JUNEAU — A hacker gained unauthorized access in 2016 to the server that hosts Alaska’s public elections website, according to documents released by Gov. Bill Walker’s administration.
The documents, obtained by the Anchorage Daily News through a public records request, outline an incident that drew the attention of federal law enforcement but had not been publicly revealed by Alaska election officials.
The documents show that Alaska’s elections, like other states’ around the country, face threats from hackers seeking to undermine American democratic institutions. But technology experts both inside and outside state government said that no damage was done — and that the attack actually highlights the resilience of Alaska’s multi-layered cyber-defenses.
“I’m surprised elections officials haven’t been more proactive in telling this story,” said Joseph Lorenzo Hall, chief technologist at the Washington, D.C.-based Center for Democracy and Technology, who reviewed the documents at the ADN’s request. He added: “It could have been a lot worse for Alaska.”
An earlier incident involving Alaska’s elections system was made public in September, when state officials said an election-related server was scanned by Russian cyber-actors. In that case, the state said that the event, which it learned about roughly a month before Election Day, did not amount to a security breach.
But elections officials never disclosed an apparently unrelated, successful intrusion into the website-hosting server on Election Day. They now say the attack had no effect on the integrity of Alaska’s election or the counting of votes.
The state elections director, Josie Bahnke, said the internal documents do not change her account of the 2016 election. The state did not announce the hacker’s unauthorized access because the elections process wasn’t “impeded” by the event, the state elections division said in a prepared statement.
There was no confidential data on the hacked server, and there was no way for the server to bring malicious data into state networks because it could not make outgoing connections to the internet, current and former state officials said in interviews.
“No voter data was compromised. No results of the election have changed. And we continue to conduct secure elections,” said Bahnke.
State and federal officials, and the public, have made elections security a focus since 2016. The U.S. Department of Homeland Security last year told officials in 21 states, including Alaska, that hackers affiliated with the Russian government targeted their elections during the 2016 campaign.
At least two states were successfully attacked by the Russian hackers. In Arizona, they stole a county elections official’s login information; in Illinois, they downloaded information about thousands of people from that state’s voter registration database, including partial Social Security numbers.
There’s no evidence those incidents affected the outcome of the 2016 election. In Alaska, computers using Russian-affiliated internet addresses simply scanned an elections-related server, but they didn’t try to gain any kind of unauthorized access, said the state election division’s systems administrator, Phillip Malander.
The state has previously acknowledged that scan. It had not disclosed the other incident, which the state learned of at 5:30 a.m. on Election Day, Nov. 8, according to the public records.
A Twitter user named CyberZeist had posted a screen shot “from what appeared to be a compromised Alaska Division of Elections reporting system,” Chris Letterman, who was then the state’s chief information security officer, wrote to another state official on Election Day afternoon.
The reporting system hosts one of the state’s three publicly available elections results pages, along with other public websites. CyberZeist had found a weakness in a computer language called PHP — a weakness that software developers publicly revealed in October 2016, along with an update to fix it. The announcement meant that hackers likely knew about the weakness, and how to exploit it.
The state elections reporting system normally would have been automatically updated to patch the weakness. But a state cybersecurity analyst, Myron Davis, had inadvertently broken the automatic update process in September 2016, when he was trying to make more efficient use of storage space, according to the documents.
The hack granted CyberZeist administrator privileges, which theoretically allowed the hacker to view all files on the server — not just the ones available to the public. But none of the files held on the server were confidential, and the hacker could not modify them, officials said.
A Twitter user named CyberZeist touted his hack of one of Alaska’s elections-related servers in 2016, in a screen grab captured by a blog, ForensicsXploited.blogspot.com.
CyberZeist posted a screenshot from the reporting system on Twitter, with a message: “#USElections2016 Alaska Election Division online #ballot administrator access #pwned.. waiting for people to start voting.” (“Pwned” is a commonly used expression on the internet to indicate when something has been hacked or defeated.)
The hacker also contacted an Australian security researcher and internet publisher, Lee Johnstone, Johnstone said. CyberZeist told Johnstone that the system was running an out-of-date operating system, and sent a screenshot that suggested they could edit elections-related web pages.
The screenshot, however, came from a test area that didn’t actually have the power to alter publicly accessible pages, Alaska elections officials said.
“It was all shady and seemed more media-bait than anything else,” Johnstone said in a message, suggesting that CyberZeist wanted their attack to be publicized.
CyberZeist’s identity and motives are hazy. The hacker was once part of a collective called UGNazi, according to a private security firm’s report included in the public records request.
The collective waged successful attacks to take down the websites of the CIA and NASDAQ, and it repeatedly posted online the Social Security number and address of former New York City mayor Michael Bloomberg, according to Wired. CyberZeist left the group in 2012 and has made subsequent attacks on financial institutions, according to the security firm’s report.
CyberZeist told the tech website Gizmodo that they attacked Democratic National Committee members using information from the successful, Russian-linked hack of the email account of Hillary Clinton’s campaign chairman, John Podesta. But, CyberZeist told Gizmodo: “I am not directly linked with the Podesta hacks.”
Alaska officials said they have received no information that links CyberZeist’s attack with the separate, Russian-affiliated internet addresses’ scans of the state elections-related server.
A spokesman for the U.S. Department of Homeland Security, Scott McConnell, referred questions about the attack back to the state.
Davis, the state security analyst, pinpointed the internet address of an Indian power company as the one he thought CyberZeist used to make their attack on Alaska. It’s likely the attacker wasn’t actually in India and instead used the address to conceal their true location, said Hall, the Washington, D.C.-based technology expert.
Johnstone, the Australian security researcher, ultimately published a story about the hack on his website, Cyber War News, headlined: “Alaska elections result site hacked by CyberZeist.”
But the information did not spread to organizations with broader circulation, and Alaska news outlets did not pick up the story.
State officials recounted the incident to an FBI agent, who in turn reported it to a federal judge, according to one of the emails in the public records request. But state technology experts found no evidence that CyberZeist changed anything on the hacked server.
The server couldn’t even make outgoing connections to the global internet, according to Davis, the state security analyst who’s since left his job. The server was specifically limited so that it could make outgoing connections only to one other computer: the state server that transmitted software updates.
“It could not connect anywhere else,” Davis said in a phone interview. “It was pretty well locked down.”
The computer system that actually counts and adds Alaska’s vote totals is completely separate from the one that hosts the public website.
It’s also not connected to the global internet, and it only transmits data to the reporting system by disk, in one direction. State elections officials call it a “sneakernet,” since you need sneakers to walk data from one system to the other.
Those different layers of security are “beautifully done,” said Hall. CyberZeist’s intrusion was analogous to a burglar who successfully broke through a screen door, but got no further, he said.
“All the other doors and other things did exactly what they were supposed to do,” he said. “This is just a glorious example of things working.”
Alaska’s elections division wants to keep voters informed of situations “that would adversely impact the exercise of their voting rights,” the division said in its prepared statement.
But it also wants to keep both foreign and domestic adversaries from sowing uncertainty and mistrust in the state’s democratic process — and there’s a risk that comes with publicizing a hack that had no practical effect on the 2016 election, elections officials said.
“Their whole goal is just to undermine people’s confidence in the electoral process and the system,” said Malander, the elections division’s systems administrator.
Alaska’s elections system scored well on a February security review by the Washington, D.C.-based Center for American Progress: It was one of 11 states to receive a ‘B,’ the highest grade awarded.
In this year’s election, Alaska will stop allowing voters living or stationed overseas to return ballots electronically, a practice that the center’s report called “notoriously insecure.”
Alaska elections and technology officials, in interviews and emails, broadly described other steps they’re taking: new login restrictions and procedures for identity confirmation, new information-sharing tools and a federal security clearance obtained by Bahnke that will grant her more access to details about threats and defenses.
But officials were hesitant to delve into the details of those measures. Alaska’s election system, with its paper ballots and layers of protections, is secure, and residents are better off focusing on other threats to their democratic institutions, said Bill Vajda, the state’s chief information officer.
“We are taking steps to make sure that we’re protecting the integrity of the security of the technology and infrastructure,” Vajda said in an interview.
“The real focus of the story isn’t us,” he said, pointing instead toward Russian-linked efforts to distribute false news stories on social media. He added: “Facebook sold ads to the Russians to promote fake news, and they got called in front of Congress to answer.”
One Alaska lawmaker said the CyberZeist attack underscores the importance of keeping the state’s elections secure from foreign interference.
“I think there’s always room for improvement; I think this highlights that fact,” said Sitka Democratic Rep. Jonathan Kreiss-Tomkins, who chairs the House State Affairs Committee, which has jurisdiction over elections.
He said he’s considering holding a hearing on elections security this week.