The Department of Homeland Security is reviewing a cyberattack that occurred just weeks before the 2016 presidential primary. The Palm Beach County elections office was targeted by ransomware but never reported it.
(TNS) — Less than five weeks before Florida’s March presidential primary, the Department of Homeland Security is investigating a previously unreported cyberattack on Palm Beach County’s elections office, according to Supervisor of Elections Wendy Sartory Link.
Link, who was appointed last year by the governor to oversee the county’s beleaguered elections department, said she contacted the FBI in November after a veteran IT employee told her that the office had been infected by a ransomware virus only a few weeks prior to the 2016 election. The virus was not publicly disclosed in 2016.
Link said the FBI referred her to DHS, which sent a team of a half-dozen employees to her office late last month to do a “deep dive” into her department’s network. She said a report of their findings and recommendations is expected shortly.
“We’ve had the top experts in the country here and they spent a lot of time with our system. When we get the report, we’ll be able to take care of everything we can take care of,” Link said in an interview Thursday. “I wanted this done before March if at all possible.”
Florida’s presidential primary is March 17. Hundreds of thousands of mail ballots have already been sent to voters.
Link says she’s “confident” that Palm Beach County’s elections are secure given months of work with state and federal cybersecurity experts in efforts unrelated to the 2016 infection. But the revelation that the office had been infected by a virus — and that no one was told about it for three years — is raising alarms in a state that was heavily targeted in 2016 by Russian hackers attempting to tamper with U.S. elections.
U.S. Rep. Ted Deutch, D-Boca Raton, tweeted Thursday that he’s reached out to the FBI about the reported intrusion. U.S. Rep. Stephanie Murphy, an Orlando Democrat who has filed a bill that would create greater transparency around election-related cyberattacks, said Link’s “troubling” story reinforces the need for government to quickly alert the public to hacking attempts.
“It should not have taken the public this long to find out about this intrusion,” she said.
Link said she first became aware last fall that the Palm Beach County Supervisor of Elections office had been hit with a ransomware attack. She says she learned of the incident from a top technology employee while interviewing him to see if he was capable of filling in for her former IT director, who’d been fired following a scuffle with investigators looking into whether he’d possessed child pornography.
Link said the employee, Ed Sacerio, mentioned that he was unsure what ever came of a ransomware attack around Sept. 14, 2016, that had alarmed elections office workers and sent them scrambling to unplug computers. According to Link, multiple employees, including fired former IT director Jeff Darter, confirmed that a virus either began encrypting files or changing file names, and that text boxes began popping up demanding cash payments in exchange for the release of files.
She said she was told the compromised files were mostly Microsoft Word and Excel files. “Nobody has reported it had anything to do with voter files,” she said.
Sacerio told her that employees had printed out reams of code to try to document the attack. She said he later found the box full of paper in her former IT director’s office. She said she doesn’t believe anyone reported the incident or documented it internally.
“When I learned about it and I called the state Division of Elections and I called the FBI and my contact at Homeland Security, none of them were aware of it,” Link said. “And, in my conversation with our IT director, he did indicate, to his knowledge, that it hadn’t been reported.”
Susan Bucher, the former supervisor of elections in Palm Beach County who was suspended by Gov. Ron DeSantis following a problem-plagued 2018 election recount, told the South Florida Sun-Sentinel that she would “swear on a stack of Bibles” that her office was not the subject of a cyberattack.
But Link said she sent the box of printed-out code to the FBI, which informed her office that it appeared they’d been infected by a ZEPTO virus. The virus, deployed by hackers seeking a ransom, scrambles files and renames them “.zepto” until a decryption key is deployed.
The town of Palm Beach was infected with ransomware in 2016. Other municipalities, including Key Biscayne, were hit in 2019.
Florida Secretary of State Laurel Lee said Thursday that her office had not been told of the ransomware attack in Palm Beach County in 2016.
The FBI declined to comment. The Department of Homeland Security referred the Miami Herald to Palm Beach County.
Tammy Jones, the head of the Florida State Association of Supervisors of Elections, said it’s not that surprising that a cyberattack would have gone unreported in 2016. The state’s local elections officials became aware that summer that hackers were attempting to gain access into elections networks, but protocols for what to do and who to alert in case of a breach were less clear than they are today, she said.
“It’s just a known fact [now] that you report it” Jones said. “There was nobody to report it to in 2016.”
But Ion Sancho, a former Leon County elections supervisor who has been brought in as an expert witness in recent elections-related court cases, said the apparent decision not to report the ransomware attack threatens the credibility of elections. He noted that the FBI kept confidential that two of Florida’s elections offices had been breached until Special Counsel Robert Mueller detailed that information in his report last year into elections interference.
The FBI has since confirmed the breaches, but did not publicly disclose which two Florida elections offices were hit in 2016 — a lingering issue that Sancho said is “causing unease and uncertainty.”
“In order to not start a panic, you need accurate and truthful information,” Sancho said. “We need to make the information public and explain what safeguards were taken and what the ramifications might or might not be. Honesty is always the best policy. If the supervisor of elections loses credibility ... it could contribute to loss of faith in the process.”
Lee, the secretary of state, said through a spokesman that the state is committed to secure elections and noted the hiring of five cybersecurity navigators to help the state’s 67 elections departments. She said an elections-specific risk assessment has been conducted in every office, and the state has previously touted the widespread use of a new system that detects attempted cyberattacks.
“The department is working with each supervisor of elections to address any weaknesses or vulnerabilities that are identified in their county prior to the 2020 elections,” she said.
Link, who revealed the cyberattack Wednesday during an interview with the Palm Beach Post editorial board, said she’s positive that her office is not compromised as a result of the ransomware. She said the elections department has been working for months with the state’s cybernavigators, and there have been no indications that her office is compromised.
She said her office had also worked with the FBI and DHS before the ransomware attack was disclosed to her.
“We wanted to really be very secure. Understanding that sometimes viruses are attached to different types of things and can live in your system and hide there and be reactivated, we wanted to have somebody who really understood what they were doing come do this for us,” she said. “That’s what this last step is.”
©2020 Miami Herald, Distributed by Tribune Content Agency, LLC.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.