FBI: Look out – hackers are breaking into US election board systems

SQL injection attack used to slurp voters' info


IT admins have received a flash warning from the FBI to harden up their systems following attacks against servers run by two US state election boards.

The security advisory states that the security breaches in June and August emanated from IP addresses around the world and involved the Acunetix, SQLMap, and DirBuster tools. It tells sysadmins to monitor logs for privilege escalations, unusual SQL errors indicating injection attacks, and directory traversal attempts, such as:

GET /Login//..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd
GET /Login//../../../../../../../../etc/passwd
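As an added defensive illustration, not part of the FBI alert or the article, the following Python script applies the advisory's log-monitoring advice to a few constructed access-log lines: it percent-decodes request targets so that the `..%5c` form and the plain `../` form normalise to the same thing, flags traversal sequences and SQL-injection markers in query strings, and notes 500 responses on parameterised requests that may indicate injection-induced SQL errors. The combined log format, the sample lines and the detection patterns are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined format (not real server logs).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jun/2016:02:14:07 +0000] "GET /Login//..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jun/2016:02:14:09 +0000] "GET /Login//../../../../../../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2016:02:15:01 +0000] "GET /voters.aspx?id=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Jun/2016:02:16:30 +0000] "GET /Login/?next=/home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pull out client IP, request target and status code from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment delimited by either slash style, after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
# Common SQL-injection probe markers seen in query strings (assumed heuristic, not exhaustive).
SQLI_RE = re.compile(r"(?i)(?:'|\bunion\b\s+(?:all\s+)?\bselect\b|\bor\b\s+\d+\s*=\s*\d+|--|/\*|\bsleep\s*\()")

def normalize(target):
    """Percent-decode repeatedly (bounded) so %5c, %2e%2e and double encoding all collapse."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return {'ip', 'path', 'findings'} for a parsable line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path = normalize(m.group('target'))
    findings = []
    if TRAVERSAL_RE.search(path):
        findings.append('traversal')
    query = path.partition('?')[2]
    if query and SQLI_RE.search(query):
        findings.append('sqli')
    # A server error on a parameterised request is the "unusual SQL error" signal the advisory mentions.
    if m.group('status') == '500' and query:
        findings.append('server-error-with-query')
    return {'ip': m.group('ip'), 'path': path, 'findings': findings}

def scan(log_text):
    """Scan a block of log text and return only the entries that raised a finding."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r and r['findings']]

if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(alert['ip'], alert['findings'], alert['path'])
```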

The alert reads:

In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor.

The IP addresses used in the infiltration belong to virtual servers hosted by Bulgaria's Fortunix Networks, Illian in the Netherlands, and Russia's King Networks: 185.104.11.154, 185.104.9.39, 204.155.30.75, 204.155.30.76, 204.155.30.80, 204.155.30.81, 89.188.9.91, and 5.149.249.172.

"It was an eye opener," one senior law enforcement official told Yahoo! News. "We believe it's kind of serious, and we're investigating."

The June SQLi attack targeted the Illinois Board of Elections, and was used to swipe the personal data of 200,000 citizens, according to Ken Menzel, the general counsel of the Illinois Board of Elections. The database was taken offline for 10 days to fix the vulnerabilities exploited to gain access.

For what it's worth, as in many US states, in Illinois you can buy copies of the electoral register, which has every voter's personal record in it – so it's likely whatever the hackers gained was already public information. However, the next cyber-break-in could tamper with people's details rather than swipe them, or use a compromised database as a stepping stone to more important systems.

Menzel said he had been told by the FBI that "foreign hackers" compromised systems and that there was a "possible link" with the attack against the Democratic National Committee servers, which is believed by some to have been carried out by Russian state actors.

The other attack, carried out in August and believed to be against Arizona, was less successful but still concerning to the FBI.

Before anyone panics, it looks likely that this was a simple attack to steal personal information, rather than an attempt to change the course of the election. While the hacking of voting machines is a major concern, particularly in states that don't give paper receipts for votes, these are separate from the Election Board data.

Nevertheless, on August 15, Homeland Security Secretary Jeh Johnson had a conference call with state election officials, warning them to be on their guard against online attack. Johnson said that officials should take care that voting machines weren't connected to the internet and were fully patched against flaws. He pledged help for state officials in securing their systems, including having the DHS send specially trained staff to help. ®
