Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns

The Hamilton County courthouse.

The Hamilton County courthouse. Shutterstock

 

Connecting state and local government leaders

The malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability in counties that don’t follow best practices for computer security.

Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.

But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.

“I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.

The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.

U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices.

A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn’t follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn’t use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.

Although the malware used against Hamilton likely originated with foreign hackers, it appears to have been part of a widespread campaign, rather than one that targeted election-related sites. The malware also doesn’t appear to have spread from Hamilton to other Texas counties. And because Hamilton is a so-called offline county, the attack didn’t affect state voter systems. State and Hamilton County officials said the intrusion won’t affect voters’ ability to cast ballots or have them tabulated.

Still, such attacks could rattle voters’ confidence — or, at worst, bring down systems on election day. The type of malware deployed against Hamilton, called Emotet, often serves as a delivery mechanism for later ransomware attacks, in which swindlers commandeer a victim’s computer and freeze its files until a ransom is paid. U.S. officials have expressed concern that those attacks — which have paralyzed government agencies, police departments, schools and hospitals — could potentially disrupt the election.

Harvard’s Belfer Center for Science and International Affairs, which specializes in establishing best practices for political campaigns and election officials, said in a February 2018 report that election officials should “create a proactive security culture.” For political campaigns, the group suggested using cloud-based email and office software, which are more likely to neutralize threats like Emotet before they reach a user’s inbox. Experts said smaller governments with fewer resources should heed that advice.

Hamilton County has 8,500 residents and voted for President Donald Trump by a 6-to-1 margin in 2016. Almost all of the county offices, including Jackson’s, are located in the courthouse. During the pandemic, residents submit paperwork through a cracked window at the top of the courthouse steps, next to the door. A handwritten note taped to the glass reads, “If we don’t see you, please yell!”

Jackson’s office uses multiple email accounts, runs Microsoft Windows and edits Word files locally on its computers, as opposed to a cloud service like Google Docs, which is more likely to strip out malicious code. None of the emails sent to Hamilton was flagged as suspicious, according to a ProPublica review. The county’s email system lacks two-factor authentication — a standard protection involving a second means of verifying a user’s identity. It also hasn’t implemented DMARC, a system that helps organizations and businesses confirm that emails sent from their addresses are authentic.

Last November, AT&T Corp. performed a security audit for the county clerk’s office, a service offered free to counties by the Texas secretary of state. Jackson said last year’s audit, which took place before her appointment, highlighted no major concerns, but another one is being conducted this year. A representative of the secretary of state’s office said that the audit is a “top-to-bottom assessment” of both physical and cyber security, including the email system, and said Hamilton “may or may not have” implemented the recommendations.

ProPublica obtained five malware samples from Hamilton County and identified them as Emotet. The security firm Proofpoint, which examined the samples at our request, traced them to two weeklong Emotet campaigns in mid-September likely involving millions of malicious email attachments.

Emotet tricks users into clicking on plausible-looking messages and following phony instructions that in reality disable security settings in Microsoft Office. If successful, the ruse allows the malware to hijack the victim’s email conversations and send phony replies from bogus accounts. Malware attached to the messages is primed for a new set of targets automatically selected from the victim’s inbox, further spreading the infection.

Jackson, who has been county clerk less than a year, said she didn’t know who in the office clicked on the fake messages. She also said she has received little help from the county’s outside IT firm, BizProtec LLC. She said she noticed what appeared to be phishing emails on Monday, Sept. 14, and first alerted BizProtec the next day. By that afternoon, BizProtec called to assure her that it had fixed the problem by changing computer passwords for her and the rest of the office, which Hamilton County employees cannot do on their own. But the new passwords didn’t help. By noon this past Monday, a week after the attack began, her inbox had more than 35 suspicious emails — including one that appeared to be from the county judge and contained malware.

Experts ProPublica interviewed said that changing passwords is unlikely to scrub malware. “You facepalm when you hear that advice,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “Unless you clean up an infection, it’ll just keep coming back. You can change your password a million times — it does not actually matter.”

Hamilton County wouldn’t say how much BizProtec charges for its services, but a work proposal for nearby Bosque County shows the firm bills $95 an hour for typical service calls and $125 for calls outside of normal business hours. BizProtec also appears to do IT work for Cooke, Falls, Gonzales, Wheeler, Young, Llano, Eastland and Somervell counties, procurement records show, which combined have more than 150,000 residents.

Email and phone messages left with BizProtec and its owner, Kerry Hancock, seeking comment this week were not returned. Email addresses for Uvalde, Kleberg and Matagorda counties appeared on Emotet-generated emails sent to a listserv of Texas officials. However, those counties said they were not infected, and it’s possible that their email addresses were taken from Hamilton County inboxes and used to spread the malware to recipients of Hamilton emails.

Hamilton residents and business owners have received malware from several county offices, according to Jackson. Yet the county’s top elected official, County Judge W. Mark Tynes, told ProPublica he doesn’t think there was a problem.

“We get spoofed all the time,” Tynes said, insisting to a reporter that he had no reason to believe the malware incident was anything serious. “BizProtec told me they were taking care of it,” he said. “I have no reason to be dissatisfied with BizProtec.”

Told that his own email address was being used to send infected messages, Tynes didn’t seem alarmed. “I’m retiring at the end of my term,” he said.

Security experts said there’s ample reason for concern. Last year, Emotet was one of the most common precursors for large-scale ransomware attacks, and the likely vector by which they wormed their way into municipal governments, according to a report by cybersecurity firm Intel 471.

“This is a massively spread, low-sophistication and low-targeting attack, and they were hacked by that. If a nation-state went after them,” Mark Arena, CEO of Intel 471, said, “they’d crumble in a second.”

A May DHS analysis obtained by ProPublica found that cybercriminals continue to use software tied to Emotet to attack public and private sector networks. Emotet hackers sometimes sell access to compromised computers to a third party, said Roman Huessy of abuse.ch, a website that tracks malware. “This third party then may resell that access once again, and it sooner or later ends up with a ransomware gang,” Huessy said.

Kalember, the Proofpoint executive, said that the Emotet cybercrime group likely originated in Russia, raising the prospect that computers compromised by the malware could end up in the hands of Russia’s military intelligence agency, the GRU. “There’s tons of history of Emotet-like groups being coerced into doing things that the GRU wants,” Kalember said. “If I were running an intelligence operation, I’d absolutely want to use [malware] like Emotet because there’s plausible deniability on multiple different layers.”

This year, ProPublica revealed the frailty of parts of America’s patchwork election infrastructure, including outdated websites that publish voting results. We found that at least 50 election-related websites in counties and towns voting on Super Tuesday were particularly vulnerable to cyberattack.

As of June 2019, Texas requires all elected officials and county employees who have access to local government computer systems to undergo cybersecurity training every year. The Texas Association of Counties, which represents county officials, offers a free course that it says meets the state’s requirements. Jody Seaborn, a spokesman for the association, said that he had not heard about the Hamilton County malware episode and that the group “strongly encourages” counties to adopt cybersecurity best practices. A representative of the secretary of state’s office said that Hamilton County employees recently renewed their security training, as is required annually by Sept. 1.

Jackson said she works 60 hours a week, often returning to the office after dinner. She said she doesn’t have time to also be her department’s IT staff and wouldn’t know how to do it if she wanted to.

She remains in the throes of planning for November, having gotten little rest after just organizing a July runoff election. “I am still trying to master elections,” she said. “How am I supposed to do that if I can’t use my email?”

Jack Gillum is a senior reporter at ProPublica based in Washington, D.C., covering technology and privacy. Jessica Huseman covers voting rights and election administration for ProPublica. Jeff Kao is a computational journalist at ProPublica who uses data science to cover technology and artificial intelligence. Derek Willis is a news applications developer at ProPublica, focusing on politics and elections. 

NEXT STORY: Senate Still Divided on Comprehensive Data Privacy Legislation

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.