Attempts by the Russian military to hack the U.S. presidential election were directed at a company based in Tallahassee, according to published reports and local election officials.
Revelations that Russian hackers targeted VR Systems, a company founded in the capital city 25 years ago, were included in leaked, classified National Security Agency documents first reported by The Intercept and later picked up by other media outlets.
The company provides election-related software to most of Florida’s 67 supervisor of elections offices, including Leon County’s. However, Leon County Supervisor of Elections Mark Earley said hacking efforts were not directed at the local elections office.
“Leon County was absolutely not hacked,” Earley said in an interview with the Tallahassee Democrat.
The Florida Department of State said it saw no security breaches during the most recent election cycle. The state’s online elections databases and voting systems remained secure throughout 2016, said Sarah Revell, spokeswoman for Secretary of State Ken Detzner.
“We have multiple safeguards in place to protect against election fraud and prevent any possible hacking attempts from being successful,” she wrote in an email.
But news of the cyberattack is prompting some elections supervisors around the state to redouble their safeguards against hacking.
Earley said that while his staff is well trained in security matters, he is considering hiring an outside consultant to make sure the office is adhering to the latest and best practices. He said the cyberattacks underscore the need for "nonstop vigilance and professionalism.”
"This is not a game," he said. "The threats are real. These are nation-state level threats. And our efforts to ensure that elections have paper trails and verifiable and transparent audit systems in place are very important."
Redacted versions of the NSA documents, published Monday afternoon, shielded the identity of the company targeted by the Russians. But the same documents included references to VR Systems. According to published reports, the NSA documents and Tallahassee Democrat interviews, Russian hackers in August executed a spear-phishing campaign targeting seven employees of the company.
The NSA report said it was likely that at least one of the accounts was compromised through phishing, an operation in which hackers try to lure people into opening harmless looking email attachments that contain malicious programs.
Information taken in the attack — perhaps including email contacts of VR Systems’ clients — was likely used to launch a subsequent hacking operation in the fall, when Russian hackers reportedly sent a malicious email from an account called “firstname.lastname@example.org” to up to 122 local government offices.
The NSA report said it was unknown whether the second attack, which happened Oct. 31 or Nov. 1, was successful. However, Mindy Perkins, CEO of VR Systems, said in a statement sent Monday night to its clients that there is no sign the intended victims were compromised.
“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment,” Perkins said. “We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.”
Earley said his office did not receive any of the phishing emails, which he said contained broken English and were obvious fakes. However, at least one Florida elections office, in Clay County, got one of the phishing emails.
Chris Chambless, Clay County’s supervisor of elections, said his office’s virus detection software isolated the malicious email before it was picked up by a server. He noted his office is subjected to numerous hacking attempts on a daily basis.
“We told VR we received the email and it was quarantined,” he said. “This really isn’t uncommon, and most (supervisors) don’t even know if they were ever sent it.”
Chambless, who serves as president of the Florida State Association of Supervisors of Elections, dismissed any notion that the 2016 election was impacted by the VR Systems breach.
“I say balderdash,” he said. “This type of concern, while it makes for good headlines, is not an issue with any of the supervisors of elections in Florida or across the country.”
Secretary of State Detzner’s staff took part in a Sept. 30 conference call about elections security with the FBI and a number of supervisors of elections, including Leon County’s then-Supervisor Ion Sancho.
An official who was on the call said at the time a “malicious” incident that occurred in Florida was discussed, but no election systems had been hacked. Sancho said at the time he was not aware of any vulnerability to the state, but he noted that additional security steps would be taken.
On Tuesday, Sancho said in an interview that federal law enforcement never said which vendor or foreign country was involved in the attack, though he surmised the culprit was Russia. He also said the feds never followed up with his office to detail exactly what had happened. He didn't know the full story until reading coverage of the leaked documents.
"Secrecy is never a healthy thing in American elections," said Sancho, a nationally recognized elections expert. "We really do need to know what's going on in order to protect ourselves from it. And hiding the truth from the American public is a prescription for disaster."
Sancho noted the Leon County Supervisor of Elections Office is one of the few in the state and the country to conduct forensic audits after elections to confirm the accuracy of every vote cast.
"A majority of Florida counties and a majority of jurisdictions in the country do not engage in this practice," Sancho said. "It's crazy."
David and Jane Watson of Tallahassee started VR Systems in 1992. It was founded in part to help the Leon County Supervisor of Elections Office move its voter registration data from the county’s mainframe to a custom-made system, Earley said. It sold its first system to Leon County the following year.
The company created and patented an electronic poll book system designed to replace old paper systems at polling locations and speed up voter check-ins. The Electronic Voter Identification system, known as EViD, is in use in more than 50 Florida counties, including Leon, Broward and Miami-Dade. The company, which became employee-owned in 2010, serves clients in more than a dozen states.
Over 2014 and 2015, the Leon County Supervisor of Elections Office spent $711,000 to purchase nearly 330 electronic poll books from VR Systems. The office also has annual contracts with the firm totaling about $105,000.
Last year, during the Aug. 30 election night, a clerical error at VR Systems’ office in Tallahassee caused erratic and incorrect results to be posted online in several Florida counties, including Leon and Broward.
But Earley said the firm is widely respected and has been proactive in solving any unexpected problems that arise.
“VR Systems is a very highly regarded outfit that has grown up as a company deeply rooted in the elections world,” Earley said in an email. “They understand the high importance of security in the elections environment, and I believe they have been good stewards of the trust the elections community has placed in them.”
Company officials did not make themselves available for questions. In a statement to clients and the media, VR Systems noted that none of its products involve ballot marking or tabulation.
“We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats,” CEO Perkins said. “We have policies and procedures in effect to protect our customers and our company.”
REACTION FROM AROUND FLORIDA
Supervisors of elections around Florida defended the electoral process Tuesday after a leaked NSA document revealed that a Florida elections software and hardware company, VR Systems, was targeted by Russian hackers in a growing scandal around the 2016 election.
Lee County is among Florida counties using voter registration systems provided by VR Systems.
Election officials say the system is not used to tabulate votes but to sign up and verify registrations.
“The delineation has nothing to do with counting votes at all, that’s a tabulation that is separate from the voter registration system which is ‘who can vote’,” said Todd Putnam, systems administrator for the Lee County Supervisor of Elections.
“Once the people have cast votes ballots it goes to separate system,” Putnam said. “VR Systems does not make or sell any piece of equipment that tabulates a single vote.”
Putnam said that on hearing of the issue with VR systems, the county scanned its email system and found no emails received from an account email@example.com which was implicated in the database intrusions reported elsewhere.
“Ninety percent of the information in our voter registration database is public record, all someone has to do to ‘hack us’ is call and pay the $10 fee,” Putnam said. “All that is not public are Social Security numbers and other information that is legally private.”
Brevard County Supervisor of Elections Lori Scott posted the following statement on her office’s website:
“With the arrest of Reality Leigh Winner for releasing top-secret NSA documents, Russia’s attempts to access voter information is once again in the headlines. Security remains one of my top priorities.
“Prior to the 2016 presidential election, I, along with my fellow Florida supervisors, was communicating with the FBI and Homeland Security to guard against phishing attempts to access voter information (registration), whether by Russia or any other source.
“There is no indication or record of any attempt to illegally access Brevard County voter information.
“As a reminder, our election tabulation system is a closed system, with no direct access to the internet. Every election is verified with a post-election audit conducted where votes tabulated are verified against your paper ballot, as prescribed by state law.”
Collier County Supervisor of Elections spokeswoman Trish Robertson said an employee in her office also received one of the suspicious VR System emails. But that employee followed directions from the company and did not click on the malicious email link.
Robertson said VR Systems manages the software Collier County Supervisor of Elections employees use to maintain its voter database. The information in the system was never compromised, Robertson said.
“We were warned about something happening and VR gave us instructions on what to do,” Robertson said. “We still have a good relationship with them.”
In northwest Florida, Escambia and Santa Rosa counties both use VR Systems. David Stafford, supervisor of elections in Escambia County, said the county is one of 60 plus Florida counties that use VR Systems to interface with the Florida Voter Registration System and uses VR System for an electronic poll book, known as EViDs.
“My experience over the years is that VR Systems is a highly capable company with a proven track record here in Florida,” Stafford said. “Security is an increasingly important concern for anyone dealing with information technology, and I’m very confident in VR’s commitment to helping provide us the tools to do our job in the most effective and secure means possible.”
USA TODAY NETWORK - Florida contributed to this report.