Many election officials across the US are using email systems that could make them more susceptible to phishing attempts, according to a new report in The Wall Street Journal. Area 1 Security found less than 20 percent of 10,000 state and local election administrations had advanced anti-phishing controls in place, and about 666 of the election officials were relying on personal email addresses for election-related matters.
Jurisdictions in several states were using a version of free Exim software that Russia’s GRU intelligence service had targeted for online attacks starting in 2019, according to the Journal. Security experts told the Journal it was unlikely that weak email security would lead to vote hacking, however, since the email systems aren’t connected to systems that count votes.
But the findings raise concerns that local election officials may be underprepared for possible intrusions into their email systems. The GRU was accused of stealing and leaking emails from Hillary Clinton’s presidential campaign in 2016, and in 2018, the GRU had registered web domains that appeared to spoof government web addresses, ostensibly for phishing purposes. Microsoft seized the domains before, officials believe, any damage was done.
And already this year, foreign hackers have targeted the personal email accounts of staffers working on the campaigns of presumptive Democratic nominee Joe Biden and President Trump. State-backed hackers from China tried to target staffers’ emails on the Biden campaign, while Iranian hackers targeted the Trump campaign staff’s emails. Google, which reported the attempts, said last month it had not seen evidence that those attacks were successful.