■ Between 13 and 20 counties received phishing attack.
DeSantis says two counties were hacked
The search is on to determine which two Florida counties’ voter data was accessed by Russian hackers.
A South Florida Sun Sentinel investigation found that at least 13, and as many as 20, elections offices in Florida were sent an email by GRU, a Russian military intelligence agency. According to an FBI investigation, that email included an attachment that appeared to be a harmless Word document, but contained software that allowed the sender to access the computer files of anyone who opened the attachment.
The emails came from a Gmail account that appeared at a glance to come from VR Systems, a Florida-based elections software company that serves many elections offices throughout Florida. The practice of disguising a malicious email to appear as though it comes from a trusted source is known as spear phishing.
The malicious email address has since stopped accepted emails, suggesting it has been shut down.
Gov. Ron DeSantis announced Tuesday that the FBI informed him the spear phishing attempt was successful in two Florida counties, but he added that he could not say which counties because he had signed a nondisclosure agreement with the FBI.
The Sun Sentinel filed a public records request for the agreement but was told DeSantis did not have a copy. A Freedom of Information Act request has been filed with the FBI, but getting the results of a FOIA request can take a long time.
Prior to DeSantis’s announcement, the Sun Sentinel filed a public records request to all 67 Florida county supervisors of elections offices for all emails sent from the email address used by the Russian hackers to their offices in a date range that included several weeks before and after the 2016 election, when the FBI reported the attack had taken place.
Of the 67 county elections offices contacted, 47 replied that they did not receive the email. That could mean they didn’t receive it, or that it was immediately quarantined and didn’t turn up in a search of email records. The other option is that employees of these elections offices destroyed the email or lied and refused to turn it over, both of which would be a violation of the state’s public records law.
Thirteen counties confirmed they were sent the email from Russian hackers but say they did not open it: Alachua, Broward, Citrus, Clay, Duval, Gulf, Lee, Leon, Pasco, Putnam, Taylor, Volusia and Wakulla. The political makeup of these counties is all over the map. For example, Wakulla is closely balanced between registered Democrats and Republicans, while Clay has a more than twoto-one Republican advantage and Broward has a more than two-to-one advantage in favor of Democrats.
Of the seven remaining counties, four acknowledged receiving the public records request but never responded with a follow-up offering either the requested email or a statement that a search of their records hadn’t turned it up. Those counties were Charlotte, Escambia, Highlands and Hillsborough.
Three others never acknowledged receiving the public records request: Calhoun, Jefferson and Washington counties.
The Sun Sentinel sent the records requests to elections offices on April 24, a few days after the release of the redacted report on Russian interference in the 2016 election produced by Special Counsel Robert Mueller. The Mueller Report noted an FBI investigation had found that “in November 2016, the GRU sent spear phishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election. The spear phishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.”
According to the report, the spear phishing attempt “enabled the GRU to gain access to the network of at least one Florida county government,” though Mueller’s office did not independently verify the FBI’s findings.
Further, as part of a 2017 report on a leaked National Security Agency document detailing the spear fishing attempt, the online news publication The Intercept printed the email address Russian intelligence used in sending the emails to Florida elections office officials. This email address became the subject of the Sun Sentinel’s public records request.
It’s still unclear just which two counties opened the attachment in the email sent by agents of a Russian intelligence agency.
Florida members of Congress were given a classified briefing Thursday morning, after which a source familiar with what was discussed told the Sun Sentinel that neither Broward nor Palm Beach counties were among the two hacking victims.
Broward Supervisor of Elections Peter Antonacci has stated unequivocally that the spear phishing attempt was not successful in his office.
On Wednesday, the Miami Herald published the results of its own survey, in which the paper’s reporters asked each county supervisor of elections whether their offices were one of the two that was hacked. All said they were not, except those in Gadsden and Hardee counties, which did not respond to reporters’ questions. But Gadsden and Hardee elections officials responded to our public records request, saying they had not received the spear phishing email.
Something doesn’t add up, and Florida’s elected officials are demanding that the FBI release the counties that were hacked.
The FBI Jacksonville field office said federal investigators are not obligated to release the names of the affected counties, and a timetable for any potential release doesn’t exist.
“That information is classified,” FBI Jacksonville spokeswoman Amanda Videll told the Sun Sentinel Thursday.