DC Board of Elections breach: Voter data is now online and up for sale 

Earlier this month, the District of Columbia Board of Elections (DCBOE) warned that a threat actor may have gained access to the personal information of their registered voters. This would include personally identifiable information (PII) such as contact details, partial social security numbers, dates of birth, and driver’s license numbers.

In an X post on Friday 20th October, the agency was keen to stress that it was only a possibility the voter roll had been accessed. However, since then, the Outpost24 Threat Intelligence team (KrakenLabs) have been able to confirm that voter PII has been made available for purchase on dark web forums.

Attack summary

  • Who was targeted: DC Board of Elections
  • Attack type: Ransomware, Data exfiltration
  • Entry technique: Hacked third party web server
  • Impact: Stolen U.S. voter data
  • Who was responsible: RansomedVC (confirmed)

What’s been leaked and are victims at risk?

Threat group RansomedVC have claimed they extracted data from a stolen MSSQL database that contained the details of more than 600,000 voters from the District of Columbia. Since then, DCBOE have confirmed that the attack started through a breached web server operated by their hosting provider DataNet Systems. No internal DCBOE databases or servers were directly compromised. There is also some dispute about the number of records compromised, with DCBOE claiming that fewer than 4,000 registered voters from D.C. were affected.

Following the announcement of the leak, KrakenLabs identified several posts attempting to sell the records stolen during the attack. There was some disparity in the numbers, with some posts claiming to possess 600,000 records, and others up to 700,000. In the XSS forum, a user known as “UnsafeInternet” (a potential affiliate of RansomedVC) shared a sample of the stolen data. This included private information about the voters, including but not limited to social security numbers, driving licenses, and political affiliation, all of which could be leveraged in a plethora of social engineering attacks and scams.

This kind of hack poses significant risks to victims, as threat actors could exploit the data for identity theft and fraudulent financial activities. People are also at heightened risk of phishing, scams, and even physical risks to their safety due to their email addresses, phone numbers, and addresses becoming available. With voting data in particular, there’s also the added possibility of voter impersonation and election manipulation.

From their investigation into underground forums and Telegram channels, KrakenLabs were able to confirm from a leaked sample that the following data was compromised:

  • Full names
  • Voter IDs
  • Registration data and IDs
  • Driver license numbers
  • Party (political affiliation)
  • Phone numbers and email addresses
  • Dates of birth
  • Full addresses
  • Polling place names and addresses

Screenshot from the RansomedVC data leak site

Outpost24 analysis: Who are RansomedVC?

Outpost24’s threat intelligence solution contains the following information about the threat actor.

RansomedVC is a financially motivated group built on the traditional modus operandi of Ransomware-as-a-Service (RaaS) groups. However, unlike conventional ransomware groups, RansomedVC does not deploy ransomware with the intention of encrypting the victim’s information. It only carries out defacements of the victim’s infrastructure and exfiltration of data, later coercing the victim into paying to avoid the data being published on a dedicated Data Leak Site (DLS).

RansomedVC defines itself as a penetration tester group that ‘offers a secure solution for addressing data security vulnerabilities within companies’ and ‘seek compensation for their professional services.’ Moreover, the group claims that their ‘operations are conducted in strict compliance with GDPR and Data Privacy Laws. In cases where payment is not received, we are obligated to report a Data Privacy Law violation to the GDPR agency!’

That last claim points to a defining characteristic of the group: the extortion method it uses against its victims. Based on the data shown in their DLS, the group demands relatively low ransoms (from $8,000 up to $50,000) and claims to be ‘obligated’ to report to the corresponding regulators if a data privacy violation is committed. They are ‘forced’ to publish the information if the victim does not pay the ransom. In that case, the group claims that regulatory fines would reach a higher value than the amount initially demanded.

How to leverage threat intelligence for your organization

Threat Compass is Outpost24’s modular cyber threat intelligence solution, designed to detect and deter external threats to your business. Each Threat Compass module is backed up by our world-class in-house analyst team, KrakenLabs. The solution helps businesses identify targeted threats and reduce incident response times.

Threat Compass is especially useful if sensitive employee information has been compromised, as it can be leveraged by bad actors to target business accounts via social engineering attacks. Get a live demo today to identify your risk profile.

About the Author

Marcus White, Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.