Updated at 9 p.m. ET
Russia's military intelligence agency launched an attack days before Election Day on a U.S. company that provides election services and systems, including voter registration, according to a top-secret report posted Monday by The Intercept.
The news site published a report, with redactions, by the National Security Agency that described the Russian spear-phishing scheme, one it described as perpetrated by the same intelligence agency — the GRU — that the Obama administration imposed sanctions on for the 2016 cyber mischief.
According to the NSA report, Russian hackers sent emails to people who worked at a company that provides state and local election offices with voter registration systems, trying to trick them into giving up their user credentials. The Intercept reports, "At least one of the employee accounts was likely compromised, the agency concluded." The NSA report says that the Russians then used information from that account to launch a separate phishing attack targeting 122 local election officials.
The hackers apparently sent the officials emails that appeared to be from the vendor in an effort to trick the recipients into clicking on an attachment or link that could have introduced malware into their computers. If they had been successful, the hackers could have gained control of the infected computer. The American spy agency acknowledges it doesn't know how successful the Russian efforts were or what information or access the GRU may have gotten.
A spokesman for the Office of the Director of National Intelligence declined to comment.
VR Systems, the Florida-based election systems provider referenced in the material, said in a statement:
"When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.
"Phishing and spear-phishing are not uncommon in our society. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.
"It is also important to note that none of our products perform the function of ballot marking, or tabulation of marked ballots."
Separately on Monday, the Justice Department announced that it is charging a 25-year-old Georgia woman who works for an intelligence agency contractor with sending classified material to a news organization.
Reality Leigh Winner of Augusta was arrested Saturday. The FBI said in court documents that she had been accused of printing out classified material and sending it by mail to a news outlet.
Two national security officials with knowledge of the matter confirmed to NPR on Monday that the cases are connected.
Winner's arrest follows the promise of a crackdown by the Trump administration on leaks, which have revealed a number of sometimes embarrassing details about the inner workings of the government and some of its national security arrangements.
"Releasing classified material without authorization threatens our nation's security and undermines public faith in government," Deputy Attorney General Rod Rosenstein said in a statement on Monday. "People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation."
The NSA document posted on Monday offers some of the most official details yet about Russia's cyberactivity, which the U.S. intelligence community has previously discussed in much broader terms. It also confirmed that the Russian attacks continued after the Department of Homeland Security publicly attributed the meddling to Russia's intelligence agencies, showing that those statements did not deter more cyberattacks, and after President Barack Obama's warning to Russian President Vladimir Putin in September "to cut it out, there were going to be serious consequences if he did not."
Intelligence agency leaders say that Russia's attacks did not change any actual votes in the 2016 race, but election technology experts have been concerned for years that hackers could attempt to manipulate not only individual voting machines but also other equipment used to run elections, such as those that tabulate votes or keep track of voter registrations.
While the machines that voters use to cast their ballots are not connected to the Internet, the computers used to program these machines, or to run elections, can be connected at some point, leaving them vulnerable to cyberattacks.
J. Alex Halderman, a computer security expert from the University of Michigan, is among those who have been sounding the alarm for years.
"It's highly significant that these attacks took place, because it confirms that Russia was interested in targeting voting technology, at least to some extent. I hope further investigation can shed more light on what they intended to do and how far they got," he says.
Halderman and others note that local election officials often contract with private vendors, such as VR Systems, to program their voting equipment. He says if those vendors are hacked, then malware could easily be spread to local election offices and ultimately to individual voting machines.
Jeremy Epstein, another voting security expert, said that even though the NSA report describes efforts to hack into voter registration systems, once hackers have access to a local election office's computers, they can potentially infect other aspects of the election.
"If I was a Russian trying to manipulate an election, this is exactly how I would do it," he says.
Experts say it would be difficult to know whether votes had been tampered with unless the equipment had a paper ballot backup. Those paper ballots can be used to verify whether the election results reported electronically were correct.
Lawrence Norden of the Brennan Center for Justice at the New York University School of Law notes that seven of the eight states that use VR Systems services — California, Florida, Illinois, Indiana, New York, North Carolina and West Virginia — have paper-based systems. And most of the equipment used in the eighth state — Virginia — also uses paper.
Another concern is that even if hackers did not try to change the actual election results, they could undermine confidence in the voting system by causing enough confusion at the polls to raise doubts about the results. That could happen, for example, if voters showed up at the polls to find that their names were not listed or listed incorrectly.
KELLY MCEVERS, HOST:
A Russian intelligence agency launched a cyberattack last year against a company that helps run American voting systems. That detail appeared today in a top secret National Security Agency document that was posted by the news website The Intercept. And on the same day, the Justice Department announced it's charging a young woman who works for an intelligence agency contractor with sending secret information to a news organization. NPR has confirmed these two threads are connected.
And to tell us more about this breaking story, we are joined by national security editor Phil Ewing. Hi there, Phil.
PHIL EWING, BYLINE: Hi, Kelly.
MCEVERS: OK, so there's a lot of stuff here. Let's start with this cyberattack first. What does this NSA report say happened?
EWING: What it says happened is in the last months of the presidential campaign last year, the Russian military intelligence agency known as the GRU began a spear-phishing attack against a company in the United States that provides election services and election systems to eight U.S. states. And what appears to have taken place is these Russian cyber hackers sent spear-phishing emails to people in this company that said, we need your login credentials so that you can do something with these messages that they got.
And what the NSA report doesn't say is whether or not these officials, these U.S. officials, know whether that was successful, whether these guys got in, what kind of information they were able to take out or what kind of control they were able to get over these election computing systems.
MCEVERS: Is there any sense of - that the Russians could have used what they did here to change the outcome of the election?
EWING: The short answer is no, there's nothing in this that indicates that was a danger. But at the same time, once you get control of a computer system, you can do all kinds of things. You can see what people in that network are doing. You can install your own software to create false data. You could create chaos and send everybody in the company an email saying they've been laid off, and maybe they won't show up to work on a key day when you want there to be chaos. So the indications are that this stopped short of changing the outcome of any election, but it's still very serious potentially for these vendors to have had their systems compromised in this way.
MCEVERS: And usually we don't know where a lot of these national security stories come from. There was some indication today that the government might have already identified the source.
EWING: That's right, yeah. Not long after the story posted on The Intercept, the Justice Department announced that it has filed charges down in Georgia against a woman named Reality Leigh Winner, who's 25 years old. She works for an NSA contractor, and she may have been connected with the leak of this material.
According to court documents the Justice Department unveiled today, she was one of the people at this NSA facility in Augusta, Ga., who had access to these documents. The FBI says she was in email contact with the correspondents for this website The Intercept that broke the story. And she may have printed out copies of this PDF and mailed them by snail mail - kind of old fashioned - to The Intercept to be able to share this information with them.
Now, this story is still unreeling, and we don't know much more. But we do know from national security officials who are familiar with these matters that she is connected with this case and The Intercept.
MCEVERS: Certainly not the first time the U.S. intelligence community has had a contractor release secret information, right?
EWING: Yeah, that's right. And one of the things this story - one of the many things this story raises is, this is not the first time, as you say, a contractor who's not a U.S. government employee but kind of on the outer perimeter has compromised some secrets. We remember Chelsea Manning, who was in the Army at the time and released information about U.S. military conduct overseas - Edward Snowden, the most famous example. And this right now appears to be something very much similar to those two.
MCEVERS: NPR's national security editor Phil Ewing, thank you.
EWING: Thank you.
Transcript provided by NPR, Copyright NPR.