In Georgia, a database that verifies voter signatures was locked up by Russian hackers in a ransomware attack that also dumped voters’ registration data online.
In California and Indiana, Russia’s most formidable state hackers, a unit linked to the Federal Security Service, or FSB, bore into local networks and hit some election systems, although it is still unclear why.
In Louisiana, the National Guard was called in to stop cyberattacks aimed at small government offices that employed tools previously seen only in attacks by North Korea.
And Tuesday night, someone hacked the Trump campaign, defacing its website with a threatening message in broken English, warning that there would be more to come.
None of these attacks amounted to much. But from the sprawling war room at US Cyber Command to those monitoring the election at Facebook, Twitter, Google and Microsoft, experts are watching closely for more “perception hacks.” Those are smaller attacks that can be easily exaggerated into something bigger and potentially seized upon as evidence that the whole voting process is “rigged,” as President Donald Trump has claimed it will be.
The phrase comes up every time Christopher Krebs, the Department of Homeland Security official responsible for making sure voting systems are secure, talks about the biggest vulnerabilities in this election. His worry is not a vast attack but a series of smaller ones, perhaps concentrated in swing states, whose effect is more psychological than real.
Perception hacks are just one of a range of issues occupying election officials and cybersecurity experts in the final days of voting — and their concerns will not end on Election Day.
One theory gaining ground inside US intelligence agencies is that the Russians, having made the point that they remain inside key American systems despite bolstered defences and new offensive operations by Cyber Command, may sit out the next week — until it is clear whether the vote is close.
The Russian play, under this theory, would be to fan the flames of state-by-state election battles, generating or amplifying claims of fraud that would further undermine US confidence in the integrity of the election process.
The Iranians would continue their playbook, which US intelligence officials see as more akin to vandalism than serious hacking, filled with threats in mangled English.
But American experts have warned local officials that come November 3, the Iranians may seek to paralyze or deface the websites of secretaries of state, affecting the reporting of results, and create the impression of being inside the voting infrastructure even if they never were and the election results have not been compromised.
Here is a look at some of the potential threats and what has been learned in a year of behind-the-scenes cyberbattles.
Protecting the machines
Government officials are trying to assure voters that voting machines are hard to hack on a large scale: They are almost entirely offline. States and counties use their own systems, and the breadth and diversity of those systems, the argument goes, make it nearly impossible for a single attack to target all of them.
But that does not eliminate the risk. At the University of Michigan, J. Alex Halderman has turned his laboratory into an arcade of voting-machine vulnerabilities and found ways to create “attacks that can spread from machine to machine like a computer virus and silently change election outcomes.”
Others point out that no one needs to hack every state to cause havoc. In a tight election, an attacker could target Atlanta, Philadelphia, Detroit or Milwaukee and delay the reporting of results from an electoral battleground.
The other weak point in the diversity-as-security claim, election security experts say, is the constellation of contractors that support elections across multiple states and counties. “The claim that diversity is protecting the election is a logical fallacy,” said Harri Hursti, an election security consultant.
Hursti worries about a scenario in which ballot scanners could be reprogrammed to read a vote for Joe Biden as a vote for Trump or vice versa.
“A single point of failure could compromise election infrastructure across multiple counties and states,” Hursti warned.
His concern is strictly cautionary but not unheard-of. Not long after the 2016 election, a National Security Agency whistleblower revealed that VR Systems, a Florida company that provided check-in software to multiple states, including critical swing states like Florida and North Carolina, was compromised by Russian hackers before the vote. There is no evidence they used that access to affect the final vote.
The constant drumbeat of cyberattacks and foreign interference has forced states to put safeguards in place. States have worked to print paper backups of voter registration data, and they have phased out machines that leave no paper backup.
Krebs said that next week about 92% of all votes cast would be “associated” with some kind of paper record, up significantly from four years ago.
But with the surge in mail-in ballots this year, machine voting will also diminish as a percentage of the total vote. So the vulnerabilities that the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency is focused on are potential attacks on voter registration, verification and vote reporting systems, along with the computer networks of secretaries of state, or power outages at the polls.
Those kinds of attacks would not change the vote tallies. But, executed artfully enough, especially in battleground states or key districts within those states, they could be used to sow doubt about the legitimacy of the election.
Some officials still wonder if that was the motivation behind some of Russia’s 2016 interference, when hackers “scanned” the registration databases of all 50 states, breached systems in Arizona and Florida, and made an unusually noisy show of stealing voters’ registration data in Illinois but ultimately did nothing with it.
Many of those vulnerabilities have been patched, thanks to an aggressive campaign by the Homeland Security Department and the states. But voting is a local affair and vulnerabilities remain, as Gov. Ron DeSantis of Florida discovered when he went to vote early in Tallahassee, the state capital. Someone — the police arrested a 20-year-old from Naples, Florida — had changed the governor’s address to West Palm Beach.
That is why there is so much concern about a Russian group called Energetic Bear. Over the years, the group, believed to be a unit of the FSB, has breached US power grids, water treatment plants, a nuclear power plant in Kansas and, more recently, web systems at San Francisco International Airport.
And starting in September, it began going into the systems of state and local governments. Intelligence officials say they have succeeded in breaching only two servers in California and Indiana.
The most imminent threat, officials say, is ransomware attacks that could freeze some part of the voting system and delay results.
It is a sign of how concerned the intelligence agencies and private industry are about ransomware that over the past month both Cyber Command and a group of companies led by Microsoft have been bringing down servers around the world linked to TrickBot, a set of tools used in some of the most sophisticated ransomware operations.
“This is all about disrupting TrickBot’s operations during peak election activity,” said Tom Burt, the Microsoft executive in charge of the operation.
But there is already evidence that the hackers behind TrickBot have shifted to new tools, according to Mandiant, a cybersecurity firm. Over the past month and a half, researchers discovered that the same people have directed a spate of vicious new ransomware attacks that have taken US hospitals offline, just as coronavirus cases are spiking.
“They could use these same tools against whoever they want whether it’s the election or hospitals,” said Kimberly Goody, a cybercrime analyst at Mandiant.
A ransomware attack in Gainesville, Georgia, locked up the voter signature verification systems last week, forcing poll workers to do things the old-fashioned way, pulling registration cards manually and eyeballing the signatures.
The attack, which does not appear to have been directed at the election but took election systems down as collateral damage, exposed continued weak spots in Georgia, a key battleground state.
Internal emails showed that the Georgia secretary of state’s office disabled two-factor authentication in recent weeks, after its election software was buckling under the deluge of early voters. Two-factor authentication, which keeps hackers from breaking into systems with one stolen password, has been key to the Homeland Security Department’s election security strategy, and in this case emails show that the secretary of state simply turned it off.
Preparing for the aftermath
Trump has already promoted the idea that mail-in ballots will be riddled with fraud and has sought to use small glitches in the distribution and return of mail ballots as evidence that the system cannot be trusted if the result goes against him.
The Cybersecurity and Infrastructure Security Agency issued a “public service announcement” recently about taking care to verify information before believing it or reposting it. But as some government officials concede, there is no remedy for a president who repeats unproven rumours and conspiracy theories — other than directly contradicting him.
“They have walked the line carefully,” said Sen. Angus King, I-Maine. “But the real test is coming.”