Chattanooga Times Free Press

Election night cyberattack was smokescreen

BY TYLER WHETSTONE, USA TODAY NETWORK – TENNESSEE

KNOXVILLE — Knox County information technology director Dick Moran and county IT staff were ready for Election Day and the heavier traffic that would undoubtedly come to the county election commission website with former WWE wrestler Glenn Jacobs on the Republican ballot.

At 7:50 p.m., Moran instructed the website be checked to make sure the early voting results could be posted when the polls closed 10 minutes later. Everything checked out. Everything was working.

Seven minutes after his request, Knox County’s election commission website was attacked, and the results, although not impacted by the attack, wouldn’t be displayed until nearly 9 p.m., sowing more chaos into an already energetic and unpredictable night.

All of the disruption, it has been determined since, was an effort to distract the county while another, simultaneous attack was happening behind the scenes accessing county information, according to Moran and Deputy IT Director David Ball.

A SMOKESCREEN

The original and much less hidden cyberattack, a distributed denial-of-service (DDOS) attack, was an attempt to overload the county server’s capacity with high internet traffic. It worked.

The internet protocol addresses — unique numbers that identify individual web portals — tied to the cyberattack spanned every continent but Antarctica, 65 countries in all.

The attack worked by tying up space in the server. A request came to the server, the server accepted it and sent a message back to the requester. By this time, the request had ended and another request had been made from a different IP address, but the server was still waiting on a response from the original request.

“That’s one way these DDOS attacks work,” Ball said. “You tie up all of the available connections within the web server with something that will make it time out … we were seeing them in the thousands and thousands.

“The (hackers) don’t want everything knocked down to where they can’t get in,” he said. “They just want to have something that ties you up.”

All of this was enough to shut down the site.

Screens in the Knox County Republican Party’s suite at the downtown Crowne Plaza hotel showed nothing but the message, “Service Unavailable.”

Election results, however, were not affected.

Election officials gather data at each polling station and hand-carry the memory cards from voting machines to the election commission to be totaled on computers that can’t access the Internet.

ELABORATE HACK

By Wednesday, Sword & Shield Enterprise Security, a Knox County-based IT security firm, was busy dissecting the attack. The firm charges $250 an hour and within a day had a good grasp on what had happened.

It wasn’t until the following Monday, May 7, six days after the attack, that Sword and Shield became aware of the other attack, Ball said.

“It took (Sword & Shield) until Monday to find this because you only had four or five malicious things going on between millions of kinds of errors.”

The attackers had hacked into a county server and looked around. No personal or confidential information was in the server, only publicly available information like court dockets, Moran said.

“It was not an attempt to actually change any data or put anything onto our servers; it was an attempt to take things off of our servers, to read what was there … they were looking to get things, not give things,” Ball said.

Ball said the original DDOS attack wasn’t overly impressive; the county has had DDOS attacks before. The background attack, however, was more sophisticated, he said.

Once Sword and Shield found the other attack, they performed, with the county’s permission, a similar attack to see if they could replicate it. They, too, were successful.

“They (did it) and brought us right to our knees (even) with all of the resources we had,” Moran said.

With that, Sword and Shield knew what happened and how it happened and the two worked to patch up the county’s system to prevent another breach.

Moran said the hole has been plugged.

WHAT’S NEXT?

Law enforcement officials from the Department of Homeland Security and the FBI, both the Knoxville regional office and the headquarters in Washington, D.C., are investigating the attack.

Going forward, Moran and crews are continuing to prepare, always readying for an attack. They expect to be a bigger target than normal in the August general election.

“I’m always alarmed,” Moran said. “I lose sleep every night over security stuff … if you’re connected to the Internet, you’re at risk, you will be hacked. The FBI gets hacked, the Department of Defense, the White House gets hacked, they all get hacked.”

Photo: Knox County mayor candidate Bob Thomas, right, casts his vote at Deane Hill Recreational Center on May 1. (Brianna Paciorka/News Sentinel)
