.B.
Three years ago, the Justice Department accused two F.S.B. agents of working closely with two cybercriminals to hack 500 million Yahoo accounts. Russian agents allowed cybercriminals to profit from the attack, while mining their access to spy on journalists, dissidents and American officials.
“There is a pax mafiosa between the Russian regime and its cybercartels,” said Tom Kellermann, the head of cybersecurity strategy at VMWare, who sits on the Secret Service’s cyberinvestigations advisory board. “Russia’s cybercriminals are treated as a national asset who provide the regime free access to victims of ransomware and financial crime. And in exchange, they get untouchable status.”
“It’s a protection racket,” Mr. Kellermann said. “And it works both ways.”