Here’s the Email Russian Hackers Used to Try to Break Into State Voting Systems

The simplicity of the email, which included a malicious election software manual, is part of the playbook of an advanced attacker, an expert said.

A poll worker gives a voter a Las Vegas Strip-themed "I Voted" sticker after taking back her voter activation card at a polling station in North Las Vegas, Nevada, on November 8, 2016. Photo: Ethan Miller/Getty Images

Just days before the 2016 presidential election, hackers identified by the National Security Agency as working for Russia attempted to breach American voting systems. Among their specific targets were the computers of state voting officials, which they had hoped to compromise with malware-laden emails, according to an intelligence report published previously by The Intercept.

Now we know what those emails looked like.

An image of the malicious email, provided to The Intercept in response to a public records request in North Carolina, reveals precisely how hackers, who the NSA believed were working for Russian military intelligence, impersonated a Florida-based e-voting vendor and attempted to trick its customers into opening malware-packed Microsoft Word files.

The screenshot, shown below, confirms NSA reporting that the email purported to originate from the vendor, Tallahassee-based VR Systems, but was sent from a Gmail account, which could have easily tricked less scrupulous users. “Emails from VR Systems will never come from an ‘@gmail.com’ email address,” the company warned in a November 1, 2016 security alert, which included the reproduction of the GRU email.

The specific Gmail address shown in the message, vrelections@gmail.com, matches an address cited in the NSA report as having been created by Russian government hackers, although in the NSA report the address was rendered with a period, as “vr.elections@gmail.com.” The timing of VR Systems’ security alert is also in line with the NSA’s reporting, which indicated that the email attack occurred on either October 31 or November 1 of 2016. The original classified NSA document contained intelligence assessments, but omitted any raw signals intelligence used to form those assessments.

In addition to having arrived from a Gmail account, rather than an actual VR Systems address, the attacker also appears to have slipped up and used the British spelling of “modernized” in the email’s body. But to a state election official reading quickly in the frantic period before a presidential election, without an eye open for the hallmarks of a phishing attack and accustomed to such emails from VR, the message could have had disastrous and completely unexpected consequences. North Carolina experienced a variety of widely-reported software glitches on Election Day in 2016.

Jake Williams, founder of the cybersecurity firm Rendition Infosec and a former NSA hacker, told The Intercept that there appeared to be “nothing very sophisticated” about the email attack, which he said is ironically part of the playbook of a “more advanced” attacker. A visually simple message would have helped the attackers “blend into the noise,” said Williams.


As indicated in the NSA report, the attached Word documents, posing as documentation for VR Systems software, would have invisibly downloaded a malware package that could have provided the attacker with remote control over a target’s computer. The report further indicated that the malware-spiked documents actually did contain legitimate “detailed instruction on how to configure EViD [voting] software on Microsoft Windows machines,” suggesting that if a state elections official had opened the attachments, they might not have had immediate cause for concern.

Williams said the use of “.docm” file extensions on the Word documents should have been “very suspicious” on its own, as using such an extension allows code in the file to run automatically. He also said the use of recycled malware “increases the chance of detection a little, but also decreases the chance of correct attribution a lot.”
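The two red flags the article describes (a vendor name in the display name while the actual sender is a Gmail account, and a macro-enabled `.docm` attachment) are both visible in mail headers before anything is opened. The following triage check is an added example, not code from the article or from VR Systems: it parses one message and reports those flags. The message itself is constructed for the example; the Gmail address is the one quoted in the VR Systems alert, the attachment filename, subject and body are invented, and the vendor domain is a placeholder rather than the company's real domain.

```python
"""Added example: header-level triage for vendor-impersonation phishing.
Not the article's or VR Systems' code. Vendor domain is a placeholder."""
import os
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Placeholder mapping of trusted vendor names to the domains their mail
# legitimately comes from. "vr-systems-vendor.example" is an assumed value.
TRUSTED_VENDOR_DOMAINS = {"VR Systems": "vr-systems-vendor.example"}

# Free-mail providers a vendor would not use for customer notices.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Office extensions that carry macros; the article quotes Williams on .docm.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

# Constructed sample modelled on the article's description: display name
# claims the vendor, address is the Gmail account quoted in the alert,
# attachment is a macro-enabled Word file. Subject, body and filename are
# invented; the base64 payload is a harmless stub, not a real document.
SAMPLE_EMAIL = b"""From: VR Systems <vrelections@gmail.com>
To: elections@county.example
Subject: Modernised EViD documentation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached the modernised EViD configuration manual.

--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="EViD_Config_Guide.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""


def triage(raw: bytes) -> list[str]:
    """Return the list of red flags found in one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()

    # 1. Display name invokes a known vendor, but the address is not that
    #    vendor's domain (display-name spoofing).
    for vendor, vendor_domain in TRUSTED_VENDOR_DOMAINS.items():
        if vendor.lower() in display_name.lower() and domain != vendor_domain:
            flags.append(f"display-name spoof: '{display_name}' sent from {domain}")

    # 2. Sender domain is a free-mail provider.
    if domain in FREE_MAIL_DOMAINS:
        flags.append(f"free-mail sender domain: {domain}")

    # 3. Any attachment with a macro-enabled Office extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in MACRO_ENABLED_EXTENSIONS:
            flags.append(f"macro-enabled attachment: {name}")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL):
        print(flag)
```

Run against the constructed message, the check reports all three flags. In a real gateway the vendor-domain table would be maintained by the organisation, and a hit on the first or third rule is normally enough to quarantine the message for review rather than deliver it.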

Williams also noted that VR Systems claimed in their email security alert that they didn’t know the “potential impact” of opening these attachments, even as it was warning customers against doing so. “Why not?” Williams wonders. “Did they follow up with customers after they found out what the impact was, or did they just drop it?”

VR Systems COO Ben Martin told The Intercept that following the attack, the company “hired a leading threat intelligence firm, which conducted a byte-by-byte analysis of our systems and found no indications that our system had been breached as a result of this spear phishing attack.” As of today, however, the company said that “the impact of clicking on the attachment is unknown to VR Systems.” Martin continued:

When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified our customers by email and advised them not to click on the attachment. Most election officials have security systems in place that would have flagged the email before it even reached the intended recipient. After we notified our customers of the potential threat, most told us that their spam filter caught the email or that they had never received it. We are only aware of a small number of our customers who actually received the fraudulent email and of those, none of them notified us that they clicked on the attachment or were compromised as a result.

Still, Martin noted that VR isn’t aware of every recipient of the malware message, which would make an accounting of its impact difficult, if not impossible.

The company provided voter registration and poll book software to eight states in 2016. Its November 1 alert about an email threat was later provided to an elections official named Michael Dickerson in Mecklenburg County, North Carolina, and forwarded to The Intercept by the county in response to its public records request.

Mecklenburg includes Charlotte, North Carolina’s largest city, but it was Durham that became a flash point for electronic voting glitches in 2016, which led the state Board of Elections to extend voting time in eight Durham County precincts on election night. The NSA report concluded that it was “unknown” whether Russian military intelligence “was able to successfully compromise any of the entities targeted as part of [its] campaign,” and no known intelligence has linked the North Carolina glitches to Russian hacking, although the New York Times reported in September that neither federal agencies nor those in states reportedly targeted by the hackers had done much to investigate the issue. In May, the Senate Intelligence Committee reported that in a “small number” of states, hackers broke into election computers and could change registration data, but not votes.

