A Florida-based maker of voter registration software says it has proof that neither its employees’ email accounts nor its systems were penetrated in a Russian cyberattack in 2016 — an attack that could have allowed hackers to prevent voters from casting ballots during the presidential election if successful.
The company, VR Systems, said in a letter to Sen. Ron Wyden (D-Ore.) this month that an analysis by a cybersecurity firm found that it had not been breached, despite allegations to the contrary in special counsel Robert Mueller’s report on Russian election interference.
Mueller’s report said Russian hackers installed malware on the network of an unnamed voting technology company. A leaked National Security Agency document published by The Intercept contained details that indicate VR Systems was the most likely victim. Furthermore, in its letter to Wyden, the company admits to receiving so-called “spearphishing emails” in 2016.
In the letter, VR Systems responded to questions from the senator about whether computer forensic experts or a government agency had examined the company’s computers and networks after the phishing campaign occurred.
POLITICO learned independently that VR Systems hired FireEye to conduct the examination.
But in a twist that Wyden suggested was alarming, the company said in its letter to the senator that it didn’t hire FireEye until 10 months after it received the malicious Russian emails.
“[I]t appears that it took nearly a year for experts to examine the company’s computers to determine the extent of any Russian hacking,” Wyden told POLITICO in a written statement. “That may have been long after evidence of hacking had disappeared.”
VR Systems says the investigation found no evidence of a breach, and that a subsequent investigation by the Department of Homeland Security a year later in 2018 also found no malware on its network. The company, however, would not provide Wyden a copy of the FireEye report, nor would it show the report to POLITICO.
“[I]t is simply unacceptable that VR Systems is stonewalling Congressional oversight by refusing to provide my office with the report produced as part of its external security audit of its systems from 2017,” Wyden told POLITICO. “Following the unprecedented attack on our elections, Congress needs to see all the evidence of what happened in 2016 to make sure we do everything possible to prevent another successful attack in the future.”
VR Systems sells software and electronic “poll books” containing voter registration records that are used throughout Florida and in seven other states. Its EViD poll books are used to check voters in at the polls and determine if they’re registered and eligible to cast a ballot.
The Mueller report noted that the FBI believes a malicious email campaign did successfully allow the attackers to breach at least one employee email account at a company fitting VR Systems’ description and to install malware on its network. That report did not identify VR Systems by name.
But there’s one problem with the FBI assessment cited by Mueller: It’s not clear the FBI ever conducted a forensic investigation of VR Systems’ network to determine if the phishing attack succeeded.
The FBI has refused to confirm or deny that it conducted a forensic investigation of VR Systems, saying the Russian hacking operation is still part of an ongoing criminal investigation.