On Monday, an official FBI alert from August 18 was leaked to Yahoo News. The alert stated the FBI had uncovered evidence showing that at least two state election systems were penetrated by hackers in recent weeks. The FBI quickly issued warnings to election officials across the country to ramp up security on their systems.
It appears from the Flash Alert that the public was not supposed to know about it.
This FLASH has been released TLP: AMBER: The information in this product is only for members of their own organization and those with DIRECT NEED TO KNOW. This information is NOT to be forwarded on beyond NEED TO KNOW recipients.
The FBI then goes on to describe the nature of the attack and lists the IP addresses associated with the intrusion.
The FBI received information of an additional IP address, 22.214.171.124, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 126.96.36.199 used in the aforementioned compromise.
The following information was released by the MS-ISAC on 1 August 2016, which was derived through the course of the investigation. In late June 2016, an unknown actor scanned a state’s Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor, detailed in the indicators section below.
“This is a big deal,” said Rich Barger, chief intelligence officer for ThreatConnect, a cybersecurity firm, who reviewed the FBI alert at the request of Yahoo News. “Two state election boards have been popped, and data has been taken. This certainly should be concerning to the common American voter.”
According to the FBI, the hack is the work of a ‘foreign entity.’ However, they have not named the country of origin. This has not stopped other officials from quickly blaming the Russians.
Also absent from the alert are the names of the states involved in the hack. Read more.