Hackers reportedly breached election systems in a third state, in addition to the already disclosed incidents involving Arizona and Illinois, during the 2016 campaign cycle. On Election Day 2016, a hacker successfully penetrated a server hosting Alaska’s main election website, the Anchorage Daily News reported on Monday night, citing documents obtained through a public records request. The breach is not connected to the previously reported hacking attempt made by Russia-linked hackers to access Alaska’s primary voter registration database. Alaska was one of 21 states that were previously informed by the Department of Homeland Security of similar Russian probing activity on their election systems. Security experts told ADN that, although the newly reported incident was a successful intrusion, the Alaska Division of Elections’ security measures appear to have prevented the attackers from changing content on the server.
ADN reports that the hacker exploited a vulnerability in the Alaska election website’s PHP script; PHP is a commonly used web development language. According to emails obtained by the Daily News, a fix for the vulnerability was published about a month prior to Election Day, but it was not properly applied. After discovering the incident, officials fixed the flaw within hours. Because of the Alaska Election Division’s multiple layers of security, the hacker was limited in the ability to change information, according to ADN. A separate system, which is typically isolated from the internet, is responsible for counting vote totals.
Researchers say the hacker was able to escalate privileges, “but that this stopped short of being able to write anything to the volume,” Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, told CyberScoop in an email. Hall reviewed the documents ADN obtained at the news outlet’s request.
“Reading the documents [ADN reporter Nathaniel Herz] got … it seems like this [virtual machine] was heavily restricted and just had the election results in an XML (data) file and a series of PHP scripts to display it, so there was not a lot on that particular machine that would have been juicy,” Hall explained.