Hackers reportedly breached election systems in a third state, in addition to the already disclosed incidents involving Arizona and Illinois, during the 2016 campaign cycle.
On Election Day 2016, a hacker successfully penetrated a server hosting Alaska’s main election website, the Anchorage Daily News reported on Monday night, citing documents obtained through a public records request.
The breach is not connected to the previously reported hacking attempt made by Russia-linked hackers to access Alaska’s primary voter registration database. Alaska was one of 21 states that were previously informed by the Department of Homeland Security of similar Russian probing activity on their election systems.
Security experts told ADN that, although the newly reported incident was a successful intrusion, the Alaska Division of Elections’ security measures appear to have prevented the attackers from changing content on the server.
ADN reports that the hacker exploited a vulnerability in the Alaska election website’s PHP script (PHP is a commonly used web development language). According to emails obtained by the Daily News, a fix for the vulnerability was published about a month prior to Election Day, but it was not properly applied. After discovering the incident, officials fixed the flaw within hours.
Due to the Alaska Election Division’s multiple layers of security, the hacker was limited in their ability to change information, according to ADN. There’s a separate system that’s responsible for counting vote totals, which is typically isolated from the internet.
Researchers say the hacker was able to escalate privileges, “but that this stopped short of being able to write anything to the volume,” Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, told CyberScoop in an email. Hall reviewed the documents ADN obtained at the news outlet’s request.
“Reading the documents [ADN reporter Nathaniel Herz] got … it seems like this [virtual machine] was heavily restricted and just had the election results in an XML (data) file and a series of PHP scripts to display it, so there was not a lot on that particular machine that would have been juicy,” Hall explained.
The emails published by ADN show how Alaskan government officials first noticed the breach in the early morning hours of Election Day, when an anonymous Twitter user named “CyberZeist” posted screenshots proving they had administrative access to the server.
Included in the published documents was a private December 2016 report by Reston, Va.-based cybersecurity firm LookingGlass. The report detailed CyberZeist’s known activities, including the fact that the account was tied to the hacking group “UGNazi.” In recent years, this group was also responsible for breaching websites belonging to the CIA, Nasdaq, U.S. Department of Justice and others.
LookingGlass found that CyberZeist was similarly involved in hacking attempts against Hillary Clinton’s campaign chairman John Podesta.
“CyberZeist’s recent activities – breaching Podesta’s cell phone and interest in developing DDoS capability indicate that the actor is interested in activities that garner media attention, and thus further solidifying his bona fides as an individual of note,” the LookingGlass report states.
Analysts believe CyberZeist’s hacking interest shifted to financial crime shortly after the Alaska incident.
Reached by email, a spokesperson for the Division of Elections told CyberScoop that the state did not publicly disclose the intrusion because it did not affect the state’s ability to carry out the election.
“In 2016 and now, we are actively working to prevent those adversaries from undermining voter confidence, especially as that is their stated goal,” the spokesperson said. “In a non-technical sense, there was nothing to report as compromised since no element of the elections process was impeded by the event.”
The state did, however, make public comments about the attempted Russian intrusions revealed a few months prior.
The spokesperson also said that the office deemed the incident “election disinformation,” saying that the hacker was exaggerating the level of access they had gained.
“They asserted they had gained access to our online ballot tabulation system, but we do not have an online ballot tabulation system,” the spokesperson said.
This story has been updated with comments from the Alaska Division of Elections.