Just days before the 2016 presidential election, hackers identified by the National Security Agency as working for Russia attempted to breach American voting systems. Among their specific targets were the computers of state voting officials, which they had hoped to compromise with malware-laden emails, according to an intelligence report published previously by The Intercept. Now we know what those emails looked like. An image of the malicious email, provided to The Intercept in response to a public records request in North Carolina, reveals precisely how hackers, who the NSA believed were working for Russian military intelligence, impersonated a Florida-based e-voting vendor and attempted to trick its customers into opening malware-packed Microsoft Word files.
The screenshot, shown below, confirms NSA reporting that the email purported to originate from the vendor, Tallahassee-based VR Systems, but was sent from a Gmail account, which could have easily tricked less scrupulous users. “Emails from VR Systems will never come from an ‘@gmail.com’ email address,” the company warned in a November 1, 2016, security alert, which included the reproduction of the GRU email.
The specific Gmail address shown in the message, firstname.lastname@example.org, matches an address cited in the NSA report as having been created by Russian government hackers, although in the NSA report the address was rendered with a period, as “email@example.com.” The timing of VR Systems’ security alert is also in line with the NSA’s reporting, which indicated that the email attack occurred on either October 31 or November 1 of 2016. The original classified NSA document contained intelligence assessments, but omitted any raw signals intelligence used to form those assessments.