Updated at 9 p.m. ET
Russia's military intelligence agency launched an attack days before Election Day on a U.S. company that provides election services and systems, including voter registration, according to a top-secret report posted Monday by The Intercept.
The news site published a report, with redactions, by the National Security Agency that described the Russian spear-phishing scheme, one it described as perpetrated by the same intelligence agency — the GRU — that the Obama administration imposed sanctions on for the 2016 cyber mischief.
According to the NSA report, Russian hackers sent emails to people who worked at a company that provides state and local election offices with voter registration systems, trying to trick them into giving up their user credentials. The Intercept reports, "At least one of the employee accounts was likely compromised, the agency concluded." The NSA report says that the Russians then used information from that account to launch a separate phishing attack targeting 122 local election officials.
The hackers apparently sent the officials emails that appeared to be from the vendor in an effort to trick the recipients to click on an attachment or link that could have introduced malware into their computers. If they had been successful, the hackers could have gained control of the infected computer. The American spy agency acknowledges it doesn't know how successful the Russian efforts were in that effort or what information or access the GRU may have gotten.
A spokesman for the Office of the Director of National Intelligence declined to comment.
VR Systems, the Florida-based election systems provider referenced in the material, said in a statement:
"When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.
"Phishing and spear-phishing are not uncommon in our society. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.
"It is also important to note that none of our products perform the function of ballot marking, or tabulation of marked ballots."
Separately on Monday, the Justice Department announced that it is charging a 25-year-old Georgia woman who works for an intelligence agency contractor with sending classified material to a news organization.
Reality Leigh Winner of Augusta was arrested Saturday. The FBI said in court documents that she had been accused of printing out classified material and sending it by mail to a news outlet.
Two national security officials with knowledge of the matter confirmed to NPR on Monday that the cases are connected.
Winner's arrest follows the promise of a crackdown by the Trump administration on leaks, which have detailed a number of sometimes embarrassing details about the inner workings of the government and some of its national security arrangements.
"Releasing classified material without authorization threatens our nation's security and undermines public faith in government," Deputy Attorney General Rod Rosenstein said in a statement on Monday. "People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation."
The NSA document posted on Monday offers some of the most official details yet about Russia's cyberactivity, which the U.S. intelligence community has previously discussed in much broader terms. It also confirmed that the Russian attacks continued after the Department of Homeland Security publicly attributed the meddling to Russia's intelligence agencies, confirming that those statements did not deter more cyberattacks, and after President Barack Obama's warning to Russian President Vladimir Putin in September "to cut it out, there were going to be serious consequences if he did not."
Intelligence agency leaders say that Russia's attacks did not change any actual votes in the 2016 race, but election technology experts have been concerned for years that hackers could attempt to manipulate not only individual voting machines but also other equipment used to run elections, such as those that tabulate votes or keep track of voter registrations.
While the machines that voters use to cast their ballots are not connected to the Internet, the computers used to program these machines, or to run elections, can be connected at some point, leaving them vulnerable to cyberattacks.
J. Alex Halderman, a computer security expert from the University of Michigan, is among those who have been sounding the alarm for years.
"It's highly significant that these attacks took place, because it confirms that Russia was interested in targeting voting technology, at least to some extent. I hope further investigation can shed more light on what they intended to do and how far they got," he says.
Halderman and others note that local election officials often contract with private vendors, such as VR Systems, to program their voting equipment. He says if those vendors are hacked, then malware could easily be spread to local election offices and ultimately to individual voting machines.
Jeremy Epstein, another voting security expert, said that even though the NSA report describes efforts to hack into voter registration systems, once hackers have access to a local election office's computers, they can potentially infect other aspects of the election.
"If I was a Russian trying to manipulate an election, this is exactly how I would do it," he says.
Experts say it would be difficult to know whether votes had been tampered with unless the equipment had a paper ballot backup. Those paper ballots can be used to verify whether the election results reported electronically were correct.
Lawrence Norden of the Brennan Center for Justice at the New York University School of Law notes that seven of the eight states that use VR Systems services — California, Florida, Illinois, Indiana, New York, North Carolina and West Virginia — have paper-based systems. And most of the equipment used in the eighth state — Virginia — also use paper.
Another concern is that even if hackers did not try to change the actual election results, they could undermine confidence in the voting system by causing enough confusion at the polls to raise doubts about the results. That could happen, for example, if voters showed up at the polls to find that their names were not listed or listed incorrectly.