Russians Believed To Have Used Spear-Phishing In Election Hacking
MICHEL MARTIN, HOST:
Now it's time for our regular segment Words You'll Hear. That's where we take a word or phrase that will be in the news this week and try to understand it by focusing on that word. This week, our word is spear-phishing. That's when a hacker tricks somebody by sending an email allegedly from somebody the target knows and trusts but with malicious software. The target sees an email from a friend or colleague, opens up the infected attachment and bam, the hacker is in. That's one of the strategies that Russia is believed to have used to try to influence the U.S. elections last fall.
Next week, both the House and the Senate will hold hearings to look into this. For more, we turn now to NPR's Pam Fessler, who just got back from a couple of conferences with state and local election officials last week. Hi, Pam.
PAM FESSLER, BYLINE: Hi, how you doing?
MARTIN: Good. So can you give us an overview of the alleged spear-phishing campaign? Who were the targets, and how did it happen?
FESSLER: Well, this was an attempted attack on election systems around the country. And it was revealed in an - National Security Agency report that was leaked about a week and a half ago. And apparently, Russian intelligence tried last August to break into the email system of a vendor who provides voter registration software and hardware to local election offices.
It's not exactly clear what happened except that late October, early November, 122 local election officials were sent emails that looked like they were coming from that vendor. They had attachments that included malicious software. It's not clear if anyone actually clicked on the attachments. There's no signs that anybody did, but this raised a lot of red flags.
MARTIN: Well, you know, speaking of that, what prompts these hearings now? I mean, these concerns about the Russians tampering with the elections have been heard since last fall, so why now?
FESSLER: So this is part of a broader investigation into Russian efforts last year to manipulate and interfere in U.S. elections. And so this is a much broader investigation. And it's taken a while for the committees to try and figure out exactly, you know, where the focus of this investigation is going to be.
MARTIN: Now, we mentioned that you were just at a conference with election officials. And you spoke with someone from VR Systems. That's the company that makes the election software that the hackers targeted. What is VR Systems saying about all of this?
FESSLER: That's right. I spoke with Ben Martin. He is the company's chief operating officer. And he said that what appears to be Russian intelligence tried to break into their employees' emails accounts. He, in fact, says that none of his employee accounts were, in fact, compromised, but their customers were receiving fake emails, emails that were made to look like they were from this company.
Also, he said, you know, no election software company would be sending election offices updates to software just days before the election, so this raised a bunch of red flags. They alerted intelligence officials. And they also alerted all of their customers to not open the attachments. And as far as they know, nobody did open the attachments.
MARTIN: Well, Pam, before we let you go because there's still - there are still there are still so many unanswered questions and questions that might never be answered about what happened last fall, what does this mean for upcoming elections in 2018 and 2020?
FESSLER: State and local election officials say they're already doing a lot with security. They are now working more with the federal government. The Department of Homeland Security has declared that election systems are now what they call critical infrastructure. And this means that they will be providing a lot more assistance to state and local election officials to try and test their systems to make sure that they are not vulnerable to outside attacks.
So there's going to be a lot of talk in the upcoming year or two about just how much election systems can be secured. Some people say, you know, the best way to do that would be to make sure that we have voting machines that all have - if we have an electronic voting machine, that they have paper ballot backups. So if something does go wrong, you can always go back to the paper and count and make sure that there hasn't been any tampering. But it's going to take a lot more than just that.
MARTIN: That's NPR's Pam Fessler. Pam, thank you.
FESSLER: Thank you.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.