Updated at 5:18 p.m., Oct. 30: A computer hacker who took over Hall County networks in a ransomware attack earlier this month has released election files after a ransom was not paid, the Wall Street Journal has reported. But a state voting system expert says the attack did not penetrate a voter registration database.
The website of the DoppelPaymer ransomware group claims that Hall is one of several organizations whose “time to pay is over.”
The Wall Street Journal’s review of the files found named individuals with provisional ballots that were flagged for signatures not matching; voter names and registration numbers; and an election equipment inventory. The Times has been unable to independently confirm the Journal’s reporting.
County spokeswoman Katie Crumley declined to comment Friday, Oct. 30, on details about the ransomware attack. The county released a statement on its website addressing the concerns.
“Hall County officials want to specifically highlight that the elections process has not been compromised in any way, and a voter's ability to safely and securely vote is still in place,” the statement reads. “For security purposes, specifics related to the ransomware attack itself are not being released.”
Commissioner Billy Powell said the county has still not received a ransom request from the hackers.
Richard Higgins, Chairman of the Hall County Board of Commissioners, as well as Commissioners Kathy Cooper and Jeff Stowe, declined to comment, referring questions to Crumley.
Commissioner Shelly Echols did not respond to requests for comment Thursday and Friday.
The attack has slowed the process of verifying voter signatures on absentee ballots, The Times has previously reported. One of the databases used to verify signatures has been down, although signatures can be manually verified and some are available on a state database that has been unaffected. Voting machines are provided by the state and were unaffected by the attack on county networks.
Gabriel Sterling, Georgia's statewide voting system implementation manager, said the computer that was hacked isn’t connected to any voting machines, and the hacker did not penetrate the state’s voter registration database.
"There is no connective tissue between those things, so I want to put everyone's mind at ease on that," he said in a statement.
The attack “never touched the state system,” Sterling said.
"They weren't targeting an election system. They were just targeting anywhere where they could get in," he said.
Under state law, all voter data is public record, with a few exceptions — month and day of birth, Social Security numbers, email addresses, driver’s license numbers and bank statements that voters may present to confirm their identity.
While the full birthdate of a voter is private, the year they were born is public record. What someone selects on their ballot also remains private and is not public record.
The DoppelPaymer ransomware is an “advanced cyberattack” because it combines the “ransomware approach and the data breach approach in one event,” according to Ash Mady, department head for computer science and information systems at the University of North Georgia.
Ransomware attacks, which cut off file access and demand a payment in exchange for restoring access, do not always involve stolen information, Mady said. But DoppelPaymer both locks files and accesses information, he said.
“This software runs a process on the computer to prevent the computer from acting to protect itself. It stops everything to react,” Mady said. “Then, the malware starts extracting the files and encrypting these files to prevent access to it.”
Mady said hackers usually start by releasing a few files.
“After this process is completed and the actors … have the information, they tend to release a few files online to bring awareness, show credibility of what they have and the success of their process, as well as put pressure, significant pressure, on the victim, stating that if you don’t comply with our demands, we will release the rest of the information out there,” he said.
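The sequence Mady describes, defenses stopped first, then data exfiltrated, then files encrypted, is also the order a defender can look for. The following is an added example written for this article, not code from the county, the attackers or any named vendor: a small Python detector run over a constructed file-activity and network log. The log format, host names, service names ("WinDefend", "BackupSvc"), addresses and the ".locked" suffix are all assumptions made for illustration; nothing here is drawn from the Hall County incident itself. The detector only raises an alert when the three stages occur on one host, in that order, inside a time window, which is why the unrelated large upload from "ws17" in the sample does not fire.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (illustrative, not real county data).
# One event per line: <ISO timestamp> key=value key="quoted value" ...
SAMPLE_LOG = [
    # fs01: defenses stopped, bulk outbound transfer, then mass rename
    '2020-10-07T02:11:04 host=fs01 type=process user=svc1 cmd="sc stop WinDefend"',
    '2020-10-07T02:11:05 host=fs01 type=process user=svc1 cmd="net stop BackupSvc"',
    '2020-10-07T02:15:10 host=fs01 type=netconn dst=203.0.113.7:443 bytes_out=734003200',
    '2020-10-07T02:16:40 host=fs01 type=netconn dst=203.0.113.7:443 bytes_out=912000000',
    # ws17: a large upload with no prior tampering and no renames (benign)
    '2020-10-07T02:20:00 host=ws17 type=netconn dst=198.51.100.9:443 bytes_out=1200000000',
] + [
    f'2020-10-07T02:{30 + i // 60:02d}:{i % 60:02d} host=fs01 type=file op=rename '
    f'path="E:/shared/report{i}.docx" new="E:/shared/report{i}.docx.locked"'
    for i in range(80)
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split '<ts> k=v k="v v"' into a dict; the timestamp becomes a datetime."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


# Service names an attacker would stop first (assumed names, site-specific in practice)
PROTECTION_SERVICES = {"windefend", "backupsvc"}
STOP_RE = re.compile(r"\b(?:sc|net)\s+stop\s+(\S+)", re.I)


def stops_protection(ev):
    """Stage 1: a process event that stops a protection service."""
    if ev.get("type") != "process":
        return False
    m = STOP_RE.search(ev.get("cmd", ""))
    return bool(m) and m.group(1).lower() in PROTECTION_SERVICES


def detect_double_extortion(lines, window=timedelta(hours=1),
                            exfil_bytes=500 * 2**20, min_renames=50):
    """Return one alert per host where, within `window` of a stage-1 event,
    one destination received >= exfil_bytes (stage 2) and afterwards at least
    min_renames files gained the same new suffix (stage 3)."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        tamper = next((e for e in evs if stops_protection(e)), None)
        if tamper is None:
            continue                      # no stage 1: nothing to correlate
        deadline = tamper["ts"] + window

        # Stage 2: bytes sent per destination after defenses were stopped
        sent = defaultdict(int)
        first_seen = {}
        for e in evs:
            if e.get("type") == "netconn" and tamper["ts"] <= e["ts"] <= deadline:
                sent[e["dst"]] += int(e["bytes_out"])
                first_seen.setdefault(e["dst"], e["ts"])
        heavy = {d: b for d, b in sent.items() if b >= exfil_bytes}
        if not heavy:
            continue
        dst = max(heavy, key=heavy.get)

        # Stage 3: renames that append one common suffix, after the transfer began
        suffixes = Counter()
        for e in evs:
            if e.get("op") == "rename" and first_seen[dst] <= e["ts"] <= deadline:
                old, new = e["path"], e["new"]
                if new.startswith(old) and len(new) > len(old):
                    suffixes[new[len(old):]] += 1
        if suffixes:
            suffix, n = suffixes.most_common(1)[0]
            if n >= min_renames:
                alerts.append({"host": host, "tamper": tamper["cmd"], "exfil_dst": dst,
                               "exfil_bytes": heavy[dst], "suffix": suffix, "renamed": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_double_extortion(SAMPLE_LOG):
        print(alert)
```

The thresholds (500 MiB outbound, 50 renames, one-hour window) are starting points to tune against a site's normal backup and sync traffic; the ordering constraint is what keeps a legitimate nightly upload or a bulk archive job from looking like extortion.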
It is unclear where DoppelPaymer attacks originate, Mady said.
“They are typically groups of smart people, unfortunately with malicious intent. They create these things, and they could be collaborating online from various locations,” he said. “... They might not be from one country or one location.”
The hackers’ motivation is usually financial, Mady said.
“Even if it comes at the time of elections, that may have some characteristics of being political, still the actors will get paid from one source or another,” he said. “The bottom line of attacks like this is financial."
The attacks usually originate from an infected website or email, Mady said.
Douglas Orr, department head for criminal justice at UNG, echoed Mady, saying hackers’ main motivation is a payout.
Orr said about 75% of organizations that are hacked have strong virus protection programs. The incidents often start internally, with an employee accidentally clicking an infected link or file in an email, he said.
Many ransomware cases go unreported to law enforcement because some companies, especially financial institutions, do not want to admit that they have been hacked, Orr said. Law enforcement recommends that companies not pay the ransom demand, he said.
“(That) behooves the company to have a very, very good backup system, so that they can wipe and go,” Orr said.
Crumley declined to comment Friday on whether law enforcement was involved in the county’s ransomware case.
Under the Georgia Personal Identity Protection Act, state and local agencies are required to notify those affected when some information — such as Social Security numbers, driver’s license numbers, bank account, credit and debit card numbers or account passwords — is leaked in a data breach. But the notification may be delayed as law enforcement investigates.
That state law took effect in 2007 and was co-sponsored by Gainesville’s State Rep. Lee Hawkins, according to the Georgia General Assembly website.
Mady recommended that citizens take precautions to protect their own information, especially as more people work from home and do business online during the COVID-19 pandemic.
“Now, online threats are more significant than any time before, because we are more online than any time before,” Mady said.
Mady said people should avoid using the same password for multiple accounts and keep separate computers for work and personal use if possible. He said accounts should also be set up using two-factor authentication, which requires someone to verify the account on two devices — for example, when a website sends a user a text message with a code to enter after logging in on their computer.
People should not wait for an incident to take precautions, either, Mady said.
“You have a lock on your house door. You don’t put on the lock after you get an incident of theft,” Mady said. “This is a good practice, whether your house has been threatened or not.”