U.S. Election Assistance Commission Hacked

Russian-Speaking Hacker Selling Data Stolen from U.S. Election Assistance Commission (EAC)

Threat intelligence researchers have discovered that a Russian-speaking hacker broke into the U.S. Election Assistance Commission (EAC) systems and has been trying to sell the stolen access credentials, including admin-level accounts, on the underground.

On December 1, researchers with Recorded Future discovered internet chatter that appeared to relate to an EAC breach. A hacker, called “Rasputin” by Recorded Future, was discussing the sale of more than 100 EAC access credentials to a middle-eastern government broker. Rasputin was claiming to have accessed the systems via an SQLi vulnerability, which Recorded Future was able to locate and report. This flaw has now been fixed.

The EAC was established by the Help America Vote Act of 2002. Its responsibilities include overseeing the testing and certification of electronic voting systems. 

In October the US government officially accused Russia of conducting attacks against American political organizations specifically to interfere in the Presidential election. But there is no suggestion that the EAC breach could have been used in this way, and there is no suggestion that Rasputin has any direct link to the Russian government. It is probable that the breach was a standard hack, steal and sell operation by a cyber-criminal.

Nevertheless, the incident is a major embarrassment to an official body. SQLi flaws are common, and relatively easy to find and fix. “It’s not uncommon for this type of vulnerability to lead to broader system level access, however, in this case the full extent of the EAC compromise remains unknown,” report the researchers in an account posted late Thursday. It is equally unknown whether any other hacking group could have discovered and used the flaw earlier. Just as EAC did not discover the breach itself (it was discovered by Recorded Future monitoring internet chat), there is always a possibility that another breach could go undetected.
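To illustrate why an SQLi flaw is both easy to find and easy to fix, here is an added example (not code from the EAC site or from Recorded Future’s report) that puts a string-spliced user lookup next to its parameterized replacement, against a constructed in-memory table. The table, usernames and roles are invented for the demonstration.

```python
import sqlite3

# Constructed stand-in for an application's user table (hypothetical data).
SEED_ROWS = [
    ("alice", "hash_a", "admin"),
    ("bob", "hash_b", "user"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Defect: untrusted input is spliced into the SQL text.

    Anything the caller passes becomes part of the statement, so input
    containing a quote can change the query's structure rather than just
    its value. This is the pattern that produces SQLi.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Fix: bind the value as a parameter.

    The driver sends the SQL text and the value separately, so the value is
    never parsed as SQL. The same input that widened the vulnerable query
    is now compared literally against the username column and matches nothing.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def admin_rows_returned(rows):
    """Count how many returned rows carry the admin role.

    Useful as a quick regression check: a lookup for a non-admin name
    should never yield an admin row.
    """
    return sum(1 for _, role in rows if role == "admin")


if __name__ == "__main__":
    db = build_db()
    normal = "alice"
    # A single quote followed by an always-true clause is the classic
    # test input auditors use to confirm a splice-style defect.
    probe = "x' OR '1'='1"
    print("vulnerable, normal input:  ", lookup_vulnerable(db, normal))
    print("vulnerable, probe input:   ", lookup_vulnerable(db, probe))
    print("parameterized, probe input:", lookup_parameterized(db, probe))
```

Running the script shows the vulnerable lookup returning every row, admin included, for the probe input, while the parameterized lookup returns nothing, which is why the fix is a single-line change that a code review or an automated scan can verify.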

In an opinion piece published in the Washington Post in October, members of the EAC including its chairman, wrote, “Recent reports regarding the ability of foreign hackers to change the outcome of the U.S. presidential election are overstated. Foreign hackers will not pick our next president – Americans will.”

There is nothing in this latest incident to suggest any need to reconsider this sentiment. “I doubt that SQL injection on any website in the world can impact presidential elections in the US,” Ilia Kolochenko, founder and CEO of High-Tech Bridge, told SecurityWeek. “You need to compromise hundreds of systems in dozens of state agencies to be able to falsify the votes. Moreover, such intrusions will be quite probably detected – the US has very competent people to assure their national cybersecurity and may serve as an example to other countries.”

“We don’t think [Rasputin] actually works for any government or is super sophisticated,” said Andrei Barysevich, director of advanced collection at Recorded Future and author of the firm’s report. His own concern is that such breaches could potentially poison the website. “These administrative accounts could potentially be used to access sensitive information as well as surreptitiously modify or plant malware on the EAC site, effectively staging a watering hole attack utilizing an official government resource.”

A statement from the EAC, issued late Thursday, said it was aware of the ‘potential intrusion’ and was “working with federal law enforcement agencies to investigate the potential breach and its effects.” It added, “The FBI is currently conducting an ongoing criminal investigation.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
