Special counsel Robert Mueller's latest indictment offers new details of just how deeply Russian operatives have infiltrated state and local election agencies across the U.S. — adding to years of warnings about the technologies that underpin American democracy.
Deputy Attorney General Rod Rosenstein said Friday that hackers within Russia's GRU military intelligence service targeted state and local election boards, infiltrated a Florida-based company that supplies software for voting machines across the country, and broke into a state election website to steal sensitive information on about 500,000 American voters.
While the FBI had issued warnings in 2016 about hackers breaching state election websites in Illinois and Arizona, the latest indictments in Mueller's ongoing Russia probe surfaced the most granular account yet on foreign operatives’ efforts to tamper with U.S. election systems.
Sen. James Lankford (R-Okla.) said the charges outline a Russian “attack on our democracy.”
“Today’s indictments are also another sign that we must enact election security legislation to protect our election infrastructure from attacks from foreign entities,” who is sponsoring a bipartisan bill to beef up U.S. election safeguards.
The indictment says one defendant —Anatoliy Sergeyevich Kovalev, a Russian military officer that allegedly worked with the GRU — orchestrated attacks targeting "state and county offices responsible for administering the 2016 US. Elections."
Russian operatives hacked into the website of an unidentified state board of election office, according to the charges, and stole sensitive personal information.
The Russians also breached an unidentified company that sells voter registration software and then pretended to be an employee of that company in “over 100” spear-phishing messages sent to election administrators in several Florida counties, according to the charges. That fits the narrative of a classified NSA report published last year by The Intercept, which identified the vendor as Florida-based VR Systems.
While there's no indication the actions outlined in the indictments changed voting results or interfered with the voting process, Rosenstein said that allegations underscore the federal government's grave concerns about election security.
"There's a concerted and organized effort by the federal government to make sure that we do deter and prevent any sort of cyberattacks on our elections and that we harden our election systems to prevent against any kind of intrusions," he said.
Indeed, election security has become a key priority in Washington since the 2016 election, with many lawmakers warning that state officials remain woefully unprepared to protect the polls during this year’s midterms. In fact, revelations in the indictments will confirm the worst fears of many in Washington who believe the 2016 election meddling was just a precursor for what the Kremlin has planned this November.
“The charges indicate that this wasn’t just a campaign by Russia to influence voters, but an effort to hack election software to change the outcome,” Barbara McQuade, a former U.S. attorney in Michigan, told POLITICO. “This should be a wake-up call to safeguard our upcoming elections as a matter of national security.”
Earlier this year, Congress gave the federal Election Assistance Commission $380 million for states to bolster security at the polls. So far, many states have described how they plan to use the money to replace voting systems and upgrade software, but this week lawmakers criticized 18 states for not moving fast enough to protect election systems.
In a report this week, Democrats on the House Committee on Administration said that states would likely need some $1.4 billion over 10 years to properly enhance cybersecurity at the polls.
In a ranking of how states are doing when it comes to improving security, it gave Delaware, Georgia, Louisiana, New Jersey and South Carolina the worst ratings because they rely solely on electronic voting machines that leave no paper trail, which makes it impossible to check the results against a physical vote count.
The Department of Homeland Security confirmed last summer that Russians had targeted the voter registration databases of 21 states, but Chris Krebs, undersecretary of DHS's National Protection and Programs Directorate, testified Wednesday that he thinks they tried to target every state and territory in during the heated 2016 presidential race.
"I would suspect that the Russians scanned all 50 states," Krebs said, adding that 21 "was the number we were able to see."
At the same hearing, Krebs told lawmakers that they shouldn't expect widespread upgrades of voting software and other technologies due to the scope of such an undertaking. “There are challenges from a procurement process,” said Krebs, adding that “there’s not enough money to transition.”
Mueller and Director of National Intelligence Dan Coats have both said they've seen evidence of ongoing Russian-led disinformation campaigns via social media meant to influence midterm elections. But Krebs said DHS has not seen any evidence of attempted hacking or other attacks aimed at election officials, organizations or infrastructure ahead of the midterms.
On Friday, speaking at an event at the Hudson Institute, Coats said he agreed with the DHS assessment that Moscow hasn’t yet started an online campaign comparable to the multi-faceted attacks it launched in 2016.
However, “we fully realize we are just one click of the keyboard away from a similar situation repeating itself," he said.
Russia is “persistent," Coats added. "They’re pervasive, and they are meant to undermine America’s democracy on a daily basis.”
Darren Samuelsohn and Eric Geller contributed to this report.