Page:Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 1.pdf/15

COMMITTEE SENSITIVE—RUSSIA INVESTIGATION ONLY

details about the activity they saw on their networks, and the Committee compared that accounting to DHS's reporting of events.[1] Where those accounts differed is noted below. The scanning activity took place from approximately June through September 2016.

| State | Observed Activity[2] |
| --- | --- |
| Illinois | (U) See infra, "Russian Access to Election-Related Infrastructure" for a detailed description. |
| State 2 | (U) See infra, "Russian Access to Election-Related Infrastructure" for a detailed description. |
| State 3 | (U) According to State 3 officials, cyber actors using infrastructure identified in the August FLASH conducted scanning activity.[3] State 3 officials noticed "abnormal behavior" and took action to block the related IP addresses.[4] DHS reported GRU scanning attempts against two separate domains related to election infrastructure.[5] |
| State 4 | (U) See infra, "Two Unexplained Events" for a detailed description. |
| State 5 | (U) Cyber actors using infrastructure identified in the August FLASH scanned "an old website and non-relevant archives," according to the State 5 Secretary of State's office.[6] The following day, State 5 took action to block the IP address.[7] DHS, however, reported GRU scanning activity on two separate State 5 Secretary of State websites, plus targeting of a District Attorney's office[8] in a particular city.[9] Both the websites appear to be current addresses for the State 5 Secretary of State's office. |
| State 6 | (U) According to State 6 officials, cyber actors using infrastructure identified in the August FLASH scanned[10] the entire state IT infrastructure, including by using the Acunetix tool, but the "affected systems" were the Secretary of State's |

  1. (U) DHS briefed Committee staff three times on the attacks, and staff reviewed hundreds of pages of intelligence assessments.
  2. (U) Slight variation between what states and DHS reported to the Committee is an indication of one of the challenges in election cybersecurity. The system owners—in this case, state and local administrators—are in the best position to carry out comprehensive cyber reviews, but they often lack the expertise or resources to do so. The federal government has resources and expertise, but the IC can see only limited information about inbound attacks because of legal restrictions on operations inside the United States.
  3. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 3], December 8, 2017.
  4. (U) Ibid.
  5. (U) DHS briefing for Committee staff on March 5, 2018.
  6. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 5], December 1, 2017.
  7. (U) Ibid.
  8. (U/ ) Briefers suggested the "most wanted" list housed on the District Attorney's website may have in some way been connected to voter registration. The exact nature of this connection, including whether it was a technical network connection or whether databases of individuals with felony convictions held by the District Attorney's office had voting registration implications, is unclear.
  9. (U) DHS briefing for Committee staff on March 5, 2018.
  10. (U) State 6 officials did not specify, but in light of the DHS assessment, they likely meant SQL injection.
