How the Russians penetrated Illinois election computers


ByChuck Goudie and Christine Tressel WLS logo
Saturday, July 4, 2020
How the Russians penetrated Illinois election computers
Hackers stole voters' personal information from state election computers in July, 2016.

CHICAGO (WLS) -- The twelve Russians charged with hacking into Illinois' election database may have worked as intelligence agents, but the I-Team has learned it didn't take above-average computer intelligence to pull off the heist.

Russian hackers used a common computer trick employed by info-thieves, according to federal investigators.

The electronic intrusion, which occurred in July of 2016 at the Illinois State Board of Election, was via a hacking technique called "SQL injection." The names, addresses, dates of birth, driver's license numbers and partial Social Security numbers of about 500,000 Illinois voters are believed to have been stolen, according to federal indictments handed up last week against a dozen Russian operatives and information from state election officials.

"For a lot of voters there has been a lot of fear that there is going to be Russian hacking and stealing my vote after I cast my vote" said Matt Dietrich, spokesperson for the Illinois State Board of Elections. "Not one vote was changed in Illinois based on what happened 2 years ago. Not one vote was attempted to be changed based on that. That was not the object."

If the object was to simply gain access, grab information and sow discord, then the Russian operation seems to have succeeded.

"The Russians hacked into the computer networks of election officials and vendors in order to steal voter data and other information" said Sen. Dick Durbin , D-Illinois on Tuesday. "We know that Russia meddled in the 2016 election and we know that we should be gearing up for the Russians to interfere with the 2018 midterm election as well."

SQL, an acronym for Structured Query Language, is a database programming language. An "SQL injection" is a common piece of cyber-trickery used to illegally gain access to government, financial, business and private computers. Experts estimate that 8 of every 10 data breaches occur as a result of SQL injection.

The favored tactic of hackers usually begins with certain commands typed on a public web form and ends with broad access to the site's server. In the case of Illinois, after hackers typed a specially-crafted code into the election database search box, records were stolen and the board had to shut down registration for ten days.

At the time the FBI put out a special alert to state election authorities across the U.S. Many times the digital fingerprint leads investigators away from the actual culprits. As the I-Team revealed in 2016, Illinois cyber-attackers appeared to be a connected to a Turkish political party. Now though, two years later, federal agents say they have traced the attack to Russia.

Illinois election officials say they have taken measures to secure voter databases and web applications.

"Processor usage had spiked to 100% with no explanation" state investigators determined. "Analysis of server logs revealed that the heavy load was a result of rapidly repeated database queries on the application status page of the Paperless Online Voter Application (POVA) web site" they said.

State officials say new protocols are in place to prevent another such malicious attack.

"We concluded from the analysis of the attack that we could reasonably expect that various IVRS (Illinois Voter Registration System) passwords were compromised. These passwords included those of election authorities, their staffs, internal SBE users, vendors, and web services. In order to ensure that attackers could not access any portion of the system with stolen passwords."

According to internal reports, authorities reset all IVRS passwords in order to force users to change their password at next login; introduced enhanced password complexity requirements (length, special characters, numbers, etc.); mandated two-factor token login for all IVRS users; added password encryption to the IVRS database so that stored passwords could no longer be deciphered, even by SBE employees.

"In the wake of the breach 2 years ago we installed new firewall hardware and software we devoted personnel specifically to cyber security to shore up the system to make sure it wasn't going to happen again" said Dietrich.

The SQL injection ploy has been used by hackers around the world to gain access to corporate databases, banks and government agencies. The keystroke trick usually exploits vulnerabilities that are commonly present in databases that allow unauthorized access.

EDITOR'S NOTE: An earlier version of this story had an inaccurate definition of SQL. This has since been corrected.