A 25-year-old Federal contractor was charged Monday with leaking a top secret NSA report detailing how Russian military hackers targeted US voting systems just days before the election.
The highly classified intelligence document, published Monday by The Intercept, describes how Russia managed to infiltrate America’s voting infrastructure using a spear-phishing email scheme that targeted local government officials and employees.
It claims the calculated cyberattack may have even been more far-reaching and devious than previously thought.
The report is believed to be the most detailed US government account of Russia’s interference to date.
It was allegedly provided to the Intercept by 25-year-old Reality Leigh Winner, of Augusta, who appeared in court Monday after being arrested at her home over the weekend.
She was charged with removing and mailing classified materials to a news outlet, DOJ officials said.
“Releasing classified material without authorization threatens our nation’s security and undermines public faith in government,” Deputy Attorney General Rod J. Rosenstein explained in a statement. “People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”
Winner, who works as contractor at Pluribus International Corporation, allegedly leaked the report in early May. A federal official told NBC News that she had, in fact, given it to the Intercept.
According to the document, it was the Russian military intelligence that conducted the cyber attacks last year.
Specifically, operatives from the Russian General Staff Main Intelligence Directorate, or GRU, are said to have targeted employees at a US election software company last August and then again in October.
While the name of the company is unclear, the report refers to an undisclosed product made by VR Systems — an electronic voting services and equipment vendor in Florida that has contracts in eight states, including New York.
The hackers were given a “cyber espionage mandate specifically directed at U.S. and foreign elections,” the report says.
On August 24, 2016, the group sent the employees fake emails, which were disguised as messages from Google. At least one of the workers was believed to be compromised.
In late October, the group established an “operational” Gmail account and posed as an employee from VR Systems — using previously obtained documents to launch another spear-phishing attack “targeting US local government organizations,” the report says.
According to the NSA, the hackers struck on either October 31 or November 1, sending spear-fishing emails to at least 122 different email addresses “associated with named local government organizations.”
They were also likely sent to officials “involved in the management of voter registration systems,” the report says.
The emails were said to have contained weaponized Microsoft Word attachments, which were set up to appear as unharmful documentation for the VR Systems’ EViD voter database — but were actually embedded with automated software commands that are secretly turned on as soon as the user opens the document.
The hack ultimately gave the Russians a back door and the ability to deliver any sort of malware or malicious software they wanted, the report says.
In addition, the NSA document also describes two other incidents of Russian meddling prior to the election.
In one, the hackers posed as a different voting company, referred to as “US company 2,” from which they sent phony test emails — offering “election-related products and services.”
The other operation was said to be conducted by the same group of operatives, and involved sending emails to addresses at the American Samoa Election Office, in the attempt to uncover more existing accounts before striking again.
It is ultimately unclear what came of the cyberattack, but the NSA report firmly states that the Russians had been intent on “mimicking a legitimate absentee ballot-related service provider.”
“It is unknown, whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor,” the NSA states of the result of the hacking.
While the government employees were only hit with simple login-stealing tactics, experts told the Intercept that such operations could prove even more dangerous than malware attacks in some instances.
VR Systems doesn’t sell voting machines, but holds contracts in New York, California, Florida, Illinois, Indiana, North Carolina, Virginia, and West Virginia — making it a prime target for those who want to disrupt the vote and cause chaos come election day.
“If someone has access to a state voter database, they can take malicious action by modifying or removing information,” Pamela Smith, president of election integrity watchdog Verified Voting, told the Intercept.
“This could affect whether someone has the ability to cast a regular ballot, or be required to cast a ‘provisional’ ballot — which would mean it has to be checked for their eligibility before it is included in the vote,” she said. “And it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”
At least one US intelligence official admitted to the Intercept that the Russian hackers described in the NSA report could have disrupted the voting process on November 8, by specifically targeting locations where VR Systems’ products were in use. They cited the simple possibility of compromising an election poll book system, which could cause widespread damage in certain places.
“You could even do that preferentially in areas for voters that are likely to vote for a certain candidate and thereby have a partisan effect,” explained Alex Halderman, director of the University of Michigan Center for Computer Security and Society.
In response to the report, VR Systems’ Chief Operating Officer Ben Martin told the Intercept: “Phishing and spear-phishing are not uncommon in our industry. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.”