Forensic evidence shows signs that a Georgia election server may have been hacked ahead of the 2016 and 2018 elections by someone who exploited Shellshock, a critical flaw that gives attackers full control over vulnerable systems, a computer security expert said in a court filing on Thursday.

Shellshock came to light in September 2014 and was immediately identified as one of the most severe vulnerabilities to be disclosed in years. The reasons: it (a) was easy to exploit, (b) gave attackers the ability to remotely run commands and code of their choice, and (c) opened most Linux and Unix systems to attack. As a result, the flaw received widespread news coverage for months.

Patching on the sly

Despite the severity of the vulnerability, it remained unpatched for three months on a server operated by the Center for Election Systems at Kennesaw State University, the group that was responsible for programming Georgia election machines. The flaw wasn't fixed until December 2, 2014, when an account with the username shellshock patched the critical vulnerability, the expert’s analysis of a forensic image shows. The shellshock account had been created only 19 minutes earlier. Before patching the vulnerability, the shellshock user deleted a file titled shellsh0ck. A little more than a half hour after patching, the shellshock user was disabled.

A timeline provided by the expert shows the following:

12/2/2014 10:45 – the user mpearso9 is modified using the Webmin console

12/2/2014 10:47 - shellshock user created using Webmin console

12/2/2014 10:49 - /home/shellshock/.bash_history last modified

12/2/2014 11:02 - /home/shellshock/shellsh0ck file is deleted

12/2/2014 11:06 - bash patched to version 4.2+dfsg-0.1+deb7u3 to prevent shellshock

12/2/2014 11:40 - shellshock user disabled using Webmin console

There was more: The shellshock account’s bash_history—a file that typically records all commands executed by the user—contained a single command: to log out of the server. The expert said that the absence of commands showing the creation and later deletion of a file in the user’s directory was “suspicious” and led him to believe that the bash history was modified in an attempt to hide the user’s activity. The expert also noted that the patching of vulnerabilities is a common practice among hackers after breaking into a system. It prevents other would-be intruders from exploiting the same bugs.

Taken together, the evidence indicates that someone may have used Shellshock to hack the server, the computer expert said.

“The long unpatched software, unusual username, potentially modified command history, and near immediate patching of the shellshock bug are all strong pieces of evidence that an outside attacker gained access to the KSU server by exploiting the shellshock bug,” wrote Logan Lamb, who is an expert witness for plaintiffs in a lawsuit seeking an end to Georgia’s use of paperless voting machines. Lamb said more forensic analysis was required to confirm the attack and determine what the user did on the server.

Drupalgeddon and more

The affidavit comes 31 months after, as Politico first reported, Lamb discovered that the elections server at Kennesaw State University was unpatched against another high-severity flaw, this one in the Drupal content management system. The risk posed by the vulnerability was so great that researchers quickly gave it the nickname “Drupageddon.” Lamb’s discovery of the unpatched server happened in August 2016, 22 months after the flaw came to light and a Drupal update became available.

After reading the Politico report, a group of election-integrity activists sued Georgia officials and eventually sought a copy of the server in an attempt to see if it had been compromised through the Drupalgeddon vulnerability. The plaintiffs would later learn that Kennesaw officials had wiped the server clean two days after the complaint was filed.

The plaintiffs finally obtained a mirror image taken in March 2017 by the FBI. The bureau had been called in to determine if Lamb and another researcher had violated any laws. (The investigation later determined they had not.) State officials opposed the plaintiffs’ motion for a copy of the mirror image but eventually lost.

Evidence that the server may have been hacked through the Shellshock vulnerability wasn’t the only concerning thing Lamb said he found. He also found “scores of files” that had been deleted on March 2, 2017, shortly before the server was taken offline and handed over to the FBI. Lamb still doesn’t know what the deleted files contained, but based on the filenames, he believes they’re related to elections.

BallotStation

The mirror image also shows that direct-recording electronic voting machines used in Georgia were running outdated and vulnerable versions of software called BallotStation. Lamb also found that elections.kennesaw.edu, which state officials represented was supposed to be used for a few purposes limited to elections administration, was, in fact, used for a variety of purposes.

Additionally, he discovered that Drupal access logs, which store all requests made to the server, went back only to November 10, 2016, two days after the 2016 election.

“The missing logs could be vital to determining if the server was illegally accessed before the election, and I can think of no legitimate reason why records from that critical period of time should have been deleted,” Lamb wrote.

As Politico noted in an article posted on Friday, it’s not unusual for access-log data to be deleted over a set period of time. This Drupal.org page shows that, by default, the retention period is four weeks and that all data after that period will be deleted. That default, of course, can be changed. The span that passed between November 10, 2016—the first day reflected in the logs—and March 2, 2017, is 16 weeks.

In a statement, a spokesman for Georgia Secretary of State Brad Raffensperger wrote: “These plaintiffs have failed to prevail in the voting booth, failed in the General Assembly, failed in public opinion, and now, they are making a desperate attempt to make Georgia’s paper-ballot system fail as well by asking a judge to sabotage its implementation.” Through the spokesman, secretary of state officials declined a request for an interview.

Of most concern in Lamb’s affidavit is the evidence someone may have used the Shellshock vulnerability to gain unauthorized access to the elections server. If correct, it calls into question the integrity of Georgia voting machines during two elections.