Since early April, when Special Counsel Robert Mueller’s redacted report on the investigation into Russian interference in the 2016 presidential election was released, a storm of confusion and controversy has raged over what happened in Florida during that election. A cryptic passage in the Mueller report outlines how Unit 74455 of Russia’s military intelligence arm GRU sent “spear-phishing emails to public officials involved in election administration and personnel involved in voting technology.”

The Mueller report states that in August 2016, the GRU targeted employees of a voting technology company that “developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.” The voting technology vendor’s name was redacted in the report.

According to the Mueller report, an FBI investigation revealed that in November 2016 the GRU “sent spear-phishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election” and malware embedded in Word documents in those emails enabled the GRU to gain access to “at least one Florida county government.”

Russian phishing campaign targets VR Systems

While the Florida county breach was startling new information, the spear-phishing efforts mentioned in Mueller’s report were reported prior to the Mueller report’s release. In early 2017, former military contractor Reality Winner supplied to The Intercept evidence that the NSA had discovered that Russian military intelligence had sent spoofed emails (purportedly from Google) to an unnamed U.S. election software company. However, according to The Intercept, the NSA report contained references to a product made by VR Systems, a Florida-based vendor of electronic voting systems.
The NSA report on the incident found seven “potential victims” of the phishing emails but said it is unknown whether the emails successfully compromised the company and what potential data could have been exfiltrated.

According to The Intercept, the NSA did find that the Russian hackers sent spear-phishing emails crafted from a Gmail account to appear as if the emails were from an employee of VR Systems to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails were made to look like benign documentation related to VR Systems’ electronic pollbook, known as EViD, but in fact were embedded with malware that used Microsoft’s PowerShell scripting software to install a backdoor to enable the hackers to monitor the victims and install further malware. (An electronic pollbook is hardware, software or a combination of the two that allows election officials to review or maintain voter register information to verify voter information. Pollbooks do not count votes.)

Similar allegations resurfaced in a July 2017 indictment by the Special Counsel’s office against 12 Russian nationals who were charged with computer hacking conspiracies during the 2016 election. The indictment alleges that Russia had targeted a vendor of software systems used to verify voter information, known only as Vendor 1. The indictment also said that the GRU “used an email account designed to look like a Vendor 1 email address to send over 100 spear-phishing emails to organizations and personnel involved in administering elections in numerous Florida counties.”

No intrusion, no breach

VR Systems provides voting hardware and software to election jurisdictions in eight U.S. states, including at least 17 North Carolina counties.
One of those North Carolina counties, Durham County, claimed it experienced software issues with VR Systems' EViD electronic pollbook on election day in 2016, which forced poll workers to switch to paper poll books, causing voting delays that resulted in long wait lines at the polls.

Following the Mueller report’s release, North Carolina’s State Board of Elections wanted to know whether VR Systems was the company redacted from the Mueller report, whether VR Systems’ previous assurances about the security of its products were still valid, and whether its products will be secure in the future. The Board of Elections sent a letter to VR Systems on April 18 asking for "immediate, written assurance" about the security of its products.

In a successful legal action VR Systems brought against the State Board of Elections last year to prevent the board from decertifying its pollbooks, the company said during discovery that its EViD system had never been breached and if it had been, it would have discovered remnants of the attacks. Moreover, VR Systems said it had investigated what it admits was a Russian spear-phishing campaign against it but stated that none of its employees had opened the malicious emails and therefore no breach occurred.

In its April 22 response to the State Board of Elections letter, VR Systems said it “has no independent knowledge and is unable to confirm or deny whether it is Vendor 1” cited in the July 2017 Russian indictments or the redacted vendor in the Mueller report. The company said neither the DHS, the FBI, nor the NSA has contacted it about the specific “hacking” incident (quotation marks were VR Systems’).

In the letter, VR Systems defended its security by pointing to the fact it worked with DHS and a third-party cybersecurity vendor. The vendor found no indications of any kind of breach of or malware installed on its systems, the company maintains.
VR Systems said it offered to pay for third-party experts to examine those computers but the State Board of Elections refused the offer.

As NPR reported, in a statement issued on April 18 VR Systems said, “[w]e disagree with the Special Counsel report because top cybersecurity experts, along with the Department of Homeland Security, have tested our network multiple times since 2016 and they found no indication of a breach or installation of malware on our company network.”

On May 8, 2019, Senator Ron Wyden (D-OR), long an advocate for tougher election security measures, sent a letter to Mindy Perkins, CEO of VR Systems, raising both the Mueller report and the failure of VR Systems’ pollbooks in North Carolina, saying that the Mueller report’s claim about the malware infection of an election vendor did not jibe with VR Systems' denial that it had incurred a security breach. Wyden asked VR Systems to supply any reports or assessments that back up its claims. Wyden also asked VR Systems whether the company employed a CISO or comparable technologist in August 2016 and whether it had implemented the NIST Cybersecurity Framework in August 2016 or since.

Following Wyden’s letter to Perkins, company COO Ben Martin told Politico that after The Intercept published Reality Winner’s leak in 2017, the company engaged security firm FireEye to conduct a forensic examination of its own systems and network. “Based on analysis by FireEye, there was never an intrusion in our EViD servers or network,” Martin said.

If not VR Systems, who?

On May 14, Republican Florida Governor Ron DeSantis fostered even more confusion by hosting a press conference to say he had learned during an FBI briefing that two Florida counties were breached during 2016, not one as the Mueller report indicated.
DeSantis then sent the controversy into overdrive by adding that he had signed a nondisclosure agreement with the FBI barring him from publicly stating which counties were involved, although the counties themselves had been notified. “I think they [the FBI] think that if we name the counties, then that may reveal information to the perpetrators that we know kind of what they did,” Mr. DeSantis said. Two days later, the entire Florida congressional delegation was briefed by the FBI and they, too, are barred from publicly stating which two counties are involved.

Based on an intensive push by the media and citizen advocates, a tiny jurisdiction in the Florida panhandle, Washington County, and a larger central Florida county, Sumter County, issued what the Tampa Bay Times called “non-denial denials” that they were the two counties in question. Both supervisor of elections offices said they could neither confirm nor deny they were the counties penetrated by the GRU in 2016. In that same Tampa Bay Times article, however, both the current and previous supervisors of elections in Sumter County denied their jurisdiction was ever hacked, and the current supervisor of elections in Washington County denied to the Florida newspaper last year that her office was hacked.

If what VR Systems maintains is true, that the GRU did not implant malware on its systems as the Mueller report indicates, then a host of questions arise about who the redacted vendor mentioned in the Mueller report is and how the Russian hackers gained access to at least one Florida county.

The easiest answer to the latter question is that regardless of whether VR Systems was hacked, the information available suggests a phishing email with a malware attachment was sent directly by the GRU to at least one Florida county and was spoofed to look like it came from VR Systems.
VR Systems itself says that this scenario is likely the case.

In a May 14 statement, the company said, “After receiving a media inquiry based on Governor Ron DeSantis’ comments, we immediately called our contact at the FBI who confirmed what we said all along. VR Systems was not the source of any penetration into any county supervisor of elections systems. Based on this information, we stand by our assessment that a spear-phishing email impersonating our company was the likely source.”

This scenario is consistent with a spoofed VR Systems email that The Intercept obtained and published in June 2018. It also aligns with a Sun Sentinel newspaper investigation that found that at least 13 and as many as 20 election offices out of all the 67 Florida counties admitted they received a GRU phishing email from a Gmail account that appeared to come from VR Systems. (Importantly, Sumter County, one of the counties suspected of being breached by the GRU, denied receiving a GRU phishing email to the Sun Sentinel.)

Skilled hackers hide their tracks

Whether or not any Florida counties were penetrated via malware-laden phishing emails sent directly from the GRU, and not from a compromised VR Systems network, some election-related security professionals contend that there is also little doubt VR Systems was compromised. Jake Williams, founder of computer security firm Rendition Infosec and a former member of the NSA’s elite Tailored Access Operations (TAO) hacking team, thinks VR Systems can’t deny it was compromised. “There’s no question that some portion of their data has been compromised,” he tells CSO.

If that’s the case, another explanation for the apparent contradiction between what the Mueller report says and what VR Systems argues is that VR Systems may not really know the truth, which could be due to a lack of skill in understanding what happened, a lack of sufficient network monitoring or non-existent forensics.
“Knowing how these systems are built, and knowing how little information is preserved, a lot of these systems don’t log the forensic information. It’s mindboggling how there is a fundamental lack of [security] skills,” Harri Hursti, founding partner of Nordic Innovation Lab and a noted election security expert, said. Moreover, it appears that some election vendors, despite what their marketing materials may say, are likely vulnerable to attack. “These are not hardened systems at all,” Hursti said.

Even VR Systems’ reliance on FireEye’s assessment that no malware could be found on its network is not solid proof that the GRU didn’t implant malware on its systems back in 2016 because it’s not clear whether FireEye or any other reputable security firm was monitoring VR Systems’ systems back in 2016. “No one has asked them if before 2016 ‘did you have independent security evaluation of your software?’” Hursti said.

Moreover, finding evidence of a breach by the GRU after the fact is likely an insurmountable challenge for a company like VR Systems given the ability of the GRU to deploy top-notch stealth attacks and engage in cutting-edge measures to erase or alter their tracks. “Something that quacks like a duck, walks like a duck might not be a duck,” according to Hursti. He offered an example of a recent incident where a Microsoft messenger worm was found in a voting server. It was quickly removed and the system was brought back up right away. “Maybe the attacker put it there to get them to reboot the server. Might be a duck but the duck is hiding,” he said. “You have to think of the sophistication of the attacker.”

Were other voting machine vendors hacked?

Finally, there is the prospect that the vendor mentioned in the Mueller report is not VR Systems at all.
Some election security and intelligence experts have privately floated the notion that multiple vendors were targeted and possibly breached in 2016, even if the Mueller report mentions only one vendor. “It wouldn’t surprise me if there is another vendor who was compromised,” Rendition Infosec’s Williams said. “I don’t think there’s any question that that should be a concern.”

The New York Times reported in September 2017 that, in fact, current and former intelligence officials said that Russian hackers breached at least two other providers of critical election services that were not VR Systems well ahead of the 2016 voting. “I don’t think it stops at two,” Hursti said.

Security experts CSO spoke with identified one vendor who is not VR Systems and who supplies election services to multiple Florida counties as a provider that had possibly been targeted by the Russians. This vendor denies any knowledge of being targeted or hacked by the GRU during 2016. “We have simply not been notified of any kind of breach and we have never been a part of this and we have absolutely no reason to believe there has ever been a breach associated with us and I’m not sure why I’m talking to you,” the CEO of the vendor tells CSO.

Messages left at the FBI media relations portal seeking comment on the idea that any other vendor has also been targeted by Russia did not receive a response. Multiple messages left for VR Systems and the North Carolina State Board of Elections seeking comment for this column likewise did not receive responses.