TALLAHASSEE — At least three Florida elections offices got malicious emails days before the 2016 presidential election that a classified federal report says were part of a Russian cyberattack that aimed to hack into their computers.
Election supervisors in Citrus, Clay and Pasco counties told the Times/Herald Tuesday that they got the emails, but they did not open them. It’s unclear whether the cyberattack was successful anywhere else in Florida.
A secret intelligence report by the National Security Agency described two efforts by a Russian military intelligence unit, the G.R.U., to disrupt the presidential election.
The first attempt, in August, targeted VR Systems, a Florida vendor that sells election software to most counties in the state, and the second attempt was directed at 122 election management officials, according to The Intercept, an online national security news outlet that said it obtained a copy of the NSA’s classified intelligence report, dated May 5.
The Intercept said the second email, sent around Nov. 1, six days before Election Day and disguised as a routine message from VR Systems, was embedded with weaponized files that would have allowed “vast control over a system’s settings and functions.”
Pasco County Supervisor of Elections Brian Corley said the malicious message was in his agency’s inbox on Oct. 31.
“I didn’t open it,” Corley said. “Phishing emails? We get them all the time. I can’t tell you how many people in Nigeria want to give me $8 million.”
He said every suspicious email is forwarded to a “quarantine” email address.
Clay County Supervisor of Elections Chris Chambless said his office got a copy of the phishing e-mail but it was stopped by an anti-virus filter.
Tallahassee-based VR Systems quickly warned counties about the attempt in a Nov. 1 email to all 64 counties that use its software.
“I looked to see if we had it in our system, and we didn’t, and quite frankly, I made that assumption then that our quarantine system did its job,” said Chambless, president of the Florida State Association of Supervisors of Elections.
“To our knowledge, there has been no Florida county that executed this phishing attempt,” said Chambless, who added that his medium-sized elections office gets about 3,500 phishing or spam messages daily.
Chambless sent a memo to supervisors Tuesday in which he emphasized that none of VR Systems’ products “perform the function of ballot marking or tabulation of marked ballots.”
The lesson from the incident, he said, was for counties to use enterprise-grade antivirus software “to ensure the greatest threat protection available.”
In an interview with the Times/Herald, Citrus Supervisor of Elections Susan Gill said she too recalled receiving it at her Crystal River offices.
“Yes, we did receive it, and we immediately received an email from VR Systems telling us not to open it,” Gill said.
In Florida, voter registration data and the software used to count votes are on two separate electronic systems, as Seminole County Supervisor of Elections Mike Ertel emphasized on his Facebook page.
“Important: Even if the bad guys would have accessed our local registration files (which they didn’t), those files are in no way connected to vote counting,” Ertel wrote on Facebook. “I’ve said it hundreds of times: ‘You can’t hack paper.’ Seminole County votes on trusted paper ballots.”
Miami-Dade’s elections office said it did not receive the second message that the NSA report said was aimed at elections officials.
“We have no indication at this time that a Miami-Dade County system, or one of our valued partners, has been breached,” a spokesman for county Mayor Carlos Gimenez said. “The county’s elections department will continue to work closely with the information technology department to ensure the ongoing security and confidentiality of our elections systems.”
Broward Supervisor of Elections Brenda Snipes said her office didn’t get it either.
VR Systems chief executive officer Mindy Perkins issued a statement in response to The Intercept’s report that said in part: “When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.”
After the first suspicious email was sent last August, the FBI’s Jacksonville office held a conference call on Sept. 30 with county supervisors of elections to alert them to “a malicious act found in a jurisdiction” in Florida, according to Ion Sancho, the former Leon County elections supervisor who was on the call.
Sancho and other election officials who spoke to the Times/Herald Tuesday said they had not heard any more about the federal investigation until The Intercept’s report appeared Monday.
A 25-year-old intelligence contractor from Augusta, Ga., Reality Leigh Winner, was charged Monday with leaking the NSA report to The Intercept.
by Steve Bousquet