Hackers linked to foreign IP addresses unsuccessfully tried to break into an election database in Knox County, Tennessee, during last week’s primaries, a new report says.
Investigators hired by the county were looking into the May 1 crash of a public website that was displaying returns on election night. In a report released Friday, Sword & Shield Enterprise Security said no election data was compromised in the apparent denial-of-service attack, but that they did discover an attempt to “exploit the backend database behind the Web server.”
Officials said the server was only storing data meant for public display, was not connected to any system where the raw votes were being tallied, and no vote tallies were compromised.
“It’s not connected to any live databases,” David Ball, the Knox County deputy director of IT, told HuffPost. “None of it is primary information that’s kept on that server. It’s a repository for being able to report to the public, and we have intentionally kept any primary data extremely isolated.”
Investigators traced two of the IP addresses involved in the attack to Ukraine and the U.K., according to the report. They also said IP addresses from an unusually high number of foreign countries ― approximately 65 ― targeted the website on election night. The most requests came from Canada, the U.K., Chile, France and Italy. Addresses associated with Russia did attempt to contact the network, according to the report, but not as many times as those associated with other countries did.
Sword & Shield analyzed web traffic on election night and saw symptoms typical of a denial-of-service attack, a type of cyberattack meant to crash or slow down a website. During the same time period, they said, they saw an attempt to breach the public-facing election results website.
Investigators re-enacted the attempted breach and discovered a vulnerability in the database behind the public website. They were not sure what exactly caused the crash on election night, but did say the website crashed when they were testing the vulnerability themselves.
“There is not a clear indication whether the Web site crash was due to the traffic of the [investigators’] scan, the vulnerability being accessed, a combination of both or another external factor,” the report said, adding that further testing would determine the cause.
Ball declined to discuss the specifics of the vulnerability, citing security practices, but said officials promptly removed it once they learned of it. The attempted breach was similar to the attacks that several states experienced during the 2016 presidential election, he said. The disclosure comes as states are working to improve their election security after attempted Russian hacking during that election.
“In this case, it was just a matter of, there was a way to get in, to look around, but that was pretty much the extent of it,” Ball said.
It’s not clear what the hackers were interested in, the IT official said, but there was a range of possibilities.
“It might have been one of those things, had the election data been actually living on that server, there might have been an attempt to alter that. Or there might have been an attempt to redirect traffic from the real website to a phony website somewhere else,” Ball said.
After discovering the exploit, investigators reviewed the county’s system for storing election results. They noted that election data is physically transported from polling places to an isolated central repository. Officials use memory cards to physically transfer the data from that central repository to separate computers to upload onto the web.
“This process provides data integrity. No data is carried back to the isolated master system that contains the official election results,” the report said. “Due to the lack of network connectivity and the fact that all data that goes into the isolated master system can be validated back to each polling station and to each polling machine, no compromise of official election data could have been carried out.”
Philip Stark, a professor of statistics at the University of California, Berkeley who is an expert on election auditing, reviewed the Sword & Shield report and said questions still remained.
“The assurance that no data could possibly flow from outside the tally system into the tally system is basically, ‘This is what Knox County told us,’” he said in an email. Also missing from the report, he said, was any indication of whether the country reused memory cards and, if so, how often it wiped them, as well as confirmation that the voting machines had no wireless functionality.
Ball said the county’s election systems don’t have any network functionality at all. The memory cards that carry the results from a central tabulator to a networked workstation are reused, he said, but “only after a low-level format and security scan.”
“The webserver cannot send any data to the workstations,” Ball said.