A recent ransomware attack against Hall County, Georgia, disrupted several of its systems, including one related to election administration.
Officials in the county about 50 miles outside Atlanta first reported on Oct. 7 the attack had disrupted phone and email services at the county courthouse, sheriff’s offices and other public buildings. But on Thursday it was revealed that a database used by the county to verify voters’ signatures on absentee ballots was also disabled.
The spread of the ransomware to the signature-matching system was first reported by the Gainesville Times.
While county officials have said the cyberattack has not impeded the ability of voters to cast ballots, it could slow down the signature-matching process when absentee ballots are returned and processed. The county still has access to a statewide signature database, though some signatures may have to be matched by election clerks manually retrieving voters’ registration cards.
As in many other states, the use of mail-in absentee ballots has exploded in Georgia as a response to the coronavirus pandemic. In Hall County, 13,703 absentee ballots have already been returned, compared with 4,293 in the entire 2016 election. Statewide, nearly 850,000 Georgians have already voted using absentee ballots.
Although the voting process has not been impeded, the incident is the first known example in the 2020 election of a simmering fear among election administrators and cybersecurity industry figures that election systems could be ripe for disruption from ransomware attacks on local government, even if those systems themselves were not the intended target. And ransomware is principally the domain of cybercriminals looking to get rich, not state-backed actors, though federal officials in recent days have accused a hacking group linked to the Russian government of breaching state and local networks recently.
State and local officials have also in recent months said they dread ransomware that affects “elections support systems” — IT assets used for a range of business purposes — because even if their ability to receive, process and count votes is unaffected, a disruption could shake public confidence in the reported results.
Some industry experts said they would not be surprised to see more ransomware incidents that affect election-related systems.
“Cybercriminals often look for the path of least resistance,” Mick Baccio, a security adviser at the software company Splunk, told StateScoop in a Twitter direct message. “The fact of the matter is that ransomware works because it’s easy. I don’t think this is the first ransomware attack on election security systems, and it likely will not be the last.”
Brett Callow, a threat analyst at the anti-virus developer Emsisoft, said the Hall County attack involved the DoppelPaymer malware, which has also been used this year against Torrance, California, and Florence, Alabama. He, too, predicted more communities may suffer ransomware attacks that affect some of the IT used to support election administrators.
“It’s quite likely that other governments’ networks are already compromised, with threat actors waiting until closer to the election to deploy the ransomware,” he said. “They may well think this will provide them with the best opportunity of being able to successfully extort payment.”