Menu
Hacker allegedly stole logins from a US election agency

Hacker allegedly stole logins from a US election agency

A Russian-speaking hacker was found trying to sell the allegedly stolen login credentials

A Russian-speaking hacker has been found selling stolen login credentials for a U.S. agency that tests and certifies voting equipment, according to a security firm.

The hacker was attempting to sell more than 100 allegedly compromised login credentials belonging to the U.S. Election Assistance Commission (EAC), the security firm Record Future said in a Thursday blog post. The company said it discovered online chatter about the breach on Dec. 1.

Some of these credentials included the highest administrative privileges. With such access, an intruder could steal sensitive information from the commission, which the hacker claimed to have done, Recorded Future said.

According to screenshots obtained by Recorded Future, the hacker had access to details about tests of election systems and software.

The EAC said it has terminated access to the affected application and is working with federal law enforcement to determine the source of the criminal activity.

The EAC was formed in 2002. In addition to certifying voting systems, it develops best practices for administering elections.

In a statement, the commission said that it was aware of a “potential intrusion” involving a web-facing EAC application.   

The possible breach comes after weeks of allegations that the Russian government attempted to influence last month's U.S. election through several high-profile hacks.

The commission does not directly administer U.S. elections. They are carried out by states and local jurisdictions.

“The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals,” the commission said.

rasputin eac breach 1 Recorded Future

A systems status report page on the commission's application.

Record Future also said the hacker it identified doesn’t appear to be sponsored by any foreign government. The security firm’s blog post didn’t cite any evidence that the hack had resulted in vote-tampering in the election.

To pull off the breach, the hacker exploited an unpatched SQL injection vulnerability, a common attack point found in websites. The hacker may also have tried to sell details about this vulnerability to a broker working on behalf of a Middle Eastern government, Recorded Future said.

“It’s not uncommon for this type of vulnerability to lead to broader system level access, however, in this case the full extent of the EAC compromise remains unknown,” Recorded Future said.

The stolen login credentials could have also allowed a hacker to modify or plant malware on the commission’s web-facing application, the company said.

It’s unclear how long the vulnerability remained unpatched, so it’s possible other bad actors may have exploited it, Recorded Future said.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments