A computer security expert says he found that a forensic image of the election server central to a legal battle over the integrity of Georgia elections showed signs that the original server was hacked.
The server was left exposed to the open internet for at least six months, a problem the same expert discovered in August 2016. It was subsequently wiped clean in mid-2017 with no notice, just days after election integrity activists filed a lawsuit seeking an overhaul of what they called the state’s unreliable and negligently run election system.
In late December 2019, the plaintiffs were finally able to obtain a copy of the server’s contents that the FBI made in March 2017 and retained — after the state allegedly dragged its feet in securing the image.
State officials have said they’ve seen no evidence that any election-related data was compromised. But they also long refused to submit the server image for an independent examination.
Logan Lamb, a security expert for the plaintiffs, said in an affidavit filed in Atlanta federal court on Thursday that he found evidence suggesting the server was compromised in December 2014. Lamb said the evidence suggests an attacker exploited a bug that provided full control of the server.
Lamb also said he determined that computer logs — which would have been critical to understanding what might have been altered on or stolen from the server — only go back to Nov. 10, 2016 — two days after Donald Trump was elected U.S. president. Two years later, Brian Kemp won the Georgia governor’s race by a narrow margin over Democrat Stacey Abrams.
Kemp oversaw Georgia’s elections during both races as secretary of state. Election administration was handled at Kennesaw State University by an outfit that Kemp’s office dismantled after the server-wiping incident.
Additionally, Lamb found evidence that election-related files were deleted from the server on March 2, 2017, just after a colleague of his alerted KSU officials that the election server remained vulnerable to hackers.
It was Lamb who initially alerted Merle King, director of the elections center at KSU, in August 2016 of a gaping security hole that left the server vulnerable to tampering.
The fact that the access logs were deleted suggests possible foul play, Lamb wrote.
“I can think of no legitimate reason why records from that critical period of time should have been deleted,” he said in his sworn statement.
The plaintiffs have accused state election officials of repeatedly and intentionally destroying evidence that could show unauthorized access to state election infrastructure and the potential manipulation of election results.
A protective order prevented Lamb from speaking to a reporter about his findings. A spokesman for Georgia’s secretary of state, Brad Raffensperger, had no immediate comment and attorneys for the defendants did not respond to emailed questions and a telephone message.
In his original and less methodical examination of the server after he discovered it exposed online, Lamb said he found personal data for Georgia’s 6.7 million voters as well as passwords used by county officials to access election-staging files.
For the 2020 election, Georgia officials are replacing antiquated touchscreen voting machines that have long been discredited by computer scientists. But the Coalition for Good Governance, one of the plaintiffs in the case, rejects the computerized ballot-marking devices the state has purchased to replace them.
It maintains, paralleling the findings last year of a National Academies of Sciences report, that the only secure voting solution is hand-marked ballots processed by scanners that leave a human-readable paper trail that can be audited later. Most U.S. voters will use systems with a voter-verifiable paper trail in November.
“The defendants have since day one tried to do everything possible to obstruct the public, the plaintiffs and the court from seeing the shambles of what they had in an incredibly compromised election system,” said the coalition’s Executive Director Marilyn Marks.
Now, she said, state officials argue that because of their new system, problems with the old system aren’t relevant anymore.
“Of course, that’s not true,” she added. “This was the hub of their entire elections structure.”
U.S. District Judge Amy Totenberg, who is presiding over the case, has expressed grave concerns about the vulnerability of Georgia’s election system and has scolded state officials for being slow to remedy serious vulnerabilities.
Lamb, a former Oak Ridge National Laboratory researcher, said he found evidence in examining the server image that software running on the voting machines being phased out in Georgia was vulnerable to known attacks.
He also said that in the December 12, 2014, intrusion he detected, the attacker patched the Drupal server vulnerability 20 minutes after the break-in. That’s typical of a seasoned hacker who wants to prevent others from similarly gaining entry to a compromised machine.
The FBI obtained the server image as part of an investigation into the security researchers who alerted KSU to the server’s security hole. Those researchers were never accused of any wrongdoing. It is not clear, however, if the FBI ever examined the image to try to determine whether it had been compromised, a significant question given federal findings of interference by Russian military intelligence agents in the 2016 election.
An FBI spokesman in Atlanta, Kevin Rowson, declined to comment on the matter.
Documents obtained by an independent researcher from the FBI in a Freedom of Information Act request and shared with The Associated Press provide no indication that the bureau ever examined the KSU server image for evidence of tampering by malicious outsiders. The investigation apparently was limited to Lamb and his associate. An FBI document dated Oct. 23, 2017, said the matter would be shelved once the hard drive containing the image was placed in a case file. It said no investigative activity had been conducted in the case for two months.