The US Election Assistance Commission is responsible for certifying voting equipment.
A hacker breached the US agency responsible for certifying voting equipment, according to a new report, though it reportedly happened after Election Day.
Reuters reports that security firm Recorded Future was monitoring the digital underground and “discovered someone offering log-on credentials for access to computers at the US Election Assistance Commission.” Researchers from Recorded Future reportedly then posed as potential buyers and struck up a conversation with the hacker.
“They discovered that the Russian-speaking hacker had obtained the credentials of more than 100 people at the election commission after exploiting a common database vulnerability,” Reuters reports, citing Recorded Future’s Vice President of Intelligence, Levi Gundert, and Director of Advanced Collection Andrei Barysevich. The hacker was reportedly trying to sell details of that vulnerability to a government in the Middle East for “several thousand dollars.”
The researchers alerted law enforcement and the Election Assistance Commission about the breach; the vulnerability has since been fixed, the report notes.
The commission did not immediately respond to PCMag’s request for comment on Friday, but in a statement to Reuters said it’s “working with federal law enforcement agencies to investigate the potential breach and its effects,” adding that “the FBI is currently conducting an ongoing criminal investigation.”
Perhaps the scariest part of the whole incident is that, as Barysevich told Reuters, the hacker didn’t seem particularly sophisticated. He used a common technique called SQL injection to break in and steal a list of usernames and “obfuscated passwords, which he was then able to crack,” Reuters reports. The hacker also reportedly made off with “non-public reports on flaws in voting machines.”