Summer Fridays just aren’t as relaxing as they used to be. This afternoon, special counsel Robert Mueller released indictments of 12 Russian intelligence officers alleging that they conspired to hack into various Democratic Party computers and email accounts during the 2016 election, and that they communicated with people associated with the Trump campaign. The indictment also singled out Russian intelligence for having hacked into a state board of elections website and a private company that helps administer elections.
While the Mueller investigation is primarily focused on whether members of the Trump campaign colluded with Russia, it has also tackled issues of Russian interference in our democracy at large. Russian tampering with election systems is a troubling piece of that interference, and remains a worry with four months to go until the midterm elections. (Here’s a story I wrote in the spring about a worst-case scenario for Russian interference on this upcoming Election Day.)
American elections are administered by states and local municipalities, using a combination of in-house and private vendors that don’t operate under a consistent security standard. We’ve known for almost a year that the election systems of 21 states were scanned by Russian hackers in the lead-up to the 2016 elections. To our knowledge, only one state, Illinois, is confirmed to have been hacked. So what new information did today’s indictments tell us about 2016 election interference?
What we learned today
Count 11 of Mueller’s indictment tells us that in or around July 2016, Russian intelligence officers hacked into a state board of elections website and “stole information related to approximately 500,000 voters.” Though the state is not named, this is probably referring to the hack of the Illinois system, during June and July 2016. But the indictment appears to reveal that more voter information was exposed than originally thought: Illinois authorities initially said that the names and personal information of fewer than 200,000 voters had been exposed, but if the hack detailed in the Mueller indictment is in fact the Illinois attack, then that number was underestimated by about 300,000.
The Mueller indictment also tells us that in addition to targeting state election sites, the hackers scanned the web presences of certain counties in Georgia, Iowa and Florida, looking for vulnerabilities.
Anything else of interest?
The indictment potentially confirms an Intercept report from last year that a private company involved with election administration was also targeted by the hackers.
Mueller’s indictment says that the Russian intelligence officers hacked into the computers of a vendor that supplied software used to verify voter registration information. The Intercept report was based on National Security Agency documents, which did not directly identify the company but made references to a product made by VR Systems, whose products are used in eight states. The indictment also says the hackers sent more than 100 targeted phishing emails to people involved with administering Florida elections.