A top secret NSA report on the actions of the Russian hackers on the eve of elections in 2016

Russian military intelligence has carried out a cyber attack against at least one software provider for the us elections and on the eve of November’s presidential election, sent out targeted phishing messages more than 100 officials from the electoral system. This is stated in a secret intelligence report obtained by The Intercept.

In a top secret document the national security Agency, which was submitted anonymously and The Intercept was independently tested for authenticity, analyzed the Agency receives the latest intelligence on which lasted several months, cyberspace operations of the Russian intelligence, the purpose of which was infrastructure, organizing elections and the voting process in the United States. This report dated may 5, 2017 is the most detailed for today the document of the American government about the Russian intervention in elections.

The report gives a rare opportunity to understand the technical side of the Russian hacker action, but it is not shown, the source of the intelligence data on which analysis is built. Refused to give his name an employee of us intelligence has warned that we should not draw far-reaching conclusions from this document, because only one analysis is unlikely to be exhaustive and final.

The report shows that Russian hackers may have infiltrated into the American system of voting is much deeper than previously thought. In summary, the report clearly stated, as described in the document of cyber attacks carried out by Russian military intelligence, namely the Main intelligence Directorate of the General Staff (GRU).

Employees of the Main intelligence Directorate of the Russian General Staff… in August 2016 carry out espionage against an American company, apparently with the purpose of obtaining information about software and hardware relevant to the election…. These employees could use the obtained in the result of the operation, data… to carry out targeted phishing fraud against local government bodies of the USA in order to obtain the registration information of the electors.

These findings are from a document the NSA are in complete contradiction with the sounded last week by the statements of Russian President Vladimir Putin that Russia does not interfere in foreign elections. “At the state level we have never done it, that’s what is most important,” said Putin, who previously played with denials of Russian intervention. This time the President first admitted the possibility that the responsibility for this can carry independent Russian hackers “Patriotic feelings”. In the report the NSA, by contrast, clearly indicated that a cyber attack carried out GRU.

In the analysis the NSA made no findings about how did the intervention impact on the outcome of the vote. The authors admit that over the scope of the activities and achievements of hackers much remains unknown. However, the report shows that Russian hackers through their actions could crack at least some elements of the system for voting, although the results of such actions are uncertain.

The authors in the preparation contacted with the NSA and office of the Director of National intelligence. Representatives of these agencies demanded that we not publish this top-secret document and did not report it, and also refused to comment on it. When we informed them that still intend to publish the material, the NSA has asked about making some changes. The editors of the Intercept agreed, with certain requirements, when they came to the conclusion that the disclosure of this material is clearly not in the public interest.

The report adds some very important details to the overall picture that emerged from an unclassified intelligence assessment of the Russian intervention in elections, published by the Obama administration in January. In the January document presents the conclusions of the us intelligence community, but omitted many specific details of what was done because of concerns about the disclosure of sensitive sources and methods. In the evaluation with a high degree of confidence, it is concluded that the Kremlin has ordered to conduct a large-scale and multipurpose awareness campaign to “undermine public confidence in democratic processes in the United States to discredit Secretary Clinton, and also lower her chances of being elected President.”

This assessment does not attempt to analyse the impact of effort on the elections, although “the Russian security services received and supported access to various elements of the American electoral bodies at the state level and on the ground.” As noted by the Ministry of national security, this assessment sounded soothing statement: “Those systems that were targeted Russian action to influence them or bring them down, have nothing to do with counting of votes”.

But now the NSA had managed to learn that Russian hackers acting on behalf of the state and were part of the team, “whose mission was to cyber-espionage aimed at the elections in the United States and in other countries,” focused on those elements of the system that are directly associated with the registration of voters.” Among them was private device manufacturer, leading and checking the lists of voter registration. In advertising certain devices, this company says they can connect via wifi and Bluetooth, which are the perfect starting point for further malicious actions.

The targeted phishing attack

As stated in a secret report of the NSA, the Russian plan was very simple: to introduce merchant systems electronic voting and cunning to persuade local government officials to open Microsoft Word documents, quietly infected with a powerful cracking software. As a result of such actions of hackers could completely control infected computers.

But in order to mislead local officials, hackers needed access to internal systems dealer software election process because it gave them a very convincing cover-up and disguise. Therefore, as reported in NSA report, 24 August 2016 Russian hackers sent employees to an unnamed American company producing programmes for the election of fake emails, supposedly from Google. Directly in the document, the company is not known, but it has a link to the product Florida company VR Systems, which provides electronic voting and sells equipment used in eight States.

In phishing messages was a link directing employees to a malicious web site, ostensibly owned by Google. This website requested information for logins and passwords, and then passed it to remote hackers. The NSA has set up seven “potential victims” of such actions among employees. The mail server missed three malicious messages, but at least one account of the employee could be infected, concluded the Agency. The NSA in its report notes: “it is Unknown whether the intruders by the above-mentioned target of phishing to hack email all intended victims, and what data was able to withdraw”.

VR Systems refused a request to comment on incident in the course of the particular hacking operation, as outlined in the NSA document. CEO Ben Martin (Ben Martin) in response to a request from The Intercept to comment made the following statement:

Phishing and spear phishing is a common occurrence in our industry. We regularly participate in cyber alliances with state bodies and representatives of the law enforcement system to combat threats of this type. We have appropriate rules and procedures for the protection of our customers and the company.

The NSA report stated that VR Systems had been broken only in order to steal logins and not for the introduction of malicious programs to control other people’s computers. But it is unlikely someone reassure. The founder of the company computer security Infosec Rendition Jake Williams (Jake Williams), who previously worked in the group of hackers to the NSA for operational penetration into computer networks of the enemy, said the theft of usernames can be even more dangerous than the infected computer. “The data I’d received mostly using malware because using usernames of the employees you can enter in a virtual enterprise network, to email, to cloud services,” he said. This provides access to internal corporate information. The risk is increased manyfold due to the fact that people often use the same password in multiple services. Phishing, which translates as “fishing”, does not require that all of the victims grabbed the bait, although Williams stresses that hackers are never limited to one set of stolen data.”

In any case, the hackers apparently got what they needed. Two months passed, and on October 27 they started the “operational” account in Gmail, which was similar to Inbox one of the staff of VR Systems. Use documents obtained during the previous operation, and this was done in order to start a second operation target of phishing attacks targeting local government agencies in the USA. These email messages contained a Microsoft Word document that was infected in such a way that when opened they give the signal created by hackers “malicious infrastructure.”

According to estimates by the NSA, this phase of the operation targeted phishing could start on 31 October or 1 November. Then phishing messages were sent on the 122 locations “associated with the named local authorities”. Obviously they were sent to the officials “involved in the system of voter registration”. In the mail was the application in Microsoft Word format, which supposedly contained useful documentation for the product line VR Systems with databases of voters EViD. But really, was embedded malicious automated command that takes effect instantly and seamlessly whenever a user opens a document. These infected files were used scripting language, Microsoft PowerShell is designed for system administrators and is installed by default on Windows computers that allowed hackers to control the settings and functions of the system. In the case of opening the files they could give the infected computer a command to start background loading the second batch of malware from a remote server controlled by hackers. In a secret report says that it gave the attacking “sustainable access” to a computer or the ability “to learn victims on the subject of information of interest”. In fact, weaponized Word document, softly unlocks and opens the back door of the victim, allowing subsequently automatically deliver to her any cocktail of malware.

According to Williams, if successful, this kind of attack, hackers have unlimited opportunity to steal that information of interest. “As soon as the user opens the email, (application), explained Williams, the attacker gains the same opportunity, what has the user. Senior Manager, research group security Symantec, Vikram Thakur (Vikram Thakur) told The Intercept that in such cases “the amount of stolen data may be limited only by control measures taken by network administrators”. The theft of data of this type are usually encrypted and therefore, he who observes the infected network, does not see what is removed, but can definitely say that the network is something going on, added Williams. In General, this method of “average complexity,” said Williams, and they can use “almost any hacker”.

However, the NSA knows for sure what the results of the attack, the report said. “It is not known whether the above target of phishing to hack the computer of the chosen victim, and which data you can access the organizer of the attack,” the Agency said.

The FBI declined to comment about whether it is a criminal investigation of cyberattacks against VR Systems.

Giving in December press conference, President Obama said that in September, he said Russian President Vladimir Putin on the inadmissibility of hacker break-ins of the American electoral infrastructure. “In particular, I was concerned that the hacker attack on the national Committee of the Democratic party can be exacerbated by other hacker hacking that could prevent the counting of votes and affect the electoral process, Obama said. — Therefore, in early September, when I met with President Putin in China, I have a feeling that the most effective way to prevent this is to directly speak with him and tell him to stop such activities, as otherwise there will be serious consequences. And we subsequently saw no interference in the electoral process.”

Now, however, the NSA revealed that such interference continued. “The concern is that all this happened in October — said the head of one of law enforcement with significant experience in the cyber sphere. — In August, the FBI and the Department of homeland security has warned these agencies. This was not a surprise. To guard against this was easy. But this requires a budget allocation and due consideration.”

In the NSA document briefly describes the other two operations, intervention in the elections with the participation of Russian hackers. In one case, the Russian military hackers got your email address, pretending to be another American company on the organization of elections. In the document it is named “the American company № 2”. With this address, they started sending fake verification email, offering “election-related products and services.” The NSA was not able to determine whether this ‘ some targeted attacks.

During the third meeting with the same group of hackers sent out a test e-mail message to the addresses of the electoral Commission in American Samoa. Presumably, this was done to test for the existence of these addresses. This was followed by another phishing attack. It is unclear what was her result, but the evaluation of the NSA, the Russians persistently tried “to imitate the service provider for the count refused to participate in elections.” The report does not indicate why the Russians had chosen as a target of the tiny island in the Pacific ocean, where very few voters, and they are not able to somehow affect the outcome of the vote.

A tempting target

To draw attention to budget allocations for security for the election is required to solve a political mystery. “Our problem is that security for the elections is irrelevant, until something happens. And when something happens, there is a group of people who don’t need security because no matter what happens, it is good, — said the expert on cyber security Bruce Schneier (Bruce Schneier) working in the Berkman Center at Harvard University and often writing about the security problems of the American electoral system. — So the security issue is very serious, unlike your Bank account”.

According to Schneier, the NSA described the attack this is the standard hacking procedure. “Identity theft, spear phishing — what it is, he says. — After winning the springboard, you start to think about how to get somewhere”.

All this means that you need to understand how important voter registration system for our voting system, and how the hacking affects the reliability of the result.

Company VR Systems does not sell voting machines with touch screens. It sells software and devices, checking and bringing in the voting lists of who is allowed to vote when they come to the polls on voting day or vote early. Companies such as VR Systems are very important because “the current system of registration is Central to American elections,” — explains the Deputy Director of the Brennan Center at the law faculty of new York University’s Lawrence Norden (Lawrence Norden). According to him, the sellers of the type of VR Systems are especially important in the electoral commissions “often there are no experts for information technology”, therefore “these sellers also provide most IT services, working through the programming and cybersecurity”. These are the people that should be inaccessible to the hacking forces of a hostile country.

On the website of VR Systems reported that the company has contracts in eight States: California, Florida, Illinois, Indiana, new York, North Carolina, Virginia and West Virginia.

The President of the organization for election observation Verified Voting Pamela Smith (Pamela Smith) agree that although VR Systems do not organize the vote, it still is a tempting target for those who set out to disrupt the elections.

“If someone has a database of voters in the state, it can take any malicious action by modifying information or deleting it, she said. This may deprive some people of the opportunity to vote, or they would be required to vote “provisionally”. This means that they will check on eligibility to vote, and then will be included in the voter lists. In addition, in some cases, the voter will have to overcome additional obstacles, for example, to provide information to the official from the electoral Commission before it confirms the legitimacy of the voter”.

Consultant for digital security mark of Graft (Mark Graff), who previously worked as head of security at Lawrence Livermore national laboratory, called this hypothetical tactics “in fact, network attack” against the voters. According to Graft, there is a more worrying prospect, which consists in the fact that hackers can choose as a target a company like VR Systems to get as close as possible to the actual counting process. Attempting to directly hack the voting machines or to make changes will be noticeable, and therefore more dangerous than hacking related and less visible components of the voting system, such as databases for voter registration. In this case, the emphasis is on the fact that such bases are consolidated into one common network. Of course, VR Systems strongly promotes the fact that its line of equipment EViD connected to the Internet, and that on election day, “the history of voting is immediately transferred to the County database”, and this is done continuously. Thus, computer attack can be quickly and quietly distributed through the network system components like microbes transmitted through a handshake.

According to the Director of the Center for computer security and society at the University of Michigan Alex Halderman (Alex Halderman) who is an expert on electronic voting, one of the Central problems of the scenario described in the NSA document, is that e-books for the counting of votes are made by those who program the voting machines. Real voting machines not connected to networks such as EViD, but they are updated manually, and the system settings are carried out by people at the local level or at the state level, which may responsible for the first and for the second. If malware GRU will be targeted against these people, the consequences can be quite serious and disturbing.

“Usually at the County level there is some company that before the election programs of the voting machines, told, Halderman edition of the Intercept. — I am concerned that a hacker capable of hacking e-books for the counting of votes, can take advantage of software updates being implemented by the seller to infect the system management of the electoral process, which programs the machines for voting. By doing this, you can force the machine to carry out fraud during the counting of votes”.

According to Schneier, the main prize from hacking VR Systems is the ability to collect sufficient information to effectively carry out false attacks against electoral workers. If a fake email accompanied by an official permit from the chief contractor of the electoral Commission, it looks more authentic.

Such hacking may be the basis for further subversive actions. One employee of the American special services once admitted that the NSA described the Russian operation against the software of voter registration, may the idea cause of failure of elections in areas where products are used VR Systems. A hacked system the counting of votes not only can lead to chaos on the voting day, says Halderman. “This can be done selectively in some areas where the voting preference for a specific candidate, influencing their preferences”.

The Russian tactics of influence on the American presidential election faced challenges because the Federal election system is decentralized, and the processes of voting and counting of votes differ not only from state to state but from district to district. Meanwhile, the electoral College complicates predictions about where efforts should focus.

“To influence the election of the hacking methods is difficult, and not because of the technology, counterfeit which is quite simple. Hard to know what will be effective, says Schneier. — If you look at previous elections, in 2000, Florida decided, in 2004, the Ohio, and in the last election a couple of districts in Michigan and Pennsylvania. So to understand where to implement the hack is very, very difficult.”


But the decentralized system has its vulnerabilities. There is no strong Central government, which supervises the electoral process and for the procurement of hardware and software for voting. Similarly, there is no effective control at the national level for voter registration, maintenance of voting lists and the vote count. There is no single body responsible for the security of the elections. Official representative of the Federal election Commission Christian Hilland (Christian Hilland) told The Intercept that the question of voting, as well as the software and hardware of the election are not included in the purview of the Commission. “Does the Commission support of the election of the United States, you can ask them,” he said.

To ask the Commission ensure that the election was not so easy. It was established in 2002 as the response of Congress to the disaster with the counting of votes. On its website, the Commission notes that its task is to “work as a national focal point for informing of the election administration. Commission for the support of the election also gives the accreditation of testing laboratories and certifies voting systems”. But she has no real power and something like a stagnant swamp. If you click the link to certification systems for voting, it will lead you to a dead page.

If the United States existed, the Central electoral body, he could initiate an investigation of that election day happened in Durham, North Carolina. The registration system failed in a number of polling stations, which caused chaos and led to long queues. In this regard, the members of the election Commission was forced to switch to paper ballots, but the vote was delayed until late in the evening.

A list of voter registration was conducted by the company VR Systems — the one that hacked Russian hackers, as outlined in the NSA document.

Local officials said that the crash was not caused by hacker attack. “The Commission for monitoring the elections in North Carolina have not detected any suspicious activity in the elections of 2016, which would be beyond the scope of what usually happens in the electoral process at other times. For any potential risks and vulnerabilities is continuously monitored, and the Commission is working in collaboration with the Ministry of national security and the information technology Department of North Carolina, helping to eliminate any possible risks,” — said the press-Secretary of the Commission for monitoring the elections in the state of North Carolina Patrick Gannon (Patrick Gannon).

Deputy Director, Supervisory Commission of the County of Durham George McCue (George McCue) also noted that programs VR Systems is no problem. “There were carried out some investigation and it has revealed virtually no indications for product defects, he said. — It seems that was user error at different stages of the process from setting up computers to use of their workers of electoral bodies”.

Taken together, this raises the stakes in the ongoing investigation for possible collusion between the headquarters of the trump and Russian representatives, promising greater attention to the hearings in Congress this week to testify dismissed FBI Director James Comey. If the fact of collusion will eventually be proven (at the moment this is a very big “if”), it turns out that Russia in its actions went much further alleged email hacks in the interests of their propaganda campaign. It will be an attack on the very infrastructure of the American elections.

But to what conclusion came the investigators are studying the circumstances of the action headquarters of the trump, this is nothing compared to the threat to the legitimacy of the American elections in case it is impossible to ensure protection of infrastructure. “The withdrawal of the NSA demonstrates that countries examine specific tactics of electoral manipulation and we need to be vigilant in defence, said Schneier. — The elections have a dual purpose: to choose the winner and convince the loser. If the election is not protected from hacker break-ins, there are doubts about the legitimacy of the voting process, even if the actual hacking in this case”.

Throughout the history of the transfer of power has always been a time of a serious weakening of society, leading to terrible bloodshed. The peaceful transfer of power is one of the greatest inventions of democracy.

“Elections must not only be honest, they should be clearly and unfailingly honest, to the loser said, “Yes, I lost, but it was a fair and honest fight,” said Schneier. But he would not calm down, if it is sure that the elections were not fair and correct.”