Georgia Election Data Leak: Sizing Up the Impact
Data Dump Could Raise Concerns About Election Integrity, Security Experts Say
The data dump of citizens' election information following a ransomware attack against Hall County, Georgia is likely to raise concerns about the integrity of this year's vote, some security experts say.
While some of the data posted this week on a darknet ransomware forum was already publicly available, the fact that a cybercriminal gang dumped these stolen files the week before the Nov. 3 election is likely to raise questions around voting security and whether the public can trust the results, says Brett Callow, a threat analyst with the security firm Emsisoft.
"Beyond the problems associated with the disruption to election processes, these attacks also present a risk to the perceived integrity of the election," Callow says. "It’s very easy to see how an incident such as this - in which a bad actor may have accessed certain election-related systems - could result in disinformation and claims of overseas interference."
Earlier this week, the Wall Street Journal reported that the hackers behind the Oct. 7 ransomware attack against Hall County dumped the files that they had exfiltrated. While officials had brought some of the IT systems back online, a database used to verify voter signatures remains affected by the incident.
The data dump included administrative files and election information related to county citizens, according to the Wall Street Journal.
Tom Kellermann, the head of cybersecurity strategy at VMware, notes that cybercriminal gangs that wield ransomware are usually motivated by money, but they can have other motivations as well.
"This incident in Georgia has the hallmarks of Russian cybercriminals attempting to sow discord," Kellermann, who served as a cybersecurity adviser to former President Barack Obama, tells ISMG.
Ray Kelly, principal security engineer at WhiteHat Security, notes that while election security has improved, the attack directed at Hall County should make security professionals question how secure the infrastructure is.
"It really brings into question how effective the measures put in place to ensure a safe election will be as we find ourselves in the final stretch of the election," Kelly says. "Precautions were taken; however, the hack still occurred."
The use of ransomware by hackers against local government and election infrastructure is one of the main cybersecurity concerns in the lead-up to the Nov. 3 election, says Kacey Clark, a threat researcher at security firm Digital Shadows.
"Threat actors have already conducted surveillance operations on infrastructure that could impact election day, and there is a severe concern regarding ransomware campaigns that may seek to target networks and machines critical in running the U.S. election," Clark says.
In August, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency published an alert noting that local voter registration databases across the country are vulnerable to the type of ransomware attack seen in Georgia.
Meanwhile, the FBI, CISA and other government agencies are investigating an increasing number of ransomware incidents that have targeted hospitals around the U.S. (See: US Hospitals Warned of Fresh Wave of Ransomware Attacks)
Most of the security discussion ahead of the Nov. 3 election has focused on the threat from nation-state actors, especially Russia, China and Iran. But the U.S. is still in a better position on election security than it was in 2016, says FBI Special Agent Elvis Chan, an expert on election security (see: FBI on Election: 'There's Going to be a Lot of Noise').
One of the reasons that Chan says he's "cautiously optimistic" about maintaining election security is that government agencies are sharing more information with state and local government. In a recent interview with Information Security Media Group, Chan notes that there will be a "lot of noise" just before the election but that voting should remain secure.
"If you are in a state where you are allowed to drop off the ballot … now is the time," Chan says. "What I want people to know is that state and county municipal elections officials take this very seriously, so that you can trust them when you're handing your ballot off to a postal worker or in the dropbox. It will get to the right place."
While officials in Hall County are not commenting on the specifics of the ransomware attack, information posted to the Hall County website notes that the "voting process for citizens has not been impacted by the attack."
While the investigation into the Oct. 7 ransomware incident in Georgia continues, some security researchers say the cybercriminal gang behind the DoppelPaymer ransomware apparently was involved.
DoppelPaymer is a variant of BitPaymer. The DoppelPaymer gang, which came into the limelight in June 2019, demands ransoms of $25,000 to $1.2 million, according to the cybersecurity firm CrowdStrike. The gang is also known to exfiltrate data and use that as leverage to make victims pay (see: DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data).
Hall County officials have not indicated the size of the ransom that the DoppelPaymer gang demanded, but the Wall Street Journal reported this week that the county's data was listed on the gang's website along with other information noting that the "time to pay is over."