Updated April 24 to add new developments.
The Mueller report released Thursday found that Russian spies successfully hacked into U.S. voting software during the 2016 elections, and North Carolina officials think there’s a chance it was software that’s in use here.
The N.C. Board of Elections now has sent a letter to VR Systems, whose voting software was used by 21 North Carolina counties in 2016. The letter, which was first reported by WRAL, asks the company to “provide immediate, written assurance regarding the security of your network.” (This quote has been corrected. A previous version quoted “assurance” as “insurance.”)
The Mueller report didn’t specifically name the company. But VR Systems confirmed in a written statement that it’s the company in question. The company’s software can’t be used to count or change votes. Instead, it manages the electronic polling books used to check in voters, to make sure people don’t vote twice.
The Mueller report found that “Russian cyber actors in 2016 targeted” the company, and “installed malware on the company network.” Durham County, which had numerous problems and delays in the 2016 elections, was using the company’s check-in software at the time.
The Mueller report does not go into the full extent of the hacking, and while it does say at least one Florida county was hacked, the report does not name any North Carolina successes for the hackers.
The VR Systems attorney to whom the Board of Elections sent its inquiry, Michael L. Weisel of Raleigh, told The News & Observer Friday that the company plans to formally respond to the state on Monday. But he said in an email that while there was a type of malware attack known as “spear phishing” conducted against VR Systems, the company does not believe its electronic check-in software was compromised.
“Contrary to the State Board assertions, VR Systems has never been informed by anyone (Homeland Security, NSA, etc) their software or systems have ever been compromised or ‘hacked,’” he wrote.
After this story was published, the company wrote to state officials: “Your letter misrepresented the report’s finding. As the indictment (against the accused Russian spies) and report clearly state, these are two separate hacking attempts by GRU. ... There is no causal link between the attempted hack into VR Systems, and the apparent access to one Florida county government from a separate spearphishing attack.”
Spear phishing, according to the FBI, is a fraudulent e-mail that appears to be from a sender that the recipient would know. The sender typically asks for personal data from the recipient.
Pat Gannon, a spokesman for the N.C. Board of Elections, said Friday that state officials don’t currently believe that the Durham problems in 2016 were caused by hacking but they just want to be sure.
“State Board investigators believe user error on the part of Durham County election and poll workers likely contributed to the 2016 incident,” Gannon wrote in an email. “However, the agency’s review to date, including questions posed to VR Systems, has not conclusively determined the cause, in part because the agency lacks the necessary technical expertise to forensically analyze the computers used in Durham County, and other government agencies declined the agency’s requests to evaluate them.”
He added that the problems they are investigating only involve voting on Election Day, when Durham “encountered problems with VR Systems’ electronic poll book software in several precincts. ... VR Systems did not immediately explain the cause of the issues. Durham County hired a digital forensics firm to investigate, but its report was inconclusive.”
In a company statement, VR Systems said it has completed a Homeland Security assessment, and hired new security consultants, as a direct response to the spear phishing attacks. “While we are proud of these efforts, we know that no system is ever completely secure and we work tirelessly every day to protect our systems and our customers,” the company said.
In its more recent letter, the company added that it tried to help with the Durham investigation — but the state turned down its assistance. “VR Systems previously offered to pay for additional forensic third-party investigation to help determine the cause of failure,” the company’s letter says. “However, the Board has rejected these offers.”
State election officials Wednesday told The News & Observer that they would not be responding publicly to the company’s letter “at this time.”
The Mueller report is not the first indication that VR Systems was targeted by Russia. The News & Observer reported the possibility that VR Systems was hacked by the Russian government nearly two years ago, in June 2017.
That reporting was based on the leak of secret National Security Agency intelligence to the news site The Intercept. The intel was leaked by an NSA employee named Reality Winner, who last year was sentenced to more than five years in prison for the leak.
After that news first broke in 2017, state election officials tried to stop local counties from being able to use VR Systems software in future elections. But VR Systems sued the state, with The News & Observer reporting at the time that the company argued “the elections board improperly revoked its license,” and a judge agreed to let VR Systems continue operating here.
State officials have identified 21 counties using the company’s software in 2016, and 17 counties using it now.