The US Election Assistance Commission (EAC), tasked with making sure voting machines meet security standards, was breached by hackers after the November elections, a security agency working with law enforcement on the incident said.
Executives at Recorded Future said the security firm was monitoring underground electronic markets where hackers sell and purchase wares and discovered someone selling log-in credentials to access computers at the EAC, Reuters reports. The firm's researchers posed as a potential buyer and spoke to a Russian-speaking hacker who was peddling the credentials.
Levi Gundert, vice president of intelligence at the company, and Andrei Barysevich, director of advanced collection, told Reuters that the hacker obtained the credentials of more than 100 people at the election commission after exploiting a common database vulnerability.
"The breach appeared to include ... some with the highest administrative privileges," Recorded Future said in a blog post. "These administrative accounts could potentially be used to access sensitive information as well as surreptitiously modify or plant malware on the EAC site, effectively staging a watering hole attack utilising an official government resource."
The researchers said the hacker was attempting to sell the information about the vulnerability to a Middle Eastern government for several thousand dollars. However, Recorded Future alerted law enforcement, leading to the hole being patched.
In a statement late Thursday (15 December), the EAC said it had become aware of a "potential intrusion" and was "working with federal law enforcement agencies to investigate the potential breach and its effects." The statement said that the FBI is conducting an ongoing criminal investigation on the matter.
According to Reuters, the hacker had an unusual business model of scanning for ways to infiltrate into different businesses and then selling that access instead of stealing the data himself. "We don't think he actually works for any government or is super sophisticated," Barysevich said.
The hacker claimed to be accessing the EAC system via an unmatched SQL injection (SQLi) vulnerability. An SQL injection is a well known and preventable flaw, noted Reuters. The hacker was able to gain access to non-public reports on flaws in voting machines.
Matt Blaze, an electronic voting expert and professor at the University of Pennsylvania, said that in theory an individual could use the knowledge of such flaws to target specific machines. Reuters noted that the voting process in the US is decentralised and there were no reports of widespread fraud in the November presidential election.