An investigation into an apparent distributed denial-of-service attack on a Knox County, Tennessee, primary election earlier this month revealed that hackers aimed to gain unauthorized access to a county web server.
When Knox County held its mayoral primary on May 1, its website, where it was reporting results, went down. Officials at the time said that heavy traffic overwhelmed the website and that it was “highly suggestive” of a DDoS attack.
The county hired cybersecurity firm Sword & Shield to investigate the incident. The company’s report, released late last week, reveals that not only was the county website subjected to an unmanageable level of traffic, but hackers also actively sought to exploit a vulnerability in the website.
David Ball, the county’s deputy director of IT, told CyberScoop by email that the hackers did successfully access the server but didn’t do much else.
“There is evidence that hackers were able to gain access for the purpose of ‘looking around,’ but there was no evidence of any attempt to alter data,” Ball said.
County officials and Sword & Shield have stressed that the incident didn’t affect vote tallies or the overall integrity of the election. The tabulation process is separate and air-gapped, as detailed in the report. The server that the hackers accessed only contained temporary data that would ultimately be public knowledge, and not primary source data, Ball said.
Sword & Shield was brought on to determine the root cause of the website crash — DDoS attack or otherwise. In its report, the firm says that there was indeed a substantial increase in traffic and connection errors on Knox County’s website on May 1. IP addresses from about 65 countries accessed the site between 7 p.m. and 10 p.m., Sword & Shield reports. The website went down for about an hour between 8 p.m. and 9 p.m., according to the county.
Aside from the U.S., the bulk of website requests stemmed from IP addresses from Canada, the U.K., Chile, France and Italy.
As for the unauthorized access, Sword & Shield mapped the IP addresses to two places: the U.K. and the Ukraine. However, there’s nothing definitive about the origin of the attack, since hackers can easily use proxies to obfuscate their identities.
The county and the firm have declined to provide additional information about the vulnerability that hackers exploited, but said that it was fixed shortly after Sword & Shield found it.
Additionally, when Sword & Shield tested the exploit upon discovering it, the website crashed. Partly for that reason, the report says it’s tough to determine what actually caused the election day crash.
“It is unclear what the specific cause of the outage was due to a multitude of events occurring at the same time. The effect was clearly a loss of service, but it is unclear, with the information provided, if the outage was an intended event or a side effect of the events,” the report says.
But Ball, the county IT official, said that the hack and the DDoS-like symptoms are likely connected.
“In the absence of the original data packets, it is not possible to determine beyond a doubt whether or not there was malicious intent behind the DOS-like web traffic/errors, but since it occurred simultaneously with the deliberate attack on the server, I believe that it is reasonable to hypothesize that the two might have been two legs of a single malicious incident,” Ball said.
The election drew extra attention globally because Glenn Jacobs — better known as professional wrestler Kane — won the Republican primary.