Library, not voter database, was Russia hack target
It turns out Russian hackers didn’t target Arizona’s statewide voter-registration database in an incident the U.S. Department of Homeland Security warned about this fall — they targeted the Phoenix library.
That’s according to city and state officials who spoke with The Arizona Republic about reports that the Russian government tried to infiltrate a database in Arizona during the 2016 election.
The confirmation is the latest twist in a confusing series of intelligence updates that have trickled out regarding potential Kremlin data-fishing activity in Arizona.
Phoenix police Sgt. Jon Howard recently said U.S. Department of Homeland Security officials notified the state, which notified the city, of “Russian entities” conducting low-level scans of Phoenix’s library system in August 2016.
The city’s IT department ran a report in October and found no indication Russians breached the library’s database.
“Attempted breaches are extremely common and well-guarded against,” Howard said in an email. “Any time someone raises a concern about specific attempts, we work to determine the source and severity to guarantee our systems remain secure.”
Nevertheless, the revelation that Phoenix’s library was targeted helps to solve the mystery of whether Russians actually tried to access Arizona voter information.
The confusion started this fall, when Homeland Security officials called Arizona Secretary of State Michele Reagan with a belated warning.
In September, Reagan’s office said the DHS notified her that Arizona’s voterregistration system was targeted by Russians during the 2016 election. The DHS said it was one of 21 states where Russians attempted to hack elections systems.
“DHS has let us know that the Russian government targeted our voter registra-
tion systems in 2016,” Reagan tweeted on Sept. 22. “I’ll receive a detailed briefing soon.”
But details of the alleged hacking incident shifted dramatically after DHS agents traveled to Phoenix in early October to give her a more detailed briefing.
After that meeting, Reagan said federal officials “could not confirm that any attempted Russian government attack occurred whatsoever to any election-related system in Arizona, much less the statewide voter registration database.”
Reagan’s office initially didn’t release further details about the briefing or answer questions about what had changed so dramatically in the intelligence reports from the DHS.
But Reagan this week explained the confusion to The Republic. She said DHS officials hadn’t been specific in their initial explanation. They simply said Arizona had been one of the 21 states where the elections system was targeted.
During a meeting with DHS officials at her office, Reagan said, they told her it wasn’t the elections system after all. Foreign cyberactors had probed a local government database that has “nothing to do with elections,” she said.
Reagan would not say what local government database was targeted.
“The bottom line is, I’m relieved,” she said. “We shouldn’t have been on that list (of 21 states).”
However, Reagan said she was frustrated that the DHS couldn’t provide concrete answers and had incorrectly warned of an attack on the voter-registration system, causing many Arizonans to believe Russia targeted their voter information.
“We all just kind of walked away not really having any answers,” she said of her meeting with the DHS. “It was very disappointing.”
Reagan also clarified that the instance was unrelated to an earlier report of hacking from the FBI, which involved a Gila County employee who opened an infected email attachment with malicious software.
Matt Roberts, a spokesman for Reagan’s office, said the FBI notified Arizona in summer 2016 that a hacker had gotten a Gila County election official’s login and password and tried to access the voter-registration database.
But, Roberts said, the database’s security system prevented the hacker from logging in. State officials took the voter-registration system offline for about 10 days due to that incident.
Roberts said the hacker used a server in Russia, but the FBI couldn’t confirm whether the hacker was tied to the Russian government or simply a cybercriminal.
However, he said, DHS officials have confirmed the latest hacking attempt was directly tied to “a Russian governmental entity.”
While Reagan’s office would not say what city or locality had been targeted in the latest attempt, multiple Phoenix city officials confirmed that state officials notified them about the Russian probe of the library system.
Phoenix city officials said despite the
“We all just kind of walked away not really having any answers. It was very disappointing.” Michele Reagan, Arizona secretary of state, on meeting with Department of Homeland Security
data-fishing attempt, residents have nothing to be concerned about, because public databases get “scanned” by various entities all the time.
Randell Smith, chief information-security officer for the city of Phoenix, said the city’s network gets “probed” by other systems about 5 million times per day.
Most of these probes are performed for legitimate purposes, he said. Other systems from media outlets or businesses may scan the city’s system to synchronize public data or to check that the information is still available.
Smith said cybercriminal scans act the same as their aboveboard counterparts, but the difference is intent.
“It’s called probe reconnaissance,” he said, when a would-be hacker surveys the digital landscape for vulnerabilities.
Smith stressed that the city has multiple layers of defense to protect from cyberattacks.
It’s unclear from the IT department report whether a Russian-based system did, in fact, probe the city’s library system last year, said spokeswoman Yvette Roeder.
“The way it works, they can only see if there’s an anomaly in the report,” she
said.
Now that Arizona officials have established that the elections system wasn’t the hacking target, one obvious question remains: Why, of all things, would Russians target the Phoenix library?
The Republic asked the DHS to confirm that a local government database in Arizona, unrelated to elections, had been the target.
DHS spokesman Scott McConnell said the agency cannot discuss specifics of Arizona or any other state. He released a statement that said the agency’s assessment of attempted hacking came after it observed malicious IP scanning of public databases.
In some cases, McConnell wrote, the warning to states was based on intelligence that cannot be publicly disclosed.
He said the agency stands by its statement that “Internet-connected networks in 21 states were the target of Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure.”
McConnell wrote that, in most cases, the Russians only scanned networks — preparatory probing that hackers sometimes use to find potential vulnerabilities in a system.
“In some cases, this involved direct scanning of targeted systems,” he stated. “In other cases, malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target.”
Ultimately, it seems, the reason Russians would target the Phoenix library might remain a mystery.