What happened when Russian hackers targeted the U.S. election infrastructure?

Russian operatives launched a widespread cyberattack against state voting systems during the 2016 presidential election. Former officials say no votes were changed but an Election Day attack could have created chaos at the polls

The US intelligence community has concluded there is no doubt the Russians meddled in the 2016 US presidential election, leaking stolen e-mails and inflaming tensions on social media.  While Congress and Special Counsel Robert Mueller investigate Russian interference, including whether the campaign of Donald Trump colluded with Russia, we focused on one vector of the attack on American democracy:  the sweeping cyber assault on state voting systems that US intelligence tied to the Russian government.  You're about to hear what happened from the frontline soldiers of a cyberwar that was fought largely out of public view.  As we first reported in April, it took place on digital battlegrounds in states throughout the country.  

hack1.jpg

The first shots were fired here in Illinois, not far from downtown Springfield, in a nondescript shopping center, the kind you'll find anywhere in the United States. There, in a repurposed supermarket, is the headquarters of the Illinois State Board of Elections.

Bill Whitaker: This doesn't look like a war zone.

Steve Sandvoss: No, it doesn't, actually.

Steve Sandvoss is the executive director.  He told us, in his first television interview about the attack, that this office is on the front lines of a cyberwar.

Steve Sandvoss: We have-- a good I.T. department. But --

Bill Whitaker: No match for the Russian government.

Steve Sandvoss: Bows and arrows against the lightning, hate to say it.

Bill Whitaker: Bows and arrows against the lightning? Is that what it felt like?

Steve Sandvoss: At-- at first, yes.

He vividly remembers the call from his IT director on July 12th, 2016 just weeks after the Democratic National Committee announced that Russian hackers had infiltrated its computer network.

Steve Sandvoss: I picked up the phone. And it's like, "Steve, we got a problem." And I said-- "Okay, what happened?" He says, "We've been hacked." I said, "Oh my God."

A staffer noticed the server for the voter registration database, with the personal information of 7.5 million Illinois voters, had slowed way down. The IT team discovered a malicious attack -- a barrage of digital hits.

Steve Sandvoss: I suppose you could analogize it to a fast-growing tumor-- in the system. it was unlike anything we had ever seen.

Bill Whitaker: Did you determine what they were after?

Steve Sandvoss: It was of a very random nature.

Bill Whitaker: They weren't looking for all the Democrats or all the Republicans or all the people who lived in one district or another?

Steve Sandvoss: There was no rhyme or reason to it.

Steve Sandvoss showed us the voter registration website where the hackers exploited a security flaw to get in. His IT team determined the attackers had been in their system unseen for three weeks. They only noticed when the hackers suddenly ramped up their attack and, in just a couple of hours, scooped up complete records of 3,500 voters, and bits of information on as many as a half million. His engineers upgraded the firewall and plugged the website holes. That stopped the data heist, but not the attack.

hack-3.jpg
Steve Sandvoss speaks with 60 Minutes correspondent Bill Whitaker CBS News

Steve Sandvoss: The hits continued-- even though they weren't penetrating. the logs revealed that-- about a million and a half hits were coming in.

Bill Whitaker: A million and a half--

Steve Sandvoss: Yes. Yeah, five queries per second for a period of-- approximately 30 days.

Bill Whitaker: This almost seems like they wanted to be noticed?

Steve Sandvoss: The only thing they didn't do is identify themselves as the Russians.

Sandvoss says he suspected the hackers wanted to sow doubt about the integrity of the vote. Illinois notified the FBI.  

Anthony Ferrante: What Illinois discovered set off a chain of events that take us to today.

Former FBI agent Anthony Ferrante was director of Cyber Incident Response for President Barack Obama's National Security Council.   

Bill Whitaker: When you go in to investigate this intrusion that the State of Illinois saw, what did you see?

Anthony Ferrante: The F.B.I. identified digital fingerprints left by the intruder Think of it as a crime scene where fingerprints are dusted and pulled, we do the same thing when investigating-- a computer intrusion.

Bill Whitaker: And your analysis pointed the finger at Russia?

Anthony Ferrante: It did indeed.

hack9.jpg
Anthony Ferrante, who was director of Cyber Incident Response for President Barack Obama's National Security Council CBS News

The Department of Homeland Security was so alarmed by what it saw the Russians doing, it took the unprecedented step of arranging a conference call with election officials from all 50 states. The FBI put out this flash alert. But the intelligence community wasn't prepared to publicly implicate Russia, so the call and the alert simply warned states to be on the lookout for the kind of malicious attack that had hit Illinois.  

Bill Whitaker: Did information from other states start flooding in?

Anthony Ferrante: I would show up to work every single day and learn of two, three, four more states that had been actively targeted by the same actors. And it was after two or three weeks of this my colleagues and I said, "We have to believe that this is a large-scale, coordinated campaign to target every single state in the union."

Anthony Ferrante reported what he was learning to Michael Daniel, President Obama's cyber czar.   

Bill Whitaker: What was the reaction when you saw this in the White House?

Michael Daniel: I think that was at the point we realized that we were playing a different game, that we had thought that we were dealing with the normal sort of espionage routine that was associated with presidential elections. And we now realized that we were potentially dealing with something way more serious.

60 Minutes obtained this previously undisclosed Department of Homeland Security internal document that details the scope of the Russian cyberattack - a snapshot of what investigators were seeing on October 28th, less than two weeks before the presidential election. The document shows hackers tried to get into 20 state election systems and an election IT provider in Nebraska. Hackers successfully infiltrated Illinois, a county election database in Arizona, a Tennessee state website, and an IT vendor in Florida.  

Michael Daniel: But it was always our working assumption that we did not detect all of the potential Russian activity that was going on.

Bill Whitaker: There's other stuff that they might have done that we don't know?

Michael Daniel: It's entirely possible.

"We have to be prepared for wars without blood."

They quickly ruled out the Russians were tampering with voting machines. There are tens-of-thousands of them and they're not connected to the internet.  

Michael Daniel:  What seemed much more likely to us was causing chaos at the polls on election day. So if you intrude into a voter registration database, and you change two digits of everybody's address so that their voter ID doesn't match what's in the voter rolls when they show up at the polls.

Bill Whitaker: And that creates chaos?

Michael Daniel: Sure and those stories start to spread. Lines begin to-- to form. Election officials can't figure out what's going on you would only have to do it in a few places. And-- and it would almost feed on itself.

Compounding that worry: states were reluctant to accept cybersecurity help from Homeland Security. Under the Constitution, states run elections. Several pushed back against what they saw as federal intrusion, still unaware the threat was coming from Russia.

Bill Whitaker: Our system was under attack. Why not scream it from the top of the roof and let the states know that this was a serious and credible threat?

Anthony Ferrante: The Obama administration did not want to appear to be biased. We had a presidential candidate who was-- campaigning on the fact that the election was rigged and he wasn't certain he was going to get a fair shot at the presidency.

Donald Trump: And I'm afraid the election is going to be rigged, I have to be honest.

Anthony Ferrante: It was a very sensitive issue.

hack6.jpg
Michael Daniel, President Obama's cyber czar, with correspondent Bill Whitaker CBS News

On October 7th, three months after the Illinois hack and one month before the election, the Obama administration decided it had enough evidence to call out the Russians. But there was no press conference, no pronouncement from the Oval Office, just this three-paragraph statement saying the Kremlin, "intended to interfere with the US election process."

Bill Whitaker: Did that statement get the reaction that you would hope for?

Michael Daniel: There were some other news events that happened around the release of that statement that tended to swamp some of it out.

Bill Whitaker: The Access Hollywood tape--

Michael Daniel: --wood tape, yes.

The hacked e-mails of Hillary Clinton's campaign chairman John Podesta were also leaked the same day. The press and the public paid little attention to the administration statement on Russian hacking. So the National Security Council did something never done before – contacted Russia on the cyber hotline, a communication channel added to the old nuclear hotline in 2013 to prevent cyber war.

Bill Whitaker: So what did the message say?

Michael Daniel: It basically said, "We know that you are carrying out these kinds of activities. And stop. (LAUGH) Knock it off."

Bill Whitaker: Was that tough enough?

Michael Daniel: So I think certainly--

Bill Whitaker: Stop?

Michael Daniel: The fact that this was the first time we had ever exercised this channel, which was supposed to be, you know, for very serious cyber incidents and cyber issues-- I think that, in and of itself, sent-- sent a message.

The Russians brushed it off. The administration was bracing for the worst. It drew up this election day response plan which called for war rooms at the White House, the FBI, and Homeland Security, and planned for the unprecedented deployment of "armed federal law enforcement agents" should a cyberattack cause complete breakdown at a polling place. On election day, the teams saw no signs the Russians tampered with the vote.

Bill Whitaker: Why do you think they didn't pull the trigger on election day?

Anthony Ferrante: I don't know. I don't know if we'll ever know.

Bill Whitaker: Do you think they would have succeeded in creating chaos?

Anthony Ferrante: Absolutely.

The agency charged with helping states protect elections from attack is the Department of Homeland Security, DHS. The agency has been criticized for a slow response. We tried repeatedly to interview Secretary Kirstjen Nielsen or one of her deputies but DHS denied all our requests. Instead, we were directed to the Secretary's March testimony before the Senate Select Committee on Intelligence.  

Secretary Kirstjen Nielsen: The threat of interference remains and we recognize that the 2018 midterm and future elections are clearly potential targets for Russian hacking attempts.

Secretary Nielsen told the senators DHS is offering to run security checks of state online election systems. It's also granting security clearances for state officials to receive classified cyber threat briefings. Many senators expressed frustration with the agency's response.

Senator Angus King: With the possible exception of North Korea's nuclear weapons, this is the most serious threat that our country faces today and we are not adequately dealing with it.

Senator Susan Collins: I hear no sense of urgency to really get on top this issue.

With the midterm elections fast approaching, only 17 states have requested extensive, on site security checks from DHS.  So far, the agency has completed 16. Illinois, where it all began, didn't get its security check until May, six weeks after it held its primary election.  

Senator Kamala Harris: We have to be prepared for wars without blood.

Senator Kamala Harris, Democrat from California, and Republican Senator James Lankford of Oklahoma are on the Senate intelligence committee.  Democrats and Republicans don't agree on much, but there's bipartisan agreement on the committee that our democracy is under attack.

Bill Whitaker: What was the Russians' end game?

Senator Kamala Harris: To disrupt our democracy to disrupt-- Americans' confidence in their government and their democracy, and in that way, weaken our standing in the world.

Senator James Lankford: This could be the Iranians next time, could be the North Koreans next time. This is something that's been exposed as a weakness in our system that we need to be able to fix that, not knowing who could try to test it out next time.

Senators Lankford and Harris are backing legislation to set minimum cyber security standards and streamline communication between states and the federal government. But even that modest bill has languished in the Senate.  

Bill Whitaker: This does not seem like the kind of response that you would have to a nation under attack by a foreign power. Are we doin' enough?

Senator Kamala Harris: No. We're not doing enough. We're not doing nothing, but we are certainly not doing enough.

Since our story first aired, Special Counsel Robert Mueller indicted Russian intelligence agents for hacking into state election systems in 2016.  And just this month, the heads of DHS, the FBI, the NSA, and the director of national intelligence warned that Russia is still targeting US elections.  They said our democracy is quote "in the crosshairs."   

Produced by Marc Lieberman and Ali Rawaf. Associate producer, LaCrai Mitchell.

Editor's Note: This story originally aired on April 8, 2018.