A Boston-based IT security company posted a shocking article yesterday claiming that a hacker broke into the US Election Assistance Commission and sold the information via a Middle Eastern government broker.
Recorded Future claims to have discovered that there was a security breach of the U.S. Election Assistance Commission (EAC). They report that a hacker named Rasputin was able to get into the computer systems of the EAC and get login information for 100 users, including administrators. They believe that the hacker is Russian.
As proof of his ability to gain access to the EAC systems, Rasputin posted multiple screen captures of internal web tools online. Here is one example:
(Image Credit: Recorded Future)
How did he do it?
According to Recorded Future's assessment, Rasputin used an SQL injection attack to get access to the EAC servers. Essentially, SQL injection exploits vulnerable software that connects to a database by inserting database commands into a web request. That is, if a piece of software is not properly protected, it is possible to add database (SQL) statements to the data submitted via a web form and thus gain access to the database itself. It's not clear which piece of software was compromised.
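To make the mechanism concrete, here is an added example (not from Recorded Future's report or from any EAC software, which the article does not identify) showing a form lookup that builds its query by string concatenation next to the same lookup with a bound parameter. The table, user names and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; not taken from any real system.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "staff"),
        ("bob", "admin"),
        ("o'brien", "staff"),
    ])
    return db

def lookup_vulnerable(db, name):
    # Form input is pasted into the SQL text, so a quote character in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Bound parameter: the input is passed to the database as data only
    # and never becomes part of the statement text.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Constructed form input: the quote closes the literal and the trailing
# condition is always true, so the WHERE clause matches every row.
FORM_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, FORM_INPUT))  # every user
    print("safe:      ", lookup_safe(db, FORM_INPUT))        # no match
    # A legitimate name containing a quote breaks the concatenated query;
    # SQL syntax errors like this in application logs are a sign that
    # input is reaching the query text.
    try:
        lookup_vulnerable(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable lookup failed:", exc)
    print("safe:      ", lookup_safe(db, "o'brien"))
```
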
What is most interesting here is what Recorded Future said happened to the data:
Research suggests that the actor was in ongoing negotiations with a potential buyer, on behalf of a Middle Eastern government. Recorded Future successfully identified the penetration source and provided all information to federal law enforcement agencies.
What does this mean?
It is important to note that this does NOT mean the election was hacked. The EAC does not administer voting machines, nor does it have access to them. What the EAC does is mostly create guidelines and distribute funds for election-related projects. While they do create guidelines for testing and certification of election systems, their computer systems have no access to those election systems.