Two high-profile U.S. senators have taken a keen interest in a small Florida-based election tech company that may have unwittingly been used by Russian hackers to interfere with the U.S. presidential election in 2016.
Senators Ron Wyden (D-OR) and Amy Klobuchar (D-MN) on Wednesday sent a letter to FBI director Christopher Wray asking for more information about the agency’s interactions with Tallahassee, Florida-based VR Systems, which makes the “pollbook” devices used by counties in eight states around the country to verify the eligibility of voters arriving at the polls. The senators emphasized that “Congress and the American people still do not have a complete picture of the federal government’s efforts to detect and defend against this attack against our democracy.”
VR Systems was referenced–first in a leaked 2018 NSA report, then in the Mueller report–as the “U.S. Vendor” or “Vendor 1,” targeted in a GRU (Russian military) spearfishing attack that took place between August and November of 2016. The FBI and the NSA believe the GRU may have been trying to access the email addresses of VR Systems’ county election board end users, then send malicious code to those users that could alter the behavior of the company’s voter check-in hardware and software on election day.
And problems did occur with VR Systems products on November 8, 2016. The company’s EViD voter check-in devices used in several cities in Durham County, North Carolina malfunctioned and could not admit new voters for several hours. North Carolina Attorney General Josh Stein wrote in a letter to the Department of Homeland Security secretary Kirstjen Nielsen that some voters may have left polling places before voting. This sent election officials there scrambling to retrieve their physical pollbook backups, and created long lines of people waiting to vote.
In their letter, Wyden and Klobuchar asked Wray if the FBI examined the Durham County electronic pollbook devices, and the computers that control them, to find out if they had been breached or hijacked by malicious code. The Department of Homeland Security, at the request of Durham County, is planning to do a forensic audit of the computers used to control EViD devices in the county. The DHS has yet to respond to a Fast Company request for further information on the audit, including the expected completion date.
The FBI apparently had an inkling back in August of 2016 that Russian operatives might try to exploit election tech firms to interfere in the election. VR Systems said in a letter to Wyden that the FBI warned it during an August 2016 conference call to be on the lookout for a set of specific potentially-malicious IP addresses. VR Systems, after doing a log check, found that computers at the suspect IP addresses had indeed visited its website. VR Systems says it reported that fact back to the FBI, but didn’t find out until 2017 that the IP addresses the FBI warned about were part of a larger Russian effort to disrupt election systems.
In their letter, Wyden and Klobuchar asked Wray if the FBI ever followed up with VR Systems before the November 8, 2016 election. They want to know if the FBI examined the VR Systems servers and network for evidence of a security breach.
The senators also asked for the FBI’s opinion of the results of a FireEye investigation into VR Systems’ networks. VR Systems claims the investigation found no security breach, but hasn’t provided details. It’s unclear if VR Systems shared the results of FireEye’s work with the FBI.
VR Systems did not respond to requests for comment and clarification.
The FBI’s response to warning signs at VR Systems provides an example of the sluggishness with which the U.S. government has responded to Russia’s widespread and multipronged attack on the 2016 election. And as Fast Company reported last month, states and counties have still not performed the forensic analyses needed to understand fully the attacks that took place.