Cyber Incident Victim: Center for Election Systems at Kennesaw State University
Date: Dec 2014
Location: United States of America
Summary
A server managed by the Center for Election Systems at Kennesaw State University, responsible for Georgia election machine programming, exhibited multiple security failures including prolonged exposure to critical vulnerabilities like Shellshock and Drupalgeddon. Forensic analysis revealed suspicious activity tied to an unauthorized user account created to patch Shellshock, accompanied by deleted files and altered command logs, suggesting potential exploitation. Additional files related to elections were deleted shortly before the server was turned over to law enforcement. The server was wiped after legal action sought to investigate compromise risks, complicating efforts to confirm the extent of unauthorized access or data manipulation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
A Georgia election server managed by the Center for Election Systems at Kennesaw State University (KSU) exhibited critical vulnerabilities that may have allowed unauthorized access between 2014 and 2017. Forensic analysis of a server image revealed the system remained unpatched against Shellshock—a severe Linux/Unix vulnerability allowing remote code execution—for three months after its September 2014 disclosure. On December 2, 2014, an account named "shellshock" was created via the Webmin console at 10:47 AM. Within 19 minutes, this user deleted a file titled "shellsh0ck" and patched the bash software to address Shellshock at 11:06 AM before being disabled at 11:40 AM. The account's bash_history file contained only a logout command, with no records of the file deletion or patching activities, suggesting potential tampering to conceal actions. Security expert Logan Lamb noted these anomalies—including the unusually named account, missing command history, and immediate patching—as indicators that an external attacker likely exploited Shellshock to gain access.

Further investigation revealed additional security lapses. The same server was found unpatched against "Drupalgeddon," a critical Drupal content management system vulnerability, in August 2016—22 months after the flaw's disclosure and available patch. This discovery prompted election-integrity activists to sue Georgia officials, seeking server access to assess potential compromises. KSU officials wiped the server clean two days after the lawsuit filing, though plaintiffs later obtained an FBI forensic image from March 2017. Analysis of this image showed scores of election-related files were deleted on March 2, 2017, shortly before the server was decommissioned and handed to the FBI. The bureau had previously investigated whether researchers violated laws by accessing the unpatched server but found no wrongdoing. Lamb's affidavit emphasized that while the Shellshock evidence strongly suggested intrusion, full confirmation required additional forensic work to determine the attacker's activities during the access period.
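The indicators Lamb's affidavit relies on (an account named after the vulnerability it was used to patch, a lifetime of under an hour, a bash_history that records nothing but a logout while the management console logged a file deletion and a package install, and a deleted file whose name is a look-alike of the account name) are the kind of cross-source inconsistency a reviewer can test for mechanically. The script below is an added example and is not part of this record or of any forensic tooling used in the case; the audit log format and the "webmin" source field are constructed for illustration, and the sample records simply follow the timeline described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import os

# Constructed sample records (not taken from the real server image): a
# management-console audit trail in a made-up line format, and the shell
# history recovered for the same account. Times follow the incident timeline.
AUDIT_LOG = """\
2014-12-02 10:47:00 webmin useradmin create user=shellshock
2014-12-02 10:55:12 webmin filemanager delete user=shellshock path=/root/shellsh0ck
2014-12-02 11:06:40 webmin software install user=shellshock pkg=bash
2014-12-02 11:40:03 webmin useradmin disable user=shellshock
"""

BASH_HISTORY = "logout\n"  # constructed: the only command the history holds


@dataclass
class AuditEvent:
    ts: datetime
    module: str
    action: str
    fields: dict = field(default_factory=dict)


def parse_audit(text):
    """Parse the constructed 'date time source module action key=value...' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, _source, module, action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(AuditEvent(datetime.fromisoformat(f"{date} {clock}"), module, action, fields))
    return events


# Crude look-alike normalisation so 'shellsh0ck' compares equal to 'shellshock'.
LEET = str.maketrans("013457", "oleast")
VULN_NAMES = ("shellshock", "drupalgeddon")  # constructed watch list of vulnerability names


def normalise(name):
    return name.lower().translate(LEET)


def assess_account(user, events, history, max_lifetime=timedelta(hours=2)):
    """Return a list of indicator strings for one account, cross-checking the
    console audit trail against the account's shell history."""
    mine = [e for e in events if e.fields.get("user") == user]
    findings = []

    # 1. Account named after a known vulnerability.
    if normalise(user) in VULN_NAMES:
        findings.append("account name matches a vulnerability name")

    # 2. Account created and disabled within a short window.
    created = next((e.ts for e in mine if e.action == "create"), None)
    disabled = next((e.ts for e in mine if e.action == "disable"), None)
    if created and disabled and disabled - created <= max_lifetime:
        findings.append(f"short-lived account: active for {disabled - created}")

    # 3. Privileged actions in the audit trail but nothing in bash_history
    #    beyond session bookkeeping commands.
    actions = [e for e in mine if e.action in ("delete", "install")]
    commands = [l.strip() for l in history.splitlines()
                if l.strip() and l.strip() not in ("logout", "exit")]
    if actions and not commands:
        findings.append(f"{len(actions)} audited actions but no commands in bash_history")

    # 4. Deleted file whose name is a look-alike of the account name.
    for e in actions:
        if e.action == "delete":
            base = os.path.basename(e.fields.get("path", ""))
            if base and normalise(base) == normalise(user):
                findings.append(f"deleted file {base!r} named like the account")

    return findings


def main():
    events = parse_audit(AUDIT_LOG)
    for finding in assess_account("shellshock", events, BASH_HISTORY):
        print("INDICATOR:", finding)


if __name__ == "__main__":
    main()
```

Each indicator on its own is weak (administrators do create throwaway accounts, and an empty history can simply mean the shell was never interactive), which is why the function reports all of them together rather than a verdict; the affidavit's point was the same, that the combination warranted deeper forensic work, not that any one anomaly proved intrusion.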
