Update 12:15 p.m. Miami-Dade County spokesperson Mike Hernandez says the county has no record of receiving a phishing email or a breach. "The Miami-Dade County Information Technology Department has searched its email archive back to April 2014 and has no records of emails being received by the County," Hernandez says. "Miami-Dade County has received no breach notifications from any federal, state or local law enforcement agencies or breach notifications from county vendors."
Update 1:30: VR Systems confirms that it was hacked, but says it has no indications any election systems were infected with malware as a result.
A few weeks before the November 2016 election, all 67 county elections supervisors in Florida got a call from the FBI with a warning: Hackers were trying to break into their voting systems. The FBI insisted no one had been hacked yet, but told supervisors they needed to be wary.
They might not have been careful enough. The Intercept posted leaked NSA documents online last night that suggest Russian hackers did, in fact, break into the Tallahassee company that provides voting technology to most Florida counties, including Miami and Broward. And those same hackers used that connection to send phishing emails to more than 100 local officials just days before the vote, the docs show.
There's no suggestion in the NSA docs that the hackers wormed their way into Miami-Dade's or Broward's voting equipment. But in light of the fact that the hack targeted the same company that was investigated after accidentally posting results early in Broward during the August primaries, the NSA's intel raises new questions about Florida's security in the face of Russian attacks.
The Intercept's story is based on top-secret NSA documents dated May 5. The alleged leaker, incidentally, was charged by federal officials soon after the story was released, apparently after the Intercept failed to hide telling printer dots on the documents it had received. (Yes, it is notable that so far the only person charged over widespread Russian hacking attempts is someone who alerted the media to those hacking attempts.)
The company at the center of the report is VR Systems, a Tallahassee firm that provides elections technology in eight states and to 58 of Florida's 67 counties. Miami-Dade has contracted with VR Systems since 2007, according to county records, and had a $600,000 deal with the firm to provide a Voter Registration System through November, with a $3.9 million option to continue the deal through 2020.
The company had some notable wobbles last year, most visibly during the August primaries in Broward. Vote totals in that county were posted online a half-hour before polls closed, which is illegal under state law. Other errors led to late and sporadic reporting in several other counties.
A probe into the early posting was launched in Broward, but investigators decided the error was simply an accident. "A staff member of ours inadvertently created a link that was a preview of the election results that were not intended to be public," VR's CEO Mindy Perkins told the Sun Sentinel.
But that same month, the newly leaked NSA report shows, Russian military intelligence broke into VR Systems.
"Russian General Staff Main Intelligence Directorate actors... executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions," the report says. "The actors likely used data obtained from that operation to... launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations."
Though VR Systems isn't named directly in the report, the Intercept says the NSA clearly names products made by the Tallahassee company. (A VR Systems spokesperson didn't immediately respond to a message from New Times.)
According to the NSA, the Russians duped up to seven employees at the company into going to a fake Google website and entering their credentials, which the hackers could then use to access company documents.
Then, in late October, those same hackers used the info they'd stolen from VR Systems to set up a fake Gmail account from the company, which they used to send malware-infected Microsoft Word docs to more than 100 elections supervisors around the United States.
It's not clear whether Miami-Dade or Broward elections officials were targeted by that phase of the attack. Neither department returned calls from New Times this morning.
But if any elections officials fell for the fake Gmail account and opened the infected Word document, the Russian hackers would have had almost unlimited access to the officials' computer systems. It's not hard to envision a scenario when that kind of access could have led to direct tampering with vote results. But the NSA doesn't know if that happened.
“It is unknown,” the NSA document says, “whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”
Update: VR Systems sent New Times a statement on the hacking:
“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result. Phishing and spear-phishing are not uncommon in our society. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company. It is also important to note that none of our products perform the function of ballot marking, or tabulation of marked ballots.”