FBI Links Cyberattacks on Arizona and Illinois Voter-Registration Data to Foreign Hackers

The FBI believes that the infiltration in late June of Arizona voter-registration databases may be linked to foreign hackers who stole data from an Illinois election site, Yahoo News reported on Monday.

Michael Isikoff, Yahoo's chief investigative correspondent, reported that he'd obtained an FBI warning about cyberattacks on elections databases in two states. He confirmed through a source that the states were Illinois and Arizona.

The online article received nationwide attention on Monday, even though much of the story had already been reported. Isikoff's story, based on a disturbing FBI alert about the two attacks, touched nerves that were already frayed following the bombshell leak last month of Democratic National Committee e-mails, a debacle that resulted in the resignation of DNC chairwoman Debbie Wasserman Schultz.

The Arizona Secretary of State's Office revealed news of the hack back in late June and early July, reporting that it was a serious attack, that the FBI was investigating, and that no data had been stolen. The Illinois hack, which shut down the Illinois voter registration for nearly two weeks, was covered by the news media when it happened in mid-July. Isikoff's story reveals that hackers had penetrated and copied voter information for about 200,000 Illinois residents.

The events in Arizona and Illinois sparked so much concern that Homeland Security Secretary Jeh Johnson spoke with state elections officials in a conference call on August 15, trying to assuage fears of a massive Election Day cyberattack and offering up federal experts who could visit election sites and make recommendations for security improvements.

Three days after the phone call, Isikoff reported, the FBI issued its bulletin. Entitled "Targeting Activity Against State Board of Election Systems," the alert stated that the FBI was investigating two computer attacks and listed eight IP addresses — unique numbers assigned to every computer and device using the internet — that were linked to the hacks. One of those IP addresses was used in both attacks.

"The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected," the alert states. "Attempts should not be made to touch or ping the IP addresses directly."

One of the IP addresses "has surfaced before in Russian criminal underground hacker forums," according to an expert quoted in Isikoff's article. The hacks in Illinois and Arizona should be seen as a "wake-up call" for elections officials, Tom Hicks, the chairman of the U.S. Election Assistance Commission, told Isikoff.

The FBI won't comment on specific alerts but does acknowledge that it reveals information about cyber threats to "private industry," says Matthew Reinsmoen, a special agent with the agency's Phoenix office.

"This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals," reads a statement Reinsmoen sent to New Times on Monday. "As you may know, in July, we confirmed that the FBI's Cyber Crimes Unit did alert the state to a potential computer compromise. Due to the sensitive nature of these investigations, we will not elaborate further on the matter."

Matt Roberts, spokesman for Arizona Secretary of State Michele Reagan, said media outlets around the world were calling to find out what was going on, but that the story was actually old news. Because the FBI won't comment, officials can't be certain Arizona is one of the two states mentioned in the alert, he said.

But a serious breach did occur, apparently tied to Russian hackers.

FBI officials notified the Arizona Department of Administration in late June of a serious threat to voter-registration records — an "eight" on a scale of one to 10, as threats go, Roberts said.

Malicious software was downloaded onto a Gila County Elections Department computer, where it apparently recorded the keystrokes of the computer user and gleaned the user's password-protected login information. The hacker put the county employee's username and password on the internet. Not long after, the information was used to gain access to the voter information. But the county uses two levels of computer security for access to that information, and the hacker was unable to get past that second level. Roberts declined to discuss the details of that second-level security.

The FBI's revelation of a breach in June spurred the state to take its online voter-registration apparatus offline for almost a week while the system was inspected.

"We wanted to make sure that info wasn't being corrupted if there was a bug in it," Roberts explained. Users wouldn't have noticed, because all the new registrations went into a queue that was processed when the system was put back online.

The shutdown affected a page on the Secretary of State's website where Clean Elections candidates can solicit $5 contributions that allow them to collect public money to run their campaigns.

Roberts said the inspection proved the malware hadn't infected any other county computers, and that the state's voter-registration database hadn't been violated. Reagan took prompt action in June upon hearing from the FBI, he says.

"When Secretary Reagan hears the words 'Russian hacker,' and 'credible Russian hacker' from the FBI, she's going to pay attention to that," he said.

Isikoff's story says federal officials aren't sure if the attacks came from foreign agents bent on changing U.S. elections or from criminals who want to sell voter information for a quick buck.

Correction: The article previously stated the malware was downloaded onto a Maricopa County computer — it was Gila County.
Ray Stern has worked as a newspaper reporter in Arizona for more than two decades. He's won numerous awards for his reporting, including the Arizona Press Club's Don Bolles Award for Investigative Journalism.