Phishing expedition: At least 5 Florida counties targeted by Russian election hack

TALLAHASSEE — Russian hackers tried to break into the computer systems of at least five Florida county elections offices days before the 2016 presidential election, according to five county officials who say they received malicious emails described in a leaked intelligence report.

Election supervisors in Hillsborough, Pasco, Citrus and Clay counties separately told the Times/Herald their offices got the emails, which contained attachments that could have taken over their computers. But all four said their staffers did not open them. Volusia County said it opened one of the infected emails, but not the attachment that could have compromised its systems.

There's been no evidence disclosed publicly that any counties were breached. It's not clear how many counties were targeted, in Florida or across the country. The Times/Herald sent requests for the emails to all 67 elections offices in the state. Nineteen replied back that they searched for them and couldn't find any.

The intelligence report, written by the National Security Agency, was published Monday by the Intercept, an online news outlet, and verified by other national media sources. It described two efforts by a Russian military intelligence unit, the G.R.U., to disrupt the presidential election.

RELATED: Intelligence contractor is charged in first criminal leak case of Trump era

The first attempt, in August, targeted VR Systems, a Tallahassee-based vendor that sells voter registration software to all but three of Florida's 67 counties, according to the report. The second attempt was aimed at 122 election management officials across the country, just days before the election, and was disguised as a routine message from VR Systems, the report said.

RELATED: Russian hackers pretended to be Florida company in phishing expedition

VR Systems' software helps check in voters at the polls and doesn't tabulate ballots. Still, the attack could have infected election workers' computers, VR Systems warned in a Nov. 1 email, which many supervisors credited with helping them avoid opening the files.

Sending fake emails — called "phishing" — is a common way to attack a large organization, said Joe Partlow, the chief technology officer of ReliaQuest, a national IT security firm based in Florida. In many cases, but not all, it would take a forensic review of the system to determine if a hack has been successful, Partlow said.

"It's easy to slip past the controls in place," he said.

The Intercept report was not the first evidence that Russian intelligence sources were attacking local election systems. A federal intelligence assessment released in January reported that "Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards."

But the disclosures cast new light on the scale of the Russians' effort to compromise systems across Florida — involving a random-seeming assortment of some of the state's largest and smallest counties.

While Pinellas officials said a search for the suspect email turned up nothing, Hillsborough officials said in November they immediately noticed that the suspect email came from a strange VR systems email address and that it was blocked.

Pasco County Supervisor of Elections Brian Corley said the malicious message was in his agency's inbox on Oct. 31. "I didn't open it," Corley said. "Phishing emails? We get them all the time."

In Daytona Beach, Volusia Supervisor of Elections Lisa Lewis said three of her staffers got the email on Nov. 7, the day before election day.

The email was opened but all three staffers say they didn't open the attachment, she said.

"There's no way to know for sure. Other than the word of everybody remembered getting the warning, not to open the attachment, so that's what we're going with," she said.

She said the state hadn't contacted her to investigate, and she heard nothing about the email between November and Monday.

"Never ever, I promise you, did it ever cross my mind that it would be a Russian e-mail," she said. "That they were behind it. Never."

Clay County Supervisor of Elections Chris Chambless said his office got a copy of the phishing e-mail but it was stopped by an anti-virus filter. He said his office gets 3,500 phishing or spam messages daily that get blocked.

Miami-Dade County said it didn't get an email. "We have no indication at this time that a Miami-Dade County system, or one of our valued partners, has been breached," a spokesman for county Mayor Carlos Gimenez said.

Broward Supervisor of Elections Brenda Snipes said her office didn't get it either, though digital data attached to the copy sent to Clay — reviewed by the Times/Herald ­— appeared to show the hackers attempting to send one to an email address in her office.

"We haven't had any to my knowledge," Snipes said. "Honestly we just have gotten nothing on this, nothing."

"To our knowledge, there has been no Florida county that executed this phishing attempt," said Chambless, president of the Florida State Association of Supervisors of Elections.

"It's so hard to know what they were trying to do," said Lawrence Norden, a voting expert with the Brennan Center for Justice. "But the thing about doing something like this over the internet is it doesn't take a lot of extra effort to send it to every single county, so it doesn't really surprise me. And this is what makes cyberattacks so much more dangerous than an individual attack that involves physically getting a person to a particular place."

Citrus Supervisor of Elections Susan Gill said she recalled receiving it at her Inverness offices.

"Yes, we did receive it, and we immediately received an email from VR Systems telling us not to open it," Gill said.

Gov. Rick Scott's chief elections official, Secretary of State Ken Detzner, declined to field questions Tuesday.

Detzner's spokeswoman, Sarah Revell, said the state voter registration database is secure.

"We have no indication that any unauthorized access occurred. Steps taken to secure databases include implementing software, hardware and firewalls to protect information," she said.

VR Systems chief executive officer Mindy Perkins issued a statement in response to the Intercept's report that said in part: "When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result."

After the first suspicious email was sent last August, the FBI's Jacksonville office held a conference call on Sept. 30 with county supervisors of elections to alert them to "a malicious act found in a jurisdiction" in Florida, according to Ion Sancho, the former Leon County elections supervisor who was on the call.

Sancho and other election officials who spoke to the Times/Herald Tuesday said they had not heard any more about the federal investigation until the Intercept's report appeared Monday.

A 25-year-old intelligence contractor from Augusta, Ga., Reality Leigh Winner, was charged Monday with leaking the NSA report to the Intercept.

Times/Herald staff writers Michael Van Sickler and Mary Ellen Klas and Herald staff writers Doug Hanks and Amy Sherman contributed to this report, which also used information from The New York Times. Contact Steve Bousquet at sbousquet@tampabay.com. Follow @stevebousquet.