A Cybersecurity Operative Explains Election Hacks

We are now one week from Election Day.

In recent days, multiple reports have emerged suggesting that Russia and Iran seek to influence the outcome of the process. This is, of course, an especially fraught situation, because that is more or less what happened in 2016.

To get a better sense of the current threats, and what’s being done to thwart them, we spoke to a veteran cybersecurity expert — let’s call them “X” — who has worked on multiple election cycles and is currently working to protect the election infrastructure and processes of a major American city. (We’ve granted them anonymity to speak candidly, but they declined to identify specific threats to the system.)

Below, X discusses in their own words what it’s like to combat an attempted election hack in real time, from the “war games” their team uses as preparation to the minute-to-minute processes they’ll be executing on Election Day itself. Their responses have been condensed and edited for clarity.

Honestly, the information operation domain is too vast and complex for any single election board to be able to defend against. Insofar as cyberattacks and technical attacks, a major challenge in the United States is that small rural counties run their own elections and they are not getting enough support from the state or the federal government. That leaves them very vulnerable to technical attacks.

One of our biggest concerns is undermining confidence in the election process. In the current environment, where everyone is willing to buy into a conspiracy theory, what is the likelihood that people will trust the results of this election? What if this was the first election where, say, Illinois swings from Democrat to Republican, and Trump wins a majority? How many people would think this is a result of a cyber attack?

The biggest vulnerability we have in America has to do with misinformation. It’s the mental state of its citizens and voters, far more than the election process itself. It’s much easier for today’s electorate to believe things about the other side than it was four or 12 years ago.

Honestly, we worry more about the perception of lack of integrity than about actual integrity. I worry about information that would dissuade people from casting ballots — a cyber attack that would, for example, stop the climate control system in a polling station, which would prevent people from casting ballots on time. Anything that would impact either the vote-casting process, discourage people from going to vote, or making the general public distrust the results.

We think there’s more activity from Russia and Iran coming, at this point. Attribution is always a low signal, but this is the signal we have. According to the threat intel we have — which is impossible to validate — with Iran, you have a lot of hacktivists who are inspired on their own to do something, but you also have the people who work for the government. Identifying them is quite obvious; they don’t work on Friday, for example. You see a lot less activity on Friday.

In the case of Russia, it’s much more of a federated system. You see a lot more attackers who do it for profit but also are willing to take a job or two for the government in return for being allowed to operate without any repercussions.

There are two general categories of detection. Most of it is automated detection. It all happens so fast, it has to be automated. Then we have what we call threat hunting, where you have analysts who sort through information about attack tactics that were not known [at the time of their initial deployment]. Perhaps we find out that type of attack was going on for the last two weeks and we didn’t know about it. If the tactic is new to us and has been around for two weeks or a month, we need to go back and look at our logs, to make sure that this attack doesn’t happen in our environment. Threat hunting detections are very rare because we have things buttoned down much better than [during the last election].

There’s a very rapid evolution to these attacks. For example, recently they’ve been able to use Google docs as a vector. A month ago, we didn’t see that. That’s an evolution of attacks that worries us because a lot of people, when they see a Google doc link, think they can just follow it. But there are always new ways to attack, new vulnerabilities.

Other vectors include really clever catfishing [1] and spearphishing [2], but that’s nothing new. We see a lot of situations where attackers try to get you to go to a site that you think you know, but is not in fact the real site. Watering hole attacks [3] take over the source and add malware to the site and when you go to that site, you infect your computer. We’ve seen a lot of that.

GLOSSARY

1. Catfishing: A scam where someone, the “catfish,” creates a fictitious online identity and seeks out online relationships. (FindLaw)

2. Spearphishing: An email or electronic communications scam targeted towards a specific individual, organization or business. (Kaspersky)

3. Watering hole attack: A security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. (TechTarget)

Everyone is being targeted. Whatever sticks, sticks. Attackers have figured out the psychology regarding how users behave. For example, if you send the phish in the first half an hour after lunch, there’s a much higher chance of that phish being clicked than if you send it at 11 a.m. There are patterns for people paying attention and patterns for people not paying attention.

We have not seen any attacks on a poll box or a system that tallies the results. It’s early still, and I hope it stays quiet, but there are just a lot of new protections that most attack groups would expect if they go that far. That’s probably part of why no one is attempting that. It’s also much harder to do it. I can only imagine how US Cyber Command or the NSA would respond.

So far, we’re not seeing targeted threats. We are, however, seeing financially motivated attempts, things that could lead to a ransomware event [4] or a denial-of-service event [5]. We’re seeing a lot of identity theft-type attacks. But honestly, on the perimeter security side [6], these things happen so often, it’s impossible to track and to differentiate unless you have a piece of threat intelligence — such as, say, IP addresses associated with a Russian attack group or a domain associated with North Korea or Iran.

4. Ransomware: A type of malware that denies access to your system and personal information, and demands a payment (ransom) to get your access back. (CrowdStrike)

5. Denial-of-service (DoS) attack: When legitimate users are unable to access information systems, devices or other network resources due to the actions of a malicious cyber threat actor. (CISA)

6. Perimeter security: Preventative measures designed to protect entry points to a network, comprising systems like firewalls and browser isolation systems. (Techopedia)

You can think of every attack as a mission. Organized attackers know what their missions are, but it is difficult for us to know what the mission is prior to them completing the cycle. We, of course, cannot possibly let attackers get away. If we are able to track them, we would never let them go all the way to the point where we actually ascertain their mission targets. I can tell you, in general, some attackers have an information collection objective. Some are interested in getting a payday or are financially motivated. They try to either sell data or make this data unavailable to you through ransomware, or extort you: We’re going to publish this data if you don’t pay us…

If we’re familiar with the threat group, we can surmise what they are looking for based on their history. But there is no reason why they would not decide to change their playbook. The attack process has been commercialized. There’s an active marketplace, with many different types of targets. You could be attacked by something like DoppelPaymer, for example, which is a group that normally does ransomware and recently compromised an election board in Georgia. But attribution is for the most part very untrustworthy. I know there’s a lot of commercial companies out there that try to say, “Well, this was APT 30” [7] or whatever, but when you dive deeper, you find that they base it on very low signals [8]. It’s very hard to ascertain these things.

7. APT 30: An advanced persistent threat group most likely sponsored by the Chinese government.

8. Signal: Refers to any data set that provides evidence for the origin of an attack. Low signals, says X, mean the underlying information is unreliable.

I personally don’t trust the methods used for identifying the origin of attacks, because they are based on very low signals. If you are able to tell, for example, what IP address set they are coming from, or if, when you reverse engineer the malware, you see what appears to be the native language of the people who coded this malware, you might be able to see what the time zone was set in the computer that compiled it. That’s a whole bunch of signals. Attribution makes for marketing excitement, and this is why a lot of companies engage in it. But from where I stand, once I stop them, I don’t need to know who the attackers were.

We’ve seen fewer than 10 serious attacks over four months. Serious means a payload is executed. Someone sends you a phish and you click on it, then something executes on your computer. That’s a serious problem because it needs to be contained immediately.

The closer you get to an important event, the fewer changes you will make to a system. In elections and others, you can only introduce new preventative measures until the event becomes so nearby. At that point, you switch to observation and protection mode. You identify, you prevent, you detect, you respond and you recover. That’s the cycle.

As we get closer to election day, and then certification of the results, we do a lot of war gaming. You bring in a lot of smart people to the table to discuss potential attacks, to identify technical, administrative or other types of vulnerabilities, and how to fix them.

As we get closer to election day, the nature of the attacks don’t change, but the volume increases.

The odds for a cyber technical attack affecting the final vote are very minimal. An information operation, however, has a very good chance of affecting the final vote — either by discouraging people from going to the polls or making people change their mind about who to vote for.

But we’ve seen the level of vigilance today on the information operation side is much, much higher than it was in 2016. Night and day. There’s a lot of eyes on it because people who care about elections know that this is where the fight is at. It used to be we’d hear that Twitter turned off 3,000 fake accounts, right? Today, when Twitter turns off one account, we know about it.

There is no particular scenario regarding the next seven days that keeps me up at night. The scenarios I can imagine already have enough conditions in place to deal with them. They will be painful, but they don’t keep me up at night. My biggest concern is something that we didn’t think about, that will come up as a new vector of attack, and suddenly everyone is surprised and unprepared. Adversaries seem to be a lot more creative than the defenders in this case, generally.

A successful attack would look like network infiltration, whether it’s through a stolen username and password, or a phish, or whatever. Someone lands in a workstation, and the group turns off the defenses of the workstation and therefore suppresses alerts. They make their way into the network until they find, for example, voter rolls, and then either eliminate a whole bunch of people from the voter rolls, or just cause chaos. That would not be a gigantic attack, but it would still create enough trouble that people would question the results. This is not the worst-case scenario, but it’s a bad enough case scenario that I would never want to see it.

What’s so important is that you need to evaluate information without introducing your biases into the process. Keep a cool head. Try to differentiate between fiction and reality. Know that your vote is going to be counted properly and it’s not going to be modified. That’s what I would tell people.