The malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability in counties that don’t follow best practices for computer security.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.
But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.
“I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.
The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.
U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices.
A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn’t follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn’t use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.
Although the malware used against Hamilton likely originated with foreign hackers, it appears to have been part of a widespread campaign, rather than one that targeted election-related sites. The malware also doesn’t appear to have spread from Hamilton to other Texas counties. And because Hamilton is a so-called offline county, the attack didn’t affect state voter systems. State and Hamilton County officials said the intrusion won’t affect voters’ ability to cast ballots or have them tabulated.
Still, such attacks could rattle voters’ confidence — or, at worst, bring down systems on election day. The type of malware deployed against Hamilton, called Emotet, often serves as a delivery mechanism for later ransomware attacks, in which swindlers commandeer a victim’s computer and freeze its files until a ransom is paid. U.S. officials have expressed concern that those attacks — which have paralyzed government agencies, police departments, schools and hospitals — could potentially disrupt the election.
Harvard’s Belfer Center for Science and International Affairs, which specializes in establishing best practices for political campaigns and election officials, said in a February 2018 report that election officials should “create a proactive security culture.” For political campaigns, the group suggested using cloud-based email and office software, which are more likely to neutralize threats like Emotet before they reach a user’s inbox. Experts said smaller governments with fewer resources should heed that advice.
Hamilton County has 8,500 residents and voted for President Donald Trump by a 6-to-1 margin in 2016. Almost all of the county offices, including Jackson’s, are located in the courthouse. During the pandemic, residents submit paperwork through a cracked window at the top of the courthouse steps, next to the door. A handwritten note taped to the glass reads, “If we don’t see you, please yell!”
Jackson’s office uses multiple email accounts, runs Microsoft Windows and edits Word files locally on its computers, as opposed to a cloud service like Google Docs, which is more likely to strip out malicious code. None of the emails sent to Hamilton was flagged as suspicious, according to a ProPublica review. The county’s email system lacks two-factor authentication — a standard protection involving a second means of verifying a user’s identity. It also hasn’t implemented DMARC, a system that helps organizations and businesses confirm that emails sent from their addresses are authentic.
Last November, AT&T Corp. performed a security audit for the county clerk’s office, a service offered free to counties by the Texas secretary of state. Jackson said last year’s audit, which took place before her appointment, highlighted no major concerns, but another one is being conducted this year. A representative of the secretary of state’s office said that the audit is a “top-to-bottom assessment” of both physical and cyber security, including the email system, and said Hamilton “may or may not have” implemented the recommendations.
ProPublica obtained five malware samples from Hamilton County and identified them as Emotet. The security firm Proofpoint, which examined the samples at our request, traced them to two weeklong Emotet campaigns in mid-September likely involving millions of malicious email attachments.
Emotet tricks users into clicking on plausible-looking messages and following phony instructions that in reality disable security settings in Microsoft Office. If successful, the ruse allows the malware to hijack the victim’s email conversations and send phony replies from bogus accounts. Malware attached to the messages is primed for a new set of targets automatically selected from the victim’s inbox, further spreading the infection.
Jackson, who has been county clerk less than a year, said she didn’t know who in the office clicked on the fake messages. She also said she has received little help from the county’s outside IT firm, BizProtec LLC. She said she noticed what appeared to be phishing emails on Monday, Sept. 14, and first alerted BizProtec the next day. By that afternoon, BizProtec called to assure her that it had fixed the problem by changing computer passwords for her and the rest of the office, which Hamilton County employees cannot do on their own. But the new passwords didn’t help. By noon this past Monday, a week after the attack began, her inbox had more than 35 suspicious emails — including one that appeared to be from the county judge and contained malware.
Experts ProPublica interviewed said that changing passwords is unlikely to scrub malware. “You facepalm when you hear that advice,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “Unless you clean up an infection, it’ll just keep coming back. You can change your password a million times — it does not actually matter.”
Hamilton County wouldn’t say how much BizProtec charges for its services, but a work proposal for nearby Bosque County shows the firm bills $95 an hour for typical service calls and $125 for calls outside of normal business hours. BizProtec also appears to do IT work for Cooke, Falls, Gonzales, Wheeler, Young, Llano, Eastland and Somervell counties, procurement records show, which combined have more than 150,000 residents.
Email and phone messages left with BizProtec and its owner, Kerry Hancock, seeking comment this week were not returned. Email addresses for Uvalde, Kleberg and Matagorda counties appeared on Emotet-generated emails sent to a listserv of Texas officials. However, those counties said they were not infected, and it’s possible that their email addresses were taken from Hamilton County inboxes and used to spread the malware to recipients of Hamilton emails.
Hamilton residents and business owners have received malware from several county offices, according to Jackson. Yet the county’s top elected official, County Judge W. Mark Tynes, told ProPublica he doesn’t think there was a problem.
“We get spoofed all the time,” Tynes said, insisting to a reporter that he had no reason to believe the malware incident was anything serious. “BizProtec told me they were taking care of it,” he said. “I have no reason to be dissatisfied with BizProtec.”
Told that his own email address was being used to send infected messages, Tynes didn’t seem alarmed. “I’m retiring at the end of my term,” he said.
Security experts said there’s ample reason for concern. Last year, Emotet was one of the most common precursors for large-scale ransomware attacks, and the likely vector by which they wormed their way into municipal governments, according to a report by cybersecurity firm Intel 471.
“This is a massively spread, low-sophistication and low-targeting attack, and they were hacked by that. If a nation-state went after them,” Mark Arena, CEO of Intel 471, said, “they’d crumble in a second.”
A May DHS analysis obtained by ProPublica found that cybercriminals continue to use software tied to Emotet to attack public and private sector networks. Emotet hackers sometimes sell access to compromised computers to a third party, said Roman Huessy of abuse.ch, a website that tracks malware. “This third party then may resell that access once again, and it sooner or later ends up with a ransomware gang,” Huessy said.
Kalember, the Proofpoint executive, said that the Emotet cybercrime group likely originated in Russia, raising the prospect that computers compromised by the malware could end up in the hands of Russia’s military intelligence agency, the GRU. “There’s tons of history of Emotet-like groups being coerced into doing things that the GRU wants,” Kalember said. “If I were running an intelligence operation, I’d absolutely want to use [malware] like Emotet because there’s plausible deniability on multiple different layers.”
This year, ProPublica revealed the frailty of parts of America’s patchwork election infrastructure, including outdated websites that publish voting results. We found that at least 50 election-related websites in counties and towns voting on Super Tuesday were particularly vulnerable to cyberattack.
As of June 2019, Texas requires all elected officials and county employees who have access to local government computer systems to undergo cybersecurity training every year. The Texas Association of Counties, which represents county officials, offers a free course that it says meets the state’s requirements. Jody Seaborn, a spokesman for the association, said that he had not heard about the Hamilton County malware episode and that the group “strongly encourages” counties to adopt cybersecurity best practices. A representative of the secretary of state’s office said that Hamilton County employees recently renewed their security training, as is required annually by Sept. 1.
Jackson said she works 60 hours a week, often returning to the office after dinner. She said she doesn’t have time to also be her department’s IT staff and wouldn’t know how to do it if she wanted to.
She remains in the throes of planning for November, having gotten little rest after just organizing a July runoff election. “I am still trying to master elections,” she said. “How am I supposed to do that if I can’t use my email?”