State Dept. using email software the NSA says is being exploited by Russian hackers, report says

The cybersecurity firm Area1 says candidates and agencies using the software are vulnerable to the same Russian operatives who hacked Democrats in 2016.
[Image: Three policemen patrol Red Square in Moscow on May 17, 2020. Yuri Kadobnov / AFP - Getty Images]

By Ken Dilanian

WASHINGTON — The State Department, local governments and at least 50 candidates running for election in 2020 are using email software that the National Security Agency says is being exploited by Russian government hackers, according to a new report by a cybersecurity firm.

Area1, a Silicon Valley security firm, says in its report that candidates and government agencies using the software are leaving themselves vulnerable to the same Russian operatives who hacked the Democrats to interfere in the 2016 presidential campaign.

If the hackers take advantage of the software flaw, "they can exploit the email server and become an administrator on it, which means they can create new email accounts and they can start sending email from [your address]," said Oren Falkowitz, Area1 co-founder and a former NSA cyber warrior. "They can use it to get further into your network."

It is not known if the entities identified in the report have been victimized.

Cybersecurity firms can determine who is using the software, known as Exim, by conducting scans of ports open to the internet.

"Within the United States government, Exim servers that are vulnerable to (the) exploitation have been identified within the State Department networks, (as well as) various state and local government networks, such as Lewisburg, Tennessee, the Township of Ocean in New Jersey, and Paducah, Kentucky," the report says.

Falkowitz said political campaigns in particular should immediately stop using the software and instead rely on email systems run by Google or Microsoft, which have huge security operations designed to protect their users from hacking threats.

"These are the types of things that nation states really take advantage of," he said.

Exim is a free "message transfer agent" developed at the University of Cambridge for use on Unix systems connected to the Internet. In 2019, a vulnerability was discovered that would allow hackers to take complete control of a user's server. A patch was distributed to fix the flaw, but there is always a percentage of users who fail to patch their systems.

On May 28, the NSA issued an unusually explicit public warning that a Russian hacking group dubbed "Sandworm" — identified by the U.S. and U.K. as part of the GRU, Russia's military intelligence agency — has been targeting Exim.

The NSA noted that many users had failed to patch their systems, leaving a flaw that gives hackers "pretty much any attacker's dream access."

Before that warning, analysts at the cybersecurity firm RiskIQ did a scan of open internet ports in early May and found more than 900,000 Exim web servers running older versions of the software that were vulnerable, according to a report by the firm.

Area1's report lists seven members of Congress whose campaigns are using Exim software. If they were using it before the patch was issued, attackers could have gained access to their networks and could still have that access, Falkowitz said.

One of them, Rep. Jim Banks, R-Ind., serves on the Intelligence Subcommittee of the Armed Services Committee. A spokesman for Banks said his campaign's software was patched and no longer vulnerable, but that it is moving email operations to a Google server to be safe.

"We're 150 days from the election," Falkowitz said. "People need to take this seriously."