Foreign hackers cripple Texas county’s email system with a simple malware attack

Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.

But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.

“I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.

The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.

U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices.

A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn’t follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn’t use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.

Although the malware used against Hamilton likely originated with foreign hackers, it appears to have been part of a widespread campaign, rather than one that targeted election-related sites. The malware also doesn’t appear to have spread from Hamilton to other Texas counties. And because Hamilton is a so-called offline county, the attack didn’t affect state voter systems. State and Hamilton County officials said the intrusion won’t affect voters’ ability to cast ballots or have them tabulated.

Still, such attacks could rattle voters’ confidence — or, at worst, bring down systems on election day. The type of malware deployed against Hamilton, called Emotet, often serves as a delivery mechanism for later ransomware attacks, in which swindlers commandeer a victim’s computer and freeze its files until a ransom is paid. U.S. officials have expressed concern that those attacks — which have paralyzed government agencies, police departments, schools and hospitals — could potentially disrupt the election.

Harvard’s Belfer Center for Science and International Affairs, which specializes in establishing best practices for political campaigns and election officials, said in a February 2018 report that election officials should “create a proactive security culture.” For political campaigns, the group suggested using cloud-based email and office software, which are more likely to neutralize threats like Emotet before they reach a user’s inbox. Experts said smaller governments with fewer resources should heed that advice.

Hamilton County has 8,500 residents and voted for President Donald Trump by a 6-to-1 margin in 2016. Almost all of the county offices, including Jackson’s, are located in the courthouse. During the pandemic, residents submit paperwork through a cracked window at the top of the courthouse steps, next to the door. A handwritten note taped to the glass reads, “If we don’t see you, please yell!”

Jackson’s office uses multiple email accounts, runs Microsoft Windows and edits Word files locally on its computers, as opposed to a cloud service like Google Docs, which is more likely to strip out malicious code. None of the emails sent to Hamilton was flagged as suspicious, according to a ProPublica review. The county’s email system lacks two-factor authentication — a standard protection involving a second means of verifying a user’s identity. It also hasn’t implemented DMARC, a system that helps organizations and businesses confirm that emails sent from their addresses are authentic.

Last November, AT&T Corp. performed a security audit for the county clerk’s office, a service offered free to counties by the Texas secretary of state. Jackson said last year’s audit, which took place before her appointment, highlighted no major concerns, but another one is being conducted this year. A representative of the secretary of state’s office said that the audit is a “top-to-bottom assessment” of both physical and cyber security, including the email system, and said Hamilton “may or may not have” implemented the recommendations.

ProPublica obtained five malware samples from Hamilton County and identified them as Emotet. The security firm Proofpoint, which examined the samples at our request, traced them to two weeklong Emotet campaigns in mid-September likely involving millions of malicious email attachments.

Emotet tricks users into clicking on plausible-looking messages and following phony instructions that in reality disable security settings in Microsoft Office. If successful, the ruse allows the malware to hijack the victim’s email conversations and send phony replies from bogus accounts. Malware attached to the messages is primed for a new set of targets automatically selected from the victim’s inbox, further spreading the infection.
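As an added example (not part of the ProPublica article), the following Python filter scores simplified, constructed messages against the reply-chain lure pattern described above: a "Re:" subject, a trusted display name on an external sender address, a file password supplied in the body, and a macro-capable Office attachment. The trusted domain, staff names and sample messages are assumptions, not the county's real mail.

```python
import re
from email.utils import parseaddr

# Assumed values for illustration; not Hamilton County's real domain or staff list.
TRUSTED_DOMAIN = "example-county.gov"
KNOWN_STAFF = {"leanne jackson"}

# Constructed, simplified messages: one lure shaped like the article's description,
# one legitimate internal reply.
SAMPLES = [
    {
        "from": '"Leanne Jackson" <clerk-reply@mail.example.lk>',
        "subject": "Re: official precinct results",
        "body": "Please see attached. The password for the file is results2020.",
        "attachments": ["precinct_results.doc"],
    },
    {
        "from": '"Leanne Jackson" <ljackson@example-county.gov>',
        "subject": "Re: early voting schedule",
        "body": "Attached is the updated schedule for review.",
        "attachments": ["schedule.pdf"],
    },
]

def lure_indicators(msg, trusted_domain=TRUSTED_DOMAIN, staff=KNOWN_STAFF):
    """Return the list of lure indicators present in one message."""
    hits = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    # Hijacked threads arrive as replies to conversations the victim really had.
    if re.match(r"\s*re:", msg["subject"], re.I):
        hits.append("reply-style subject")
    # A known staff member's name on an address outside the county domain.
    if name.lower() in staff and domain != trusted_domain:
        hits.append(f"display name '{name}' on external domain {domain}")
    # The lure tells the reader the password of the attached file.
    if re.search(r"\bpassword\b", msg["body"], re.I):
        hits.append("attachment password supplied in body")
    # Word/Excel formats that can carry macros.
    if any(re.search(r"\.(docm?|xlsm?)$", a, re.I) for a in msg["attachments"]):
        hits.append("macro-capable Office attachment")
    return hits

def is_lure(msg, threshold=3):
    """Flag a message when enough indicators co-occur."""
    return len(lure_indicators(msg)) >= threshold
```

The threshold keeps a plain internal reply (one indicator) from being flagged while the combined pattern (four indicators) is.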

Jackson, who has been county clerk less than a year, said she didn’t know who in the office clicked on the fake messages. She also said she has received little help from the county’s outside IT firm, BizProtec LLC. She said she noticed what appeared to be phishing emails on Monday, Sept. 14, and first alerted BizProtec the next day. By that afternoon, BizProtec called to assure her that it had fixed the problem by changing computer passwords for her and the rest of the office, which Hamilton County employees cannot do on their own. But the new passwords didn’t help. By noon this past Monday, a week after the attack began, her inbox had more than 35 suspicious emails — including one that appeared to be from the county judge and contained malware.

Experts ProPublica interviewed said that changing passwords is unlikely to scrub malware. “You facepalm when you hear that advice,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “Unless you clean up an infection, it’ll just keep coming back. You can change your password a million times — it does not actually matter.”

Hamilton County wouldn’t say how much BizProtec charges for its services, but a work proposal for nearby Bosque County shows the firm bills $95 an hour for typical service calls and $125 for calls outside of normal business hours. BizProtec also appears to do IT work for Cooke, Falls, Gonzales, Wheeler, Young, Llano, Eastland and Somervell counties, procurement records show, which combined have more than 150,000 residents.

Email and phone messages left with BizProtec and its owner, Kerry Hancock, seeking comment this week were not returned. Email addresses for Uvalde, Kleberg and Matagorda counties appeared on Emotet-generated emails sent to a listserv of Texas officials. However, those counties said they were not infected, and it’s possible that their email addresses were taken from Hamilton County inboxes and used to spread the malware to recipients of Hamilton emails.

Hamilton residents and business owners have received malware from several county offices, according to Jackson. Yet the county’s top elected official, County Judge W. Mark Tynes, told ProPublica he doesn’t think there was a problem.

“We get spoofed all the time,” Tynes said, insisting to a reporter that he had no reason to believe the malware incident was anything serious. “BizProtec told me they were taking care of it,” he said. “I have no reason to be dissatisfied with BizProtec.”

Told that his own email address was being used to send infected messages, Tynes didn’t seem alarmed. “I’m retiring at the end of my term,” he said.

Security experts said there’s ample reason for concern. Last year, Emotet was one of the most common precursors for large-scale ransomware attacks, and the likely vector by which they wormed their way into municipal governments, according to a report by cybersecurity firm Intel 471.

“This is a massively spread, low-sophistication and low-targeting attack, and they were hacked by that. If a nation-state went after them,” Mark Arena, CEO of Intel 471, said, “they’d crumble in a second.”

A May DHS analysis obtained by ProPublica found that cybercriminals continue to use software tied to Emotet to attack public and private sector networks. Emotet hackers sometimes sell access to compromised computers to a third party, said Roman Huessy of abuse.ch, a website that tracks malware. “This third party then may resell that access once again, and it sooner or later ends up with a ransomware gang,” Huessy said.

Kalember, the Proofpoint executive, said that the Emotet cybercrime group likely originated in Russia, raising the prospect that computers compromised by the malware could end up in the hands of Russia’s military intelligence agency, the GRU. “There’s tons of history of Emotet-like groups being coerced into doing things that the GRU wants,” Kalember said. “If I were running an intelligence operation, I’d absolutely want to use [malware] like Emotet because there’s plausible deniability on multiple different layers.”

This year, ProPublica revealed the frailty of parts of America’s patchwork election infrastructure, including outdated websites that publish voting results. We found that at least 50 election-related websites in counties and towns voting on Super Tuesday were particularly vulnerable to cyberattack.

As of June 2019, Texas requires all elected officials and county employees who have access to local government computer systems to undergo cybersecurity training every year. The Texas Association of Counties, which represents county officials, offers a free course that it says meets the state’s requirements. Jody Seaborn, a spokesman for the association, said that he had not heard about the Hamilton County malware episode and that the group “strongly encourages” counties to adopt cybersecurity best practices. A representative of the secretary of state’s office said that Hamilton County employees recently renewed their security training, as is required annually by Sept. 1.

Jackson said she works 60 hours a week, often returning to the office after dinner. She said she doesn’t have time to also be her department’s IT staff and wouldn’t know how to do it if she wanted to.

She remains in the throes of planning for November, having gotten little rest after just organizing a July runoff election. “I am still trying to master elections,” she said. “How am I supposed to do that if I can’t use my email?”
