
Another Example On How Trump Is Going To Steal This Election

PanamaSteve

Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns
The malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability in counties that don’t follow best practices for computer security.

by Jack Gillum, Jessica Huseman, Jeff Kao and Derek Willis
Sept. 24, 6 a.m. EDT


Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.

But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.

“I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.

The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.

U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices.

A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn’t follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn’t use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.

Although the malware used against Hamilton likely originated with foreign hackers, it appears to have been part of a widespread campaign, rather than one that targeted election-related sites. The malware also doesn’t appear to have spread from Hamilton to other Texas counties. And because Hamilton is a so-called offline county, the attack didn’t affect state voter systems. State and Hamilton County officials said the intrusion won’t affect voters’ ability to cast ballots or have them tabulated.

Still, such attacks could rattle voters’ confidence — or, at worst, bring down systems on election day. The type of malware deployed against Hamilton, called Emotet, often serves as a delivery mechanism for later ransomware attacks, in which swindlers commandeer a victim’s computer and freeze its files until a ransom is paid. U.S. officials have expressed concern that those attacks — which have paralyzed government agencies, police departments, schools and hospitals — could potentially disrupt the election.

Harvard’s Belfer Center for Science and International Affairs, which specializes in establishing best practices for political campaigns and election officials, said in a February 2018 report that election officials should “create a proactive security culture.” For political campaigns, the group suggested using cloud-based email and office software, which are more likely to neutralize threats like Emotet before they reach a user’s inbox. Experts said smaller governments with fewer resources should heed that advice.

Hamilton County has 8,500 residents and voted for President Donald Trump by a 6-to-1 margin in 2016. Almost all of the county offices, including Jackson’s, are located in the courthouse. During the pandemic, residents submit paperwork through a cracked window at the top of the courthouse steps, next to the door. A handwritten note taped to the glass reads, “If we don’t see you, please yell!”





Jackson’s office uses multiple email accounts, runs Microsoft Windows and edits Word files locally on its computers, as opposed to a cloud service like Google Docs, which is more likely to strip out malicious code. None of the emails sent to Hamilton was flagged as suspicious, according to a ProPublica review. The county’s email system lacks two-factor authentication — a standard protection involving a second means of verifying a user’s identity. It also hasn’t implemented DMARC, a system that helps organizations and businesses confirm that emails sent from their addresses are authentic.

Last November, AT&T Corp. performed a security audit for the county clerk’s office, a service offered free to counties by the Texas secretary of state. Jackson said last year’s audit, which took place before her appointment, highlighted no major concerns, but another one is being conducted this year. A representative of the secretary of state’s office said that the audit is a “top-to-bottom assessment” of both physical and cyber security, including the email system, and said Hamilton “may or may not have” implemented the recommendations.

ProPublica obtained five malware samples from Hamilton County and identified them as Emotet. The security firm Proofpoint, which examined the samples at our request, traced them to two weeklong Emotet campaigns in mid-September likely involving millions of malicious email attachments.

Emotet tricks users into clicking on plausible-looking messages and following phony instructions that in reality disable security settings in Microsoft Office. If successful, the ruse allows the malware to hijack the victim’s email conversations and send phony replies from bogus accounts. Malware attached to the messages is primed for a new set of targets automatically selected from the victim’s inbox, further spreading the infection.

Jackson, who has been county clerk less than a year, said she didn’t know who in the office clicked on the fake messages. She also said she has received little help from the county’s outside IT firm, BizProtec LLC. She said she noticed what appeared to be phishing emails on Monday, Sept. 14, and first alerted BizProtec the next day. By that afternoon, BizProtec called to assure her that it had fixed the problem by changing computer passwords for her and the rest of the office, which Hamilton County employees cannot do on their own. But the new passwords didn’t help. By noon this past Monday, a week after the attack began, her inbox had more than 35 suspicious emails — including one that appeared to be from the county judge and contained malware.

(Continued)
 