Eight U.S. states contract with VR Systems, a Florida-based election products and services vendor targeted in a Russian cyberattack aimed at accessing local election boards, according to a top-secret National Security Agency report.
California, Florida, Illinois, Indiana, New York, North Carolina, Virginia and West Virginia rely on equipment and support provided by the company specializing in voter registration, which likely had at least one employee account login compromised, according to report, which was first obtained and independently authenticated by The Intercept.
Of those states, Indiana and Virginia don’t require risk-limiting audits of backup paper ballots post-vote—the only way to ensure electronic results and, thereby, election legitimacy, as Route Fifty previously reported.
“We learned about this report like everyone else,” Kay Stimson, a National Association of Secretaries of State spokeswoman, told Route Fifty in an interview. “For us, it’s really important to make sure elected officials are aware of the existence of this report.”
The effect on state and local election management remains unclear, though the malware was designed to gain control of system and settings functions that would allow the automatic delivery of even more malware. Encrypted information could then be funneled out, likely alerting the owner to the theft but not the content.
Organizations like Verified Voting and the Institute for Critical Infrastructure Technology have warned federal, state and local officials geo-targeted malware could be injected at the manufacturer level with the end goal of altering the electronic vote tally in swing regions of swing states.