Ransomware Hits Election Infrastructure in Georgia County

A Georgia county is ground zero for what may be the first ransomware attack to hit election infrastructure this political season.

Source: CNN | Published on October 23, 2020

ransomware on the rise

The attack on Hall County — home to Gainesville and located roughly an hour north of Atlanta — was disclosed on Oct. 7, but the impact to election infrastructure is only now coming to light.

Among the county's affected systems were a voter signature database, as well as a voting precinct map hosted on the county's website, according to Katie Crumley, a Hall County spokesperson. The affected systems were first reported by The Gainesville Times.

"We are currently bringing various programs back online, and those two items are included in that process," Crumley said. "However, the voting process for our citizens has not been impacted due to the network issues."

The initial disclosure by county officials said that the attack had hit "critical systems within the Hall County Government networks" but provided few additional details. Crumley declined to discuss further specifics, citing an ongoing investigation.

Ransomware is a type of malicious software that locks up a victim's computer and renders it unusable until the victim pays off the attacker, frequently in bitcoin. This type of cyberattack is worsening, and in recent years ransomware attacks have hit targets as varied as Baltimore's city government, the website of an Illinois public health district and the University of California.

The attackers in this case do not appear to have specifically targeted election systems; other county functions, including phone and email services, were also disrupted. Ransomware attackers are typically financial criminals driven by profit, experts say, not political actors with a political motive.

But the incident marks the first known case of a ransomware attack affecting election infrastructure in the 2020 election, three cybersecurity experts told CNN.

"This is the first incident that I'm aware of which has directly impacted election-related infrastructure," said Brett Callow, a threat analyst at the security firm Emsisoft. "At least 18 county or municipal bodies have been impacted by ransomware since the beginning of September — about three per week — so it's very likely that other bodies will be hit in the run-up to the election."

Ekram Ahmed, a spokesperson for the cybersecurity firm Check Point, called the Georgia incident "alarming and significant."

"Often, hackers like to run experiments on smaller places and institutions, treating them as testing-grounds for larger-scale attacks down the road," Ahmed said. "We urge voters to be extra cautious in the days leading up to election night, especially when it comes to their inbox."

Fraudulent emails can often contain malicious links or attachments that allow hackers to penetrate unpatched or vulnerable systems. So-called phishing attacks are the most likely way for ransomware incidents to begin, experts say.

The ransomware attack also comes as US intelligence officials have warned of an email-based election interference effort linked to Iran that relied on stolen email addresses.

Morgan Wright, chief security advisor at SentinelOne, said the Hall County attack is unlikely to be related to the Iranian threat outlined by US intelligence.

"I don't think they're tied together," he said. "I think these guys are just opportunistic."