A hacker breached the US agency responsible for certifying voting equipment, according to a new report, though it reportedly happened after Election Day.
Reuters reports that security firm Recorded Future was monitoring the digital underground and "discovered someone offering log-on credentials for access to computers at the US Election Assistance Commission." Researchers from Recorded Future reportedly then posed as potential buyers and struck up a conversation with the hacker.
"They discovered that the Russian-speaking hacker had obtained the credentials of more than 100 people at the election commission after exploiting a common database vulnerability," Reuters reports, citing Recorded Future's Vice President of Intelligence, Levi Gundert, and Director of Advanced Collection Andrei Barysevich. The hacker was reportedly trying to sell details of that vulnerability to a government in the Middle East for "several thousand dollars."
The researchers alerted law enforcement and the Election Assistance Commission about the breach; the vulnerability has since been fixed, the report notes.
The commission issued a statement about the breach on Thursday noting that it's "working with federal law enforcement agencies to investigate the potential breach and its effects."
Related
- How to Hack an ElectionHow to Hack an Election
The agency stressed that it "does not administer elections [or] collect or store any personal information of voters." Its mission "is to provide a clearinghouse of election administration best practices, administer a voluntary voting machine certification system, and survey election administration practices."
"The FBI is currently conducting an ongoing criminal investigation," the agency said.
Perhaps the scariest part about the whole incident is that Barysevich told Reuters the hacker didn't seem particularly sophisticated. He used a common technique called SQL injection to break in and steal a list of usernames and "obfuscated passwords, which he was then able to crack," Reuters reports. The hacker also reportedly made away with "non-public reports on flaws in voting machines."