Georgia Election Data Hit in Ransomware Attack

With Election Day approaching, local governments need to be prepared for malware attacks on election infrastructure.

Ransomware gangs have officially entered the 2020 election fray, with reports of one of the first breaches of the voting season, on Hall County, Ga. The county’s database of voter signatures was impacted in the attack along with other government systems.

Although the county said the voting process hasn’t been impacted by the ransomware attack, the incident is a warning to other municipalities to lock down their systems, particularly in these last days leading up to the election.

Hall County sits about an hour north of Atlanta and first reported the attack on Oct. 7.

Ransomware attacks involve a criminal introducing malware into the target’s systems, which then takes over an organization’s data and encrypts it until a ransom is paid.

Hall County’s Ransomware Attack

On Oct. 21, the Gainesville Times reported the county’s precinct map was down as a result of a ransomware attack, in addition to a voter-signature database.

It wasn’t until Oct. 22 that the county announced, “The voting process for citizens has not been impacted by the attack.”

“A ransomware attack has occurred involving critical systems within the Hall County government networks, including an interruption of phone services,” according to a news release. “As soon as it occurred, the county began working to investigate the cause, to restore operations and determine the effects of the incident.”

Hall County registration coordinator Kay Wimpye told the paper that some of the systems are already back up and running, and that if there is a question about a ballot signature, county employees are still able to pull voter-registration cards manually. But with record numbers of mail-in ballots being submitted, that could prove to be a time-consuming process.

Wimpye told the Times that her office sent out 27,573 absentee ballots as of Oct. 21, and 11,351 had been sent back. The Georgia Secretary of State reported that by Oct. 21, 2016, 103,239 mail-in ballots had been returned, compared to 805,442 on the same day in 2020, showing an explosion in the number of voters opting for mail-in voting this election cycle. Although the signatures are being verified now, the ballots won’t be tabulated until Election Day, according to the Times.

Ransomware & the Public Sector

Ransomware attacks timed this close to Election Day threaten to throw an already contentious competition into total disarray.

Brandon Hoffman, CIO at Netenrich, called the attack on voting infrastructure “inevitable.”

“The ransomware spree has gone essentially unchecked and it stands to reason that type of malware would be the one to hit,” he added. “On the other hand, with ransomware, election infrastructure probably wasn’t the main target.”

But, Hoffman warns, that could change.

“The fact that this was successful validates the attack path,” he said. “Attack-path validation is a key step in any attack sequence, and testing it on small-scale scenarios always makes sense. If security professionals working with voting technology were not already extra-vigilant, there’s no time to waste in getting over-prepared.”

Public-sector organizations are already a juicy target for malware attacks. More than half (52 percent) of public-sector organizations have been attacked and saw malware spread from a compromised user to colleagues, according to a recent report on public sector email security from Mimecast.

The report added that 9 percent of those attacked experienced more than a week of downtime as a result, the most of any industry. And with the election just over a week away, that could spell disaster for getting votes tabulated in time.

Matthew Gardiner, cybersecurity strategist at Mimecast, told Threatpost by email that attackers see an easy payday in local governments.

“Ransomware-centric cybercriminals are focused on money,” he said. “Thus, they focus on hitting organizations that are relatively easy to get into and have an ability/willingness to pay the ransom. In general, cities, municipalities, towns, and school districts score high here.”

Once a ransom is paid, Gardiner compared it to “blood in the water for sharks,” drawing in more predators. The election deadline may up the price for the data or motivate targets to pay more quickly, but besides that, Gardiner doesn’t see the election outcome as a specific motivator for cybercriminals.

Patching & Training

To keep systems protected at such a sensitive time, two simple things can make a big difference: Patching and employee training, according to Daniel Norman, senior solutions analyst at Information Security Forum.

“Moving forward, end users should receive ample security awareness, education and training on the threat of ransomware, particularly its delivery mechanism,” Norman said in an emailed statement. “Typically, the success of ransomware is reliant on whether or not the target organization has patched its devices properly. Therefore, having all systems patched and up-to-date is a minimum for security.”

Ransomware is on the rise across the globe thanks to the pandemic, up more than 109 percent over last year, according to SonicWall’s 2020 Cyber Threat Report.

Hank Schless, senior manager with security solutions at Lookout, pointed out that workers scattered across the globe on mobile devices are more vulnerable than ever to socially engineered ploys as they toggle between personal and professional applications.

“As workers across the globe began working from home, organizations enabled their employees to stay productive by using mobile devices, and attackers know this,” Schless said.

“Organizations that are proactive about securing mobile devices with mobile security are at the forefront of innovation and demonstrate that they are adapting to today’s rapidly evolving threat landscape,” he added.

As for Hall County, their spokeswoman Katie Crumley declined to provide a comment to Threatpost, beyond the press release, “for security purposes.” The statement said the county “has enlisted the assistance of third-party cyber security professionals to expedite the recovery.”

 
