Questions have lingered for two years about whether Russians hacked a Florida maker of election-related software in the run-up to the 2016 presidential elections.
VR Systems acknowledges that Russian hackers targeted several of its employees in a spearphishing campaign in August 2016, but has long insisted its systems weren’t compromised.
But the recent report by special counsel Robert Mueller and the 2018 indictment of 12 Russian military officers indicate otherwise. Both say a company fitting VR Systems’ description was successfully hacked by the Russians and that the attackers installed malware on the company’s network.
Now, Sens. Ron Wyden (D-Ore.) and Amy Klobuchar (D-Minn.) are hoping to extract answers from the FBI and resolve this contradiction. They sent a letter on Wednesday morning to the bureau asking what steps it took in 2016, if any, to examine VR Systems’ servers for evidence of a breach.
The FBI has the ability to resolve the discrepancy between the company’s words and the government report, since its investigation of the Russian hacking operation is evidently the basis for the assertions in the Mueller report and indictment. But the bureau has so far refused to answer questions from POLITICO and others about VR Systems, including whether it conducted any forensic investigation of the company’s network in 2016 after VR Systems reported the spearphishing campaign to it.
If the FBI didn’t do a forensic exam, it raises questions about how it could know whether or not the company was hacked.
In addition to finding out what, if any, investigation the FBI completed, the lawmakers want to know if its agents ever reviewed the findings of a forensic investigation report produced by FireEye, which VR Systems hired in 2017 to determine if the Russian spearphishing campaign the previous year succeeded.
VR Systems has never responded to questions from POLITICO about whether the FBI conducted a forensic investigation of its systems and network in 2016 or if, at the very least, the bureau obtained mirror images of its hard drives to preserve for a later forensic investigation if needed.
The FBI also would not tell POLITICO if it obtained mirror images.
But POLITICO recently learned that FBI agents did visit VR Systems’ offices in 2016 after the company reported the spearphishing campaign to it, according to someone familiar with the issue. VR Systems made the revelation in a conference call with North Carolina election officials in April to discuss the Mueller report, according to someone familiar with the call.
VR Systems told the officials that the FBI “looked” at its system, according to the person, though it’s not clear what that entailed. North Carolina officials didn’t ask the company to clarify if that meant the FBI did a forensic investigation or merely took a cursory look at the systems, the person told POLITICO.
Resolving the question of whether VR Systems was hacked is particularly important because, as POLITICO recently reported, the company remotely accessed a county machine in North Carolina the night before the 2016 election. If the company was hacked, a remote-access connection to its customers would allow any intruders on its network to potentially breach customer networks as well.
In a letter Wyden sent the company last month, he asked what was the basis for its assertion that it had never been hacked — had any private security firms or government agencies conducted a forensic investigation? In VR Systems’ reply, it cited the FireEye investigation and report done in 2017 and a “hunt” that a DHS team conducted in its network in 2018, looking for malware or signs of a breach. It did not mention any investigation or findings by the FBI.
Notably, in its phone call with North Carolina officials last month, the company revealed that it had contacted the FBI in 2017 following the publication of a leaked NSA document, the person familiar with the call told POLITICO.
That document was the first to indicate that a Russian spearphishing campaign against a company fitting VR Systems’ description may have breached the email account of at least one employee. VR Systems contacted the FBI seeking a retraction or public clarification of the information in the NSA document so that people wouldn’t wrongly conclude the company had been hacked, according to the account the company gave North Carolina election officials on the conference call, the person said.
VR Systems reminded the FBI that the company had determined that no employee had clicked on the malicious emails, the person said. But the FBI felt there was no need to change or rectify the information in the NSA document, since the document didn’t assert definitively that an employee had clicked on a malicious link or that the company had been hacked, only that an employee may have clicked on the link, according to the account VR Systems gave North Carolina officials on the phone, the person said.