White House

Mueller report: Russia hacked state databases and voting machine companies

Russian intelligence officers injected malicious SQL code and then ran commands to extract information

Donna Shalala, Democratic candidate for Florida's 27th Congressional District, votes on Election Day at Coral Gables Fire Station 3 on Nov. 6, 2018. (Tom Williams/CQ Roll Call file photo)

The Russian military intelligence unit known by its initials GRU targeted U.S. state election offices as well as U.S. makers of voting machines, according to Mueller’s report.

Victims of the Russian hacking operation “included U.S. state and local entities, such as state boards of elections (SBOEs), secretaries of state, and county governments, as well as individuals who worked for those entities,” the report said. “The GRU also targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations.”

The Russian intelligence officers at GRU exploited known vulnerabilities on websites of state and local election offices by injecting malicious SQL code on such websites that then ran commands on underlying databases to extract information.

Using those techniques in June 2016, “the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the SBOE's website,” the report said. “The GRU then gained access to a database containing information on millions of registered Illinois voters, and extracted data related to thousands of U.S. voters before the malicious activity was identified.”

In another operation, GRU officers sent spearphishing emails to election officials and executives of companies that make voting machines, the report said.

In August 2016, GRU targeted employees of a company that develops software to manage voter rolls and installed malware on the company’s network, the report said without naming the company.

“Similarly, in November 2016, the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election,” the report said. “The spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.”

The Orlando Sentinel reported last week that Volusia County was affected by the GRU attack. The paper said county officials received emails purporting to be from Tallahassee-based VR Systems, the company that likely fell victim to the attack.

Last year, then Sen. Bill Nelson, D-Fla., and Marco Rubio, R-Fla., both warned Florida election systems were susceptible to Russian cyberattacks. Nelson, who lost the election to Florida Gov. Rick Scott, said Russians had gained access to Florida voter data but didn’t offer any details.

The Mueller report said, “FBI believes that this operation enabled the GRU to gain access to the network of at least one Florida county government.”

In July 2018, Mueller indicted 12 Russian military intelligence officers from the GRU for breaking into the Democratic National Committee’s email servers, stealing information and leaking it through special online sites as well as through WikiLeaks. The Justice Department said the Russian military officers also hacked the website of a state election board and stole information on 500,000 voters.

Mueller’s report said the GRU’s Unit 26165 targeted Democratic candidate Hillary Clinton’s personal email server in July 2016 soon after candidate Trump announced at a rally, “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing.” The emails were stored on Clinton’s personal email server.

The attack on Clinton’s email server occurred within five hours of Trump’s call and targeted 15 email accounts at the domain, the report said. “The investigation did not find evidence of earlier GRU attempts to compromise accounts on this domain. It is unclear how the GRU was able to identify these email accounts, which were not public,” the report said.

Separately the GRU unit responsible for attacking the Clinton server also hacked into a Democratic National Committee cloud server and stole 300 gigabytes of data from the computers, the report said.

Get breaking news alerts and more from Roll Call on your iPhone or your Android.