The email that showed up in an employee’s inbox at the Contra Costa County elections office last month appeared harmless enough: It looked like it had been sent by a member of her church group and contained the innocuously named attachment “Request3.doc.”
But when the employee clicked on the attachment on a work computer, malware laced into the document attempted to contact a Russian IP address, sparking a weeklong scare over the possibility of a foreign attempt to access county election internet systems.
Emails from the elections office obtained by the Bay Area News Group through a public records request shed new light on the incident, which occurred the same week that Special Counsel Robert Mueller delivered his report on Russian interference in the 2016 election.
The suspicious email was investigated by the FBI and the Department of Homeland Security, and state and federal authorities ultimately concluded that no county data had been compromised. State and local officials said they believe the elections office was not specifically targeted for the attack and it may have been motivated by money.
“We took this very seriously — we’re vigilant, we work every day to keep our operations and elections secure,” said Scott Konopasek, the assistant county registrar of voters, in an interview. He said local officials were told by the FBI that “they don’t think we were specifically targeted, but we were just a target of opportunity.”
The episode began when the employee received an email on the morning of Monday, March 18 with a zip file attachment that contained the infected Microsoft Word document. It appeared to be a response to a work-related email she had sent several months earlier to someone in her church group.
When the employee opened the document on a work computer, it started trying to install malware and connect with computer servers.
“Point of origin for the communication was … Russia,” wrote Travis Ebbert, a supervisor at the elections department. “It contacted out twice before we pulled the PC from the network.” Officials responded by taking the computer offline and wiping its hard drive, formatting it “into the ground,” Ebbert wrote.
Investigators ultimately determined that the malware didn’t successfully connect with the Russian server or another Los Angeles server it tried to reach, said California Deputy Secretary of State Susan Lapsley. She said it appeared the malware was ransomware that may have been trying to shut down county computers in order to demand money to start them up again, and that the Russian IP address was traced back to an internet café.
County officials quickly reported the incident to the Secretary of State’s office and were put in contact with the Department of Homeland Security and the FBI, which examined two thumb drives of computer logs and malware downloaded from the county. State and local officials also monitored the county elections office network and other computers to make sure there were no malicious programs lurking behind.
The attack “fits a pattern of other attempts/attacks that trace back to foreign interests,” Clerk-Recorder and Registrar of Voters Joe Canciamilla wrote in an email to county staff in the days after the incident.
A report by state investigators with help from the FBI eventually concluded that no county data had been compromised, Chief Information Officer Marc Shorr wrote in an email the following week. The Governor’s Office of Emergency Services, which conducted the report, did not respond Tuesday to a request for a copy.
State law forbids voting machines from being connected to the internet. But other elections offices around the country have been the target of hacking attempts aimed at accessing voter registration data.
Mueller’s report documented repeated attempts by Russian military intelligence to hack into U.S. state and local election offices and voting technology companies. Russian agents successfully extracted data on thousands of Illinois voters after exploiting a vulnerability in the state elections board website, and may have also compromised at least one Florida county government network through an infected email attachment, Mueller’s investigators found.
The Secretary of State’s office said it hadn’t received any reports of phishing emails or internet breaches from other California county elections offices. In response to the incident, the office sent an email to all county elections offices reminding them to be on the lookout for suspicious emails and suggesting they install filters to weed out potential phishing emails.
Contra Costa officials “had detection measures in place and they did all the right steps,” Lapsley said. “We know the threat is ongoing and always exists, whether you’re going through an election or not.”
In light of the incident, the county elections office is “reinforcing” cybersecurity training for employees, Konopasek said. He declined to say whether the employee who opened the email faced any discipline.
California officials have worked to help local elections offices defend themselves against cyberattacks since the 2016 election, which Russian-linked operatives attempted to influence. That has included investments to upgrade aging voting systems and a new state office dedicated to election cybersecurity.
Steve Grobman, the chief technology officer for cybersecurity company McAfee, said that just because the malware in the Contra Costa email reached out to Russian servers doesn’t imply that the attack was necessarily engineered from Russia. “Given the ease of setting up servers in just about any country,” he said in an interview, “if it was being perpetrated by a more sophisticated actor, they could generally mask their origin.”
Just because the actual voting machines and vote-counting technology are not connected to the internet doesn’t mean that malicious actors couldn’t influence U.S. elections, experts say. Hackers who got access to a local elections office website, for example, could impact results by misleading voters in certain precincts about where and when to cast their ballots.
Theresa Payton, the former White House Chief Information Officer and the CEO of a cybersecurity company, said the Contra Costa email sounded like a “cautionary tale” that should encourage elections offices to “safeguard these hardworking employees from making a human mistake like this.”
“Don’t underestimate the adversary,” Payton said. “This is the new normal.”