Leaked FBI Alert Admits Hackers Penetrated US Election Systems

Matt Agorist – On Monday, an official FBI alert from August 18 was leaked to Yahoo News. The alert stated the FBI had uncovered evidence showing that at least two state election systems were penetrated by hackers in recent weeks. The FBI quickly issued warnings to election officials across the country to ramp up security on their systems.

It appears from the Flash Alert that the public was not supposed to know about it.

This FLASH has been released TLP: AMBER: The information in this product is only for members of their own organization and those with DIRECT NEED TO KNOW. This information is NOT to be forwarded on beyond NEED TO KNOW recipients.

The FBI then goes on to describe the nature of the attack and lists the IP addresses associated with the intrusion.

Summary

The FBI received information of an additional IP address, 5.149.249.172, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 185.104.9.39 used in the aforementioned compromise.

Technical Details

The following information was released by the MS-ISAC on 1 August 2016, which was derived through the course of the investigation. In late June 2016, an unknown actor scanned a state’s Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor, detailed in the indicators section below.
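For administrators acting on the alert, the following is an added example (not part of the alert or the original article) of triaging web server access logs for the two IP addresses quoted above and for the three named tools. It assumes Combined Log Format and that the tools left their default name strings in the request or User-Agent; the log lines, paths and other client addresses are constructed.

```python
import re
from collections import defaultdict

# IP addresses named in the alert text quoted above.
ALERT_IPS = {"5.149.249.172", "185.104.9.39"}

# Assumption: the tools were run with default settings, which leave the tool
# name in the User-Agent or in test strings. These are easy to change, so a
# miss proves nothing; a hit is worth a closer look.
TOOL_MARKERS = {name: re.compile(name, re.I)
                for name in ("acunetix", "sqlmap", "dirbuster")}

# Combined Log Format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def triage(lines):
    """Return {client_ip: sorted reasons} for log lines matching an indicator."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or non-CLF line: skip rather than guess
        if m["ip"] in ALERT_IPS:
            hits[m["ip"]].add("alert-ip")
        haystack = m["req"] + " " + m["ua"]
        for tool, pat in TOOL_MARKERS.items():
            if pat.search(haystack):
                hits[m["ip"]].add("tool:" + tool)
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample log lines (documentation-range client IPs, invented paths).
SAMPLE = [
    '203.0.113.10 - - [12/Jul/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.7 - - [12/Jul/2016:10:02:11 +0000] "GET /voter/lookup?id=1 HTTP/1.1" 200 812 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.7 - - [12/Jul/2016:10:02:15 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"',
    '192.0.2.44 - - [12/Jul/2016:10:03:40 +0000] "GET /search?q=acunetix_wvs_security_test HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '185.104.9.39 - - [12/Jul/2016:10:05:00 +0000] "GET /login HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE).items():
        print(ip, reasons)
```

A match on a tool name identifies scanning, not a successful compromise; the flagged client's other requests and the database logs for the same period still need review.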