Ransomware Attacks Take On New Urgency Ahead of Vote

A Texas company that sells software that cities and states use to display results on election night was hit by ransomware last week, the latest of nearly a thousand such attacks over the past year against small towns, big cities and the contractors who run their voting systems.

Many of the attacks are conducted by Russian criminal groups, some with shady ties to President Vladimir V. Putin’s intelligence services. But the attack on Tyler Technologies, which continued on Friday night with efforts by outsiders to log into its clients’ systems around the country, was particularly rattling less than 40 days before the election.

While Tyler does not actually tally votes, it is used by election officials to aggregate and report them in at least 20 places around the country — making it exactly the kind of soft target that the Department of Homeland Security, the F.B.I. and United States Cyber Command worry could be struck by anyone trying to sow chaos and uncertainty on election night.

Tyler would not describe the attack in detail. It initially appeared to be an ordinary ransomware attack, in which data is made inaccessible unless the victim pays the ransom, usually in harder-to-trace cryptocurrencies. But then some of Tyler’s clients — the company would not say which ones — saw outsiders trying to gain access to their systems on Friday night, raising fears that the attackers might be out for something more than just a quick profit.

That has been the fear haunting federal officials for a year now: that in the days leading up to the election, or in its aftermath, ransomware groups will try to freeze voter registration data, election poll books or the computer systems of the secretaries of the state who certify election results.

With only 37 days before the election, federal investigators still do not have a clear picture of whether the ransomware attacks clobbering American networks are purely criminal acts, seeking a quick payday, or Trojan horses for more nefarious Russian interference. But they have not had much success in stopping them. In just the first two weeks of September, another seven American government entities have been hit with ransomware and their data stolen.

“The chance of a local government not being hit while attempting to manage the upcoming and already ridiculously messy election would seem to be very slim,” said Brett Callow, a threat analyst at Emsisoft, a security firm.

The proliferation of ransomware attacks that result in data theft is an evolution in Russian tactics, beyond the kind of “hack and leak” events engineered against the Democratic National Committee and Hillary Clinton’s campaign chairman, John Podesta, in 2016. By design, whether the attacks are criminal or state sponsored is not clear, and the attacker does not always have to be successful everywhere. Just a few well-placed ransomware attacks, in key battleground states, could create the impression that voters everywhere would not be able to cast their ballots or that the ballots could not be accurately counted — what the cybersecurity world calls a “perception hack.”

“We have been hardening these systems since last summer,” Christopher Krebs, who runs the Cybersecurity and Infrastructure Security Agency for the Department of Homeland Security, said this month. He noted that the agency was trying to make sure local election officials printed out their electronic poll books, which are used to check in voters, so that they had a backup.

The United States has made “tremendous progress” in the effort, Mr. Krebs added, by “getting on this problem early.”

Still, some officials worry that President Trump’s repeated assertion about the election that “we’re not going to lose this except if they cheat” may be the 2020 equivalent of “Russia, if you’re listening” — seen as a signal to hackers to create just enough incidents to bolster his unfounded claims of widespread fraud.

So far Mr. Trump has focused on mail-in ballots and new balloting systems, but on election night there would be no faster way to create turmoil than altering the reporting of the vote — even if the vote itself was free of fraud.

That would be a classic perception hack: If Mr. Trump was erroneously declared a winner, for example, and then the vote totals appeared to change, it would be easy to claim someone was fiddling with the numbers.

The Russians tried this, and almost got away with it, in Ukraine’s presidential election six years ago. That is one reason the F.B.I. warned last week that the days after the election could result in “disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”

The F.B.I. warning made no mention of Mr. Trump’s own declarations that if Mr. Biden wins, the election must be illegitimate, or his baseless attacks on the use of mail-in ballots. But on Saturday night at a rally in Pennsylvania, the president openly speculated how an uncertain outcome could throw the election into the courts or Congress, both places where he believes he has an advantage.

Sign up for On Politics to get the latest election and politics news and insights.

That is why the surge in ransomware has become such a rising concern. Should an attack be well-timed enough to make it difficult to count votes or certify tallies, it would add to the uncertainty — just what the Russians, and perhaps Mr. Trump himself, are seeking.

Part of the problem is that the full scale of ransomware attacks is not always disclosed.

It was three years after the 2016 election that the Department of Homeland Security, the F.B.I. and even Florida state officials learned that Palm Beach County — which played a critical role in deciding the 2000 election — had its election offices seized by ransomware just weeks before the election.

Over the past 18 months, cybercriminals — primarily based in Russia and Eastern Europe — have hit the American public sector with more ransomware attacks than in any other period on record, according to Emsisoft, which tracks the incursions. A record 966 ransomware attacks hit the American public sector last year — two-thirds of them targeting state or local governments.

Among them: A Texas county that voted for Hillary Clinton in 2016 as well as counties that helped determine the 2016 election in Ohio, Pennsylvania, Florida and Georgia, and other cities and counties that will most likely play a critical role in deciding close Senate races in South Carolina, Kentucky, Colorado and Maine in November.

The F.B.I. concluded that ransomware “will likely threaten the availability of data on interconnected election servers” in November, according to a bureau analysis leaked this summer. The agency cited two recent examples: a ransomware attack in Oregon that locked up county computers and crippled backup data, and another in Louisiana in which cybercriminals hacked the secretary of state’s offices, then waited three months to detonate their ransomware the week of Louisiana’s statewide elections for governor and legislative seats last November.

The Louisiana election proceeded unscathed because officials had the foresight to separate voter rolls from internal networks. Still, some analysts feared the attack was a dry run for Nov. 3.

Sometimes victims pay — as a small town in Florida did. Sometimes they refuse, as Atlanta did — though it ended up spending more than the ransom demand reconstructing its systems.

The latest victim, Tyler Technologies, has been vague about the details of its attack. Citing a continuing investigation, the company declined to elaborate on the ransom demands, say whether it paid or offer any details about the attackers. And while the company claimed that none of its products “support voting or election systems,” its Socrata dashboard software is used by some election officials to aggregate and share election results.

That display software is precisely the kind of soft target that intelligence agencies warned could be subject to foreign manipulation on Election Day. In the Ukraine case in 2014, Russian hackers got into the software that reported the country’s election results to the media, altering it to falsely claim victory for a far-right candidate. Ukrainians caught the hack just in time and reported the correct results on television that night. Tellingly, Russian state media still reported that the far-right candidate had won the presidency.

It was a classic perception hack because even if the actual ballots are untouched, an attack that delayed the vote or cast doubt on the ultimate results could create enough uncertainty in voters’ minds that somehow the election was illegitimate.

The Republican-led Senate Intelligence Committee report into the 2016 election even warned against the kind of proclamations Mr. Trump is making about “rigged” elections from the White House press room and at rallies.

“Sitting officials and candidates should use the absolute greatest amount of restraint and caution if they are considering publicly calling the validity of an upcoming election into question,” the report said, noting that doing so would only be “exacerbating the already damaging messaging efforts of foreign intelligence services.”

Christopher A. Wray, the F.B.I. director, countered the president’s claims on Thursday, telling lawmakers that his agency had “not seen, historically, any kind of coordinated national voter fraud effort in a major election, whether it’s by mail or otherwise.” He was immediately attacked by the White House chief of staff, Mark Meadows. “With all due respect to Director Wray, he has a hard time finding emails in his own F.B.I.,” Mr. Meadows said on Fox News.

Still, American officials are walking a thin line. They are trying not to ramp up too many fears about ransomware for fear of amplifying the uncertainty.

But at the same time, security researchers have noted with growing alarm that the ransomware attacks hitting American systems are evolving in disturbing ways. Attackers are not just locking up data, they are stealing it, dumping it online in some cases, and selling access to victims’ data on the dark web and privately to nation-state groups. Researchers at Intel471, a threat intelligence firm, recently discovered that Russian cybercriminals had been selling access to victims’ data to North Korean hackers, and Russian cybercriminals have a long track record of working hand in hand with the Kremlin.

When the Treasury Department imposed sanctions on members of an elite Russian cybercrime group last December, they outed the group’s leader as a member of Russia’s Federal Security Service, or F.S.B., a successor to the K.G.B.

Three years ago, the Justice Department accused two F.S.B. agents of working closely with two cybercriminals to hack 500 million Yahoo accounts. Russian agents allowed cybercriminals to profit from the attack, while mining their access to spy on journalists, dissidents and American officials.

“There is a pax mafiosa between the Russian regime and its cybercartels,” said Tom Kellermann, the head of cybersecurity strategy at VMWare, who sits on the Secret Service’s cyberinvestigations advisory board. “Russia’s cybercriminals are treated as a national asset who provide the regime free access to victims of ransomware and financial crime. And in exchange, they get untouchable status.”

“It’s a protection racket,” Mr. Kellermann said. “And it works both ways.”