In any other year, hackers breaking into a couple of state government websites through common web vulnerabilities would hardly raise a blip on the cybersecurity community’s radar. But in this strange and digitally fraught election season, the breach of two state board of election websites not only merits an FBI warning—it might just rise to the level of an international incident. On Monday, an FBI alert surfaced warning state boards of election to take precautions against hackers after two election board websites were breached in recent months. According to Yahoo News, those breaches likely targeted Arizona and Illinois board of election sites, both of which admitted earlier this summer that they’d been hacked. Cybersecurity researchers are already speculating that the attacks link to Russia, pointing to the string of recent, likely Russian attacks that have hit the Democratic National Committee and the Clinton campaign. “Someone is trying to hack these databases, and they succeeded in exfiltrating data, which is significant in itself,” says Thomas Rid, a cybersecurity-focused professor in the War Studies department at King’s College of London and author of Rise of the Machines. “In the context of all the other attempts to interfere with this election, it’s a big deal.”
In its warning sent to state-level election boards, the FBI described an attack on at least one of those two election websites as using a technique called SQL injection. It’s a common trick: the attacker types database commands into a web form field that is only meant to receive ordinary data, and because the site pastes that input straight into its own database query, the backend executes the commands, sometimes giving the attacker unintended access to the site’s server. In this case, it seems to have allowed the hackers to steal 200,000 voter records from the Illinois board of elections, and to cause the Illinois board to close registration for ten days.
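The data-versus-command confusion described above, shown as an added example that is not code from the article or from either state’s systems: a lookup built by string concatenation beside the parameterized form, run against a constructed in-memory table (the voter names and IDs are made up).

```python
import sqlite3

# Constructed sample rows standing in for a voter-registration table; not real records.
SAMPLE_VOTERS = [
    ("Alice Example", "12345"),
    ("Pat O'Brien", "67890"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (name TEXT, voter_id TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?)", SAMPLE_VOTERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Injectable pattern: the form input is pasted into the SQL text, so the
    database parser reads it as part of the command rather than as a value."""
    query = "SELECT voter_id FROM voters WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the SQL text is fixed and the input is bound as a
    parameter, so whatever it contains is only ever compared as data."""
    query = "SELECT voter_id FROM voters WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(name: str) -> tuple:
    """Run both lookups for one name and return (concatenated outcome, parameterized result).

    A name containing a quote character is where the two diverge: the concatenated
    query breaks because the quote changes the command, while the bound parameter
    still matches the stored row. The same flaw that breaks on "O'Brien" is what
    lets crafted input rewrite the query."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    param = lookup_parameterized(conn, name)
    conn.close()
    return concat, param
```

Database syntax errors surfacing from web form submissions are a cheap signal that a query is being built from raw input; grepping the code base for SQL strings assembled with `+` or f-strings finds the same pattern before anyone else does.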
The use of that common SQL injection vulnerability hardly signals the involvement of sophisticated state-sponsored hackers, much less specifically Russian ones. But the security firm ThreatConnect, which has been investigating IP addresses that the FBI said were associated with the attacks, has found a few still-murky clues that point in Russia’s direction. ThreatConnect found that one of the IP addresses named by the FBI mapped in 2015 to Rubro.biz, a Russian-language website it describes as a cybercriminal black market. (However, WIRED found that the IP address now points to a website appearing to be associated with the Turkish AKP political party. This, too, could be a red herring, as neither WIRED nor ThreatConnect has yet confirmed the legitimacy of that apparently Turkish website.) And the VPN used by the attackers appears to have been King Servers, the firm says, a service with a Russian-language website.
“There are elements to suggest there are Russian fingerprints on this,” says Rich Barger, ThreatConnect’s director of threat intelligence. But he cautions that the firm’s research is “very nascent. We’re still working on it.”