NSA Leak confirms route of Russian hacking in virus transmission to election systems

The importance of the National Security Agency (“NSA”) leaked documents cannot be overstated. I have been writing about voter registration and election system hacking in the 2016 Primary and General Election for several months now and have surveyed the following states related to these issues: Arizona, Alabama, Alaska, California, Colorado, Connecticut, Florida’s primary election, Florida’s general election, Georgia, Hawaii, Idaho, Illinois, and Indiana. In many of these states, we have found evidence which matches up with this prior analysis and helps to answer some unanswered questions. The above states help point to the likely route of transmission from the source of the hacking to the voting machines themselves. There is only one final piece which needs to be conducted, and this is a forensic analysis of the machines. Brent Turner, Secretary of the National Association of Voting Officials (“NAVO”), has already asked for a forensic analysis from all 50 states; however, no state has yet permitted NAVO to conduct such an analysis.

Route of Virus Transmission

The importance of the NSA document is that it provides proof of actual malicious virus infiltration into the voting systems, beginning at the vendor level. The document explains that the Russian General Staff Main Intelligence Directorate (a Russian military unit) attempted to and successfully infiltrated an election systems company using phishing emails. VR Systems, an election systems vendor, is mentioned, but not identified as the hacked company in the NSA document. VR Systems is based in Tallahassee, Florida and operates in California, Florida, Illinois, Indiana, New York, North Carolina, Virginia, and West Virginia.

VR Systems released the following statement in response to requests for comment by the media:

Phishing YouTube Video

Infection of the election vendor’s computer system was accomplished by users opening emails which contained Word documents with viruses embedded in them. Once opened, the virus extracted itself and was powerful enough to give Total Access to whoever was doing the hacking. The entire process is described below:

After this was accomplished, hackers obtained over 120 email addresses for various election officials. It is not clear which election officials are affected. Wayne County, Indiana Clerk Debra Berry explained that she received information from VR Systems that Florida was the primary target; however, this has not stopped other election officials in different states from conducting an analysis. Currently, there is an ongoing analysis of the election systems in various counties throughout the U.S.
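The infection path described above starts with a Word attachment carrying an embedded macro payload. As an added example (not code from the original post or from VR Systems), the following Python script shows one check a mail gateway or an election office's IT staff can run on incoming messages: it parses a raw email, and flags attachments whose extension is macro-capable, whose bytes are a legacy OLE container, or whose OOXML zip contains a `vbaProject.bin` entry even when the file has been renamed to a harmless-looking `.docx`. The sample message, its sender and recipient addresses, and the attachment contents are all constructed here and are not from the leaked document.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Office extensions that can carry VBA macros, either macro-enabled OOXML or legacy binary formats
MACRO_CAPABLE_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".dot", ".xls", ".ppt"}
# Magic bytes of the legacy OLE2 compound document container (.doc/.xls/.ppt)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_vba(data: bytes) -> bool:
    """Return True if an OOXML (zip-based) payload contains an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and report attachments that can carry macros."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        reasons = []
        if ext in MACRO_CAPABLE_EXT:
            reasons.append("macro-capable extension")
        if data.startswith(OLE_MAGIC):
            reasons.append("legacy OLE container (may hold VBA)")
        if data[:2] == b"PK" and ooxml_has_vba(data):
            reasons.append("OOXML with vbaProject.bin")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def _make_zip(entries: dict) -> bytes:
    """Build a minimal zip (stand-in for an OOXML document) from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed sample: one macro-enabled .docm, one clean .docx, one macro doc renamed to .docx."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "clerk@county.example.test"
    msg["Subject"] = "Updated voter list (constructed sample)"
    msg.set_content("Please see the attached documents.")
    skeleton = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    macro_doc = _make_zip({**skeleton, "word/vbaProject.bin": b"\x00" * 16})
    plain_doc = _make_zip(skeleton)
    msg.add_attachment(macro_doc, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Voter_List.docm")
    msg.add_attachment(plain_doc, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Agenda.docx")
    msg.add_attachment(macro_doc, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Notes.docx")
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_message(build_sample_email()):
        print(finding["filename"], "->", ", ".join(finding["reasons"]))
```

The content-based check matters more than the extension check: the third attachment is flagged only because its zip contains a VBA project, which is exactly the case a filename filter misses.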

There is no specific documentation other than Clerk Berry’s statement which explains where these election officials were located or whether the leaked document describes an event limited to a particular geographic location. There is also no mention of how many election officials were actually affected by the virus. It is important to note, however, that if any election official were infected, it could result in Total Access to their computer. Considering the scope of the operation and historical analysis of Russian hacking, it is likely that the attack was not limited to one election systems vendor but rather involved extensive use of bot networks, which could send out numerous requests. The NSA document explains that the Word document sends out a beacon when a computer is infected, most likely so a real human user can access the computer itself.
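The beacon mentioned above is also where a defender can look: an implant that checks in with its operator tends to connect to the same destination at a nearly fixed interval, which stands out against ordinary browsing. As an added example (not from the original post or the NSA document), this Python script groups outbound connections from proxy logs by source and destination, measures the spacing between connections, and flags pairs whose intervals are almost constant. The log format, hosts, and timestamps are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_line(line: str):
    """Constructed proxy log format: '<ISO timestamp> <src ip> <dst ip> <dst port> <method>'."""
    ts, src, dst, port, _method = line.split()
    return datetime.fromisoformat(ts), src, f"{dst}:{port}"


def find_beacons(lines, min_hits: int = 6, max_cv: float = 0.2) -> list:
    """Flag src->dst pairs with at least min_hits connections whose inter-arrival
    times have a coefficient of variation (stddev / mean) at or below max_cv."""
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)

    results = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "hits": len(ts_list),
                            "period_s": round(avg), "cv": round(cv, 3)})
    return results


def build_sample_log() -> list:
    """Constructed sample: one host beaconing every ~300 s with small jitter,
    plus irregular ordinary web traffic from the same host."""
    base = datetime(2017, 6, 5, 9, 0, 0)
    lines = []
    jitter = [0, 3, -2, 4, -4, 1, -1, 2]
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t.isoformat()} 10.1.2.3 198.51.100.7 443 POST")
    for offset in [0, 17, 20, 190, 205, 900, 1210]:
        t = base + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 10.1.2.3 203.0.113.10 80 GET")
    return lines


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} hits, ~{hit['period_s']}s period, cv={hit['cv']}")
```

Legitimate software also polls on a schedule (update checks, mail clients), so a hit from this script is a lead to triage against the destination's reputation and the host's expected software, not a verdict on its own.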

DDOS/Bot Networks

DDOS attacks are those which overwhelm a computer with repeated requests until the server or computer shuts down. Bot networks can infiltrate massive numbers of servers and computers across many networks. The hacking tools discussed above had the ability to both bypass firewalls and inject malicious viruses everywhere. These tools could have been used to hit many different servers and computers across the country where election workers were unwittingly harboring a virus.


From Election Official Computers to Voting Machines

What makes this highly concerning is that if a hacker were to have complete access to the election system as an administrator, they could easily implant a virus on that computer which could reprogram the voting machines before the election, for example through removable media (such as a USB stick) carrying the virus, so that vote counts could be changed at some point.

There is no need for voting machines to be connected to the internet to get infected. Andrew Appel, a computer scientist at Princeton University, explains:

“To hack a voting machine remotely, you might think it has to be plugged in to the Internet.  Most voting machines are never plugged directly into the Internet.  But all voting machines must accept electronic input files from other computers: these “ballot definition files” tell the vote-counting program which candidates are on the ballot.

These files are transferred to the voting machine, before each election, by inserting a cartridge or memory card into the voting machine.  These cartridges are prepared on an Election Management System (EMS) computer.  If that computer is hacked, then it can prepare fraudulent ballot-definition cartridges.  Are those EMS computers ever connected to the Internet?  Most of them probably are…”

This could all happen without an election official’s knowledge. It is important to ask the question:

“Why would the Russians stop at the election official’s computer and not make a change to the actual vote count?”

There would be no benefit to going to the extreme length of setting everything up but stopping short of finishing the job. If anything, it is absolutely necessary for the forensic analysis of the voting machines to take place in order to maintain the integrity of our election system. For far too long the systems have been vulnerable to hacking.
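Appel's point is that the cartridge carries trust from the EMS to the voting machine, so a compromised EMS can write whatever it likes onto it. One mitigation a practitioner would want alongside the forensic analysis argued for above is to verify the cartridge contents against a digest manifest that is produced and held independently of the EMS (for example from the certified ballot definition at the state level). The following Python is an added example, not code from the original post or from any vendor or NAVO: it builds such a manifest from certified files and checks a cartridge for modified, missing, or unexpected files. The file names, the simplified ballot definition format, and the tampered cartridge are all constructed for the demonstration.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Digest of every file expected on the cartridge, computed from the certified copies.
    In practice this manifest is produced and distributed independently of the EMS."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_cartridge(cartridge: dict, manifest: dict) -> dict:
    """Compare the files actually on a cartridge (name -> bytes) with the manifest."""
    report = {"missing": [], "modified": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in cartridge:
            report["missing"].append(name)
        elif not hmac.compare_digest(sha256_hex(cartridge[name]), expected):
            report["modified"].append(name)
    report["unexpected"] = sorted(n for n in cartridge if n not in manifest)
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def _definition(candidates: list) -> bytes:
    """Constructed, simplified ballot definition: one contest with an ordered candidate list."""
    return json.dumps({"contest": "County Clerk", "candidates": candidates}, sort_keys=True).encode()


# Constructed certified files, as the independent custodian would hold them
CERTIFIED_FILES = {
    "ballot_definition.json": _definition(["Alice Example", "Bob Example"]),
    "precincts.csv": b"precinct_id,name\n1,Precinct 1\n2,Precinct 2\n",
}
CERTIFIED_MANIFEST = build_manifest(CERTIFIED_FILES)


def tampered_cartridge() -> dict:
    """Constructed: a cartridge whose ballot definition no longer matches the certified
    one and which carries an extra file the manifest does not list."""
    files = dict(CERTIFIED_FILES)
    files["ballot_definition.json"] = _definition(["Bob Example", "Alice Example"])
    files["update.bin"] = b"\x00unexpected"
    return files


if __name__ == "__main__":
    print("certified cartridge:", verify_cartridge(dict(CERTIFIED_FILES), CERTIFIED_MANIFEST))
    print("tampered cartridge: ", verify_cartridge(tampered_cartridge(), CERTIFIED_MANIFEST))
```

The check is only as strong as the manifest's independence: if the same compromised EMS also writes the manifest, it will simply rewrite both, which is why the digests have to come from outside the EMS and why a post-election hand count or forensic examination remains necessary.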

Additionally, some state contracts prevent people from conducting forensic analysis of the voting machines.

These are simply unacceptable results which need to change in order for people to be represented in a true democracy.

Leon County Florida Hacking Demonstration

In January of 2016, Dan Sinclare, a candidate for Leon County, Florida Elections Supervisor, and Dave Levin of Vanguard Cyber Security presented a short demonstration of how Levin was able to hack into the county election systems in Florida, finding numerous problems with the security of the system.

It was incredibly easy for Levin to get in and accomplish anything that the administrator was able to accomplish. He explained that “you be from Siberia and perform” the attack on the system. While Levin’s actions are considered by many to be white hat techniques, that did not deter his criminal prosecution for the act. He was later sentenced to 20 days in jail.

What’s important about this particular video is that it shows, in real time, how hackers likely would have used state election officials’ credentials in order to do whatever the administrator could have done in the systems. It is important to note that administrators had the responsibility of uploading and downloading candidate information, as well as results, to and from the administrator’s computer and the voting machines themselves. This is important because it demonstrates, again, the route of transmission of the virus to the vote count systems. If an election official’s computer used for these actions was compromised with this virus, the results could not be trusted.


Voter registration systems were extensively targeted throughout the country, as I have detailed in numerous reports. It is important to note that an attack on the voter registration systems is an attack on the vote count. In analyzing the NSA document reported above, it is important to note several issues in Arizona, starting before the primary, where voters were kicked off the rolls. Arizona Secretary of State Michele Reagan gave testimony accepting that there had been alterations of both Republican and Democrat party affiliations on the voter rolls — where they were changed to “No Party Preference.” Her testimony appeared genuinely concerned, shocked, and heartfelt. The results were truly disturbing.

Were these events related, or was this part of another Russian hacking attempt? Either answer is concerning. The breach itself caused the FBI to issue a Flash Alert, which was reported by Yahoo! on August 29, 2016, detailing a cyber analysis of the Arizona hacking incident.

It turns out that hackers were actually able to install malicious software, prompting the state to take the machines offline for nine days. It is also important to note that on January 10, 2017, local news reported that numerous lawmakers’ computers had been infected with malware, one characteristic of which was to bring up a screen in Russian.

Apparent Russian hacking

The fact that election officials’ and lawmakers’ systems were breached tends to lend credence to the fact that the most important systems were affected. This Arizona attack was previously identified as part of a phishing email infiltration. Because of the way that botnets work, it is important to point out that sending out queries to lawmakers’ and election officials’ computers, as well as the voting systems themselves, probably occurred widely throughout the country. Again, a transparent forensic analysis of the voting machines would ultimately help to answer this question.


The next state to consider is Illinois. I have previously reported on Illinois, and from what I have found, the Illinois State Board of Elections (“SBE”) had come out with a report which detailed an analysis of the infiltration of its systems prior to the general election. This infiltration involved obtaining usernames and passwords of election officials, as demonstrated in the SBE report below:

It is important to note that credential harvesting took place in this case. Illinois officials would likely have been hacked in a manner which would result in Total Access to the election systems by the hackers. This could have been a way to change the vote tallies as described above. Again, this is highly concerning.


It is important to point out that the information provided above establishes a route of transmission of Russian hacking in the election, from the source to the vote count systems, which tends to discredit the results. These issues need to be shored up as soon as possible in order to prevent any future incidents. There have already been calls for the information to be declassified so that states can begin the necessary work to fix their election systems.

There is a solution to this problem which Mr. Turner, Brian Fox, and Dr. Juan Gilbert from the National Association of Voting Officials have demonstrated – see www.navo-us.org. This system advocates for complete and total transparency in the process. We need to make sure that the election systems are appropriately transparent so that the public has confidence in the system. General Public License Version 3 (GPLv3) open source ballot printing and tabulation systems have been tendered to the US government for public ownership and use, but have been kept on the sidelines by corporate-led lobbyists.

Prime III Demo from Wisconsin Elections Commission on Vimeo.

This can no longer be tolerated, as it is in direct conflict with the national security interest. The process is relatively simple. This process (1) begins with the voter choosing the candidate which he or she would like to vote for. Then (2) a ballot is printed out and the voter verifies that the ballot matches the desired selection from the screen. The ballot is then (3) inserted into a privacy sleeve and (4) dropped into the ballot box, where it is (5) counted at the end of voting. It is important to note that the count will occur at the end of the day and at the precinct where the vote was originally cast, so that people from both parties, as well as voters, the media, and election officials, can watch as the count takes place. The following video demonstrates how the system works:

Once the counting begins, all of the ballots are announced and then (6) scanned into a scanner, and the scanning process is projected on a big screen in the public count center. The hand count (8) audit will take place immediately, and the hand count will be (9) matched up to the electronic accounting system. If there is found to be a problem with the machine scanner, then the scanner will be thrown out. The hand count will be paramount. Transparency is key here. It is important to use open-source GPLv3 software, because it is not proprietary and does not contain any secret code which would prevent the forensic analysis of the voting machines. Many reputable entities requiring the best security platform possible utilize open source software, in particular the Department of Defense and NASA, which use such code for numerous platforms within their operational makeup.
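The reconciliation rule in steps (8) and (9) above, that the hand count is authoritative and a scanner whose tally disagrees with it is discarded, is simple enough to write down precisely. The following Python is an added example, not code from the original post, from NAVO, or from the Prime III project: it tallies the hand-counted and scanned ballots of each precinct for one contest, reports any per-candidate discrepancy or ballot-count mismatch, rejects the scanner where they disagree, and certifies totals from the hand count alone. The precinct names and ballot data are constructed for the demonstration.

```python
from collections import Counter


def tally(ballots) -> Counter:
    """Count selections for one contest; None marks a ballot with no selection (undervote)."""
    return Counter(b for b in ballots if b is not None)


def reconcile_precinct(hand_ballots, scanner_ballots) -> dict:
    """Compare the public hand count with the scanner's output for one precinct.
    The scanner is accepted only if every candidate total and the ballot count match exactly."""
    hand, scan = tally(hand_ballots), tally(scanner_ballots)
    names = sorted(set(hand) | set(scan))
    discrepancies = {c: scan[c] - hand[c] for c in names if scan[c] != hand[c]}
    return {
        "hand": dict(hand),
        "scanner": dict(scan),
        "ballots_hand": len(hand_ballots),
        "ballots_scanner": len(scanner_ballots),
        "discrepancies": discrepancies,
        "scanner_accepted": not discrepancies and len(hand_ballots) == len(scanner_ballots),
    }


def certify(precincts: dict) -> dict:
    """precincts: {name: (hand_ballots, scanner_ballots)}. Totals always come from the
    hand count; precincts whose scanner disagreed are listed for removal from service."""
    totals, rejected = Counter(), []
    for name, (hand_b, scan_b) in precincts.items():
        result = reconcile_precinct(hand_b, scan_b)
        if not result["scanner_accepted"]:
            rejected.append(name)
        totals.update(tally(hand_b))
    return {"totals": dict(totals), "scanners_rejected": rejected}


def build_sample() -> dict:
    """Constructed sample: Precinct 1 reconciles cleanly; in Precinct 2 the scanner
    reads one Bob ballot as Alice, which the hand count exposes."""
    p1_hand = ["Alice"] * 52 + ["Bob"] * 47 + [None]
    p1_scan = list(p1_hand)
    p2_hand = ["Alice"] * 30 + ["Bob"] * 31
    p2_scan = ["Alice"] * 31 + ["Bob"] * 30
    return {"Precinct 1": (p1_hand, p1_scan), "Precinct 2": (p2_hand, p2_scan)}


if __name__ == "__main__":
    for name, (hand_b, scan_b) in build_sample().items():
        print(name, reconcile_precinct(hand_b, scan_b))
    print(certify(build_sample()))
```

Because the rule tolerates no discrepancy at all, the outcome in Precinct 2 is decided by the paper ballots in front of the observers, not by the scanner, which is the property the process above is designed to guarantee.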

We deserve nothing less than to have transparency in the elections process, as well as accountability. Voting officials, unfortunately, can be reluctant to provide information related to deficiencies which may have occurred, but there is nothing more precious than the right to vote. If our right to vote is infringed upon, we will have no recourse and our democracy will no longer exist. There is no issue more important for our preservation as a shining example of freedom than protecting our right to vote — we must continue this fight for our democracy.