Date: 2022-02-23

The Idaho Secretary of State’s office is working with a handful of counties hit with an email phishing attack that has a slim potential to affect how primary elections are conducted this coming spring.
That is a worst-case scenario, said Deputy Secretary of State Chad Houck at Boise.
“It is not at that scope. It is not at that scale. The channel this is in at the moment has been email, and it’s not election email. It’s email at large, it’s a county email (issue).”
Right now, his office is helping the affected counties remove malware infecting their email systems, a process that typically takes from a few hours to a few days, depending on the size of the system. Houck declined to name the counties, saying it may make their systems more vulnerable.
The websites of both Nez Perce and Lewis counties were offline Tuesday, and Nez Perce County experienced some email problems, said Nez Perce County Clerk Patty O. Weeks. But she maintained access to the state’s voter database and said she didn’t know if the website problem was related to an email phishing attack. Weeks said county information and technology staff have been working tirelessly over several days to fix the problem.
Houck said that, like many email scams, the attack works when someone opens a malicious attachment — in this case in the form of an Excel spreadsheet. That allows a virus to infect the machine.
“It can then exfiltrate data from that user’s email, specifically their email address books and previous emails they have received,” he said.
It then sends the same infected attachment to those addresses and cloaks itself so that it appears the message is coming from somebody the recipient knows, making them more likely to repeat the mistake.
At this point, the unknown senders have not used ransomware or attempted to inflict harm to the infected systems. But it’s possible they could do so later or they may curate passwords if that information has been shared via email messaging.
“They haven’t done anything that is a proactive attack,” he said. “It’s more looking like they are broadening the footprint of where they have access.”
He doesn’t have any evidence that the people behind the plot have intentions to interfere with elections or voter data. But the state is planning for that scenario.
“If they are in my kitchen, I’m going to read that they are after my recipes,” he said.
When a county’s email system is infected, Houck said operational protocols dictate that the county is cut off from the state’s voter registration software and databases. They remain blocked until the malware is removed and passwords and permissions to state voter data are reset and the system is deemed secure.
“That is days to a week depending on how fast things on a county level happen in terms of mitigation.”
There is no threat to voter tabulation or risk that votes may be changed, he said. But there is concern an attack could interfere with the smooth operation of elections by blocking access to voter rolls. The rolls are used by election workers to make sure voters who show up to cast ballots are registered. In some counties, they are printed and distributed to poll workers. In other counties, they are electronic and accessed via electronic tablets like iPads.
If a county was hit with an attack blocking access to the rolls in the days leading up to an election, Houck said there are contingencies in place. For example, the state could print the rolls and distribute them to polling places. Idaho law also allows voters to register at the polls and, in a worst-case scenario, all voters at some precincts could have to go that route if voter rolls were unavailable.
The Secretary of State’s office was hit with the same phishing scam more than 90 times in two days. But the state’s defense systems caught and blocked the emails. The same thing happened in many of the state’s 44 counties.
“Unfortunately there were other places that didn’t have those kinds of tools set up,” Houck said.
Nonetheless, other security measures detected the presence of the malware when it started exfiltrating email addresses.
In addition to securing those systems, Houck said the state is working with the affected counties to beef up their defenses.
“This was an exploitation that by all practical purposes could have and should have been stopped and in many cases and many counties was,” he said. “It should have been filtered before it ever got to end users.”
