An Oct. 7 ransomware attack targeted a database used to verify voter signatures in Georgia, and the database is still not fully functional, according to the Gainesville Times, a local newspaper. But many of the other Hall County systems affected by the ransomware attack have been restored.
The DoppelPaymer gang has taken credit for the attack, according to Brett Callow, a threat analyst at the security firm Emsisoft. He says this may be the first successful ransomware attack that has affected part of the election infrastructure.
Kay Wimpye, a county voter registration coordinator, tells the Gainesville Times that, despite the problems with the voter verification database, signatures can still be verified using hard copies of the voter registration cards.
In an update posted to the Hall County website on Thursday, officials note that the “voting process for citizens has not been impacted by the attack.” A spokesperson for the county declined to comment further about the incident on Friday, citing the ongoing investigation.
The county, located about an hour’s drive north of Atlanta, has about 180,000 residents.
Voter Databases Vulnerable
In August, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency published an alert saying that local voter registration databases across the country are vulnerable to ransomware.
Christopher Krebs, CISA’s director, has said that, because state districts’ voter databases are stored in highly centralized networks, these repositories are vulnerable to hacking and ransomware attacks by nation-state actors as well as cybercrime gangs (see: CISA’s Krebs: 2016 US Elections Were Cyber ‘Sputnik’ Moment).
Meanwhile, the FBI and other government agencies warned this week that countries such as Iran and Russia are increasingly stepping up their efforts to interfere in the U.S. election both before and after Nov. 3.
The Oct. 7 ransomware attack in Hall County affected IT systems, phone service and parts of the county’s website, including a voting precinct map, according to the Gainesville Times and information provided by county officials.
The county is continuing to work with security firms to fully restore affected systems, but few details have been released.
Callow of Emsisoft says what’s most concerning about incidents targeting election infrastructure “is the very real potential for them to result in disinformation, which could make what’s likely to be a contentious election even more contentious.”
It was inevitable that a ransomware attack would eventually target election infrastructure, says Brandon Hoffman, CISO at security firm Netenrich.
“The ransomware spree has gone essentially unchecked, and it stands to reason that type of malware would be the one to hit,” he says. “On the other hand, with ransomware, election infrastructure probably wasn’t the main target. However, the fact that this was successful validates the attack path. Attack path validation is a key step in any attack sequence, and testing it on small-scale scenarios always makes sense. If security professionals working with voting technology were not already extra vigilant, there’s no time to waste in getting overprepared.”
The DoppelPaymer gang, which Callow says is claiming credit for the Georgia attack, uses crypto-locking malware to not only encrypt files after an attack but also to exfiltrate data as a way to pressure victims into paying a ransom by threatening to publish it (see: More Ransomware Gangs Threaten Victims With Data Leaking).
A screenshot provided to ISMG shows some Hall County files, such as a PDF of a commercial plan review and other data, are listed on the DoppelPaymer darknet “leak” site. The screenshot does not list any voter registration data available.
DoppelPaymer is a variant of BitPaymer. The DoppelPaymer gang, which came into the limelight in June 2019, is known to demand ransoms of $25,000 to $1.2 million, according to the cybersecurity firm CrowdStrike (see: DoppelPaymer Ransomware Gang Threatens to Dump Victims’ Data).
The DoppelPaymer gang has been linked to other high-profile attacks, including an August incident that affected Boyce Technologies, a Long Island City, New York-based manufacturer of transit communication systems that was building ventilators during the COVID-19 pandemic (see: Ransomware Reportedly Hits Ventilator Maker).
Managing Editor Scott Ferguson contributed to this report.