On October 21, the FBI held a press conference alerting U.S. citizens about new details concerning nation-state interference with the upcoming U.S. elections. According to news reports, attackers have gained access to stolen voter registration data and are using it to confuse and even potentially intimidate voters. Director of National Intelligence, John Ratcliffe said, “This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos, and undermine your confidence in American democracy.” These are serious charges.
If we learned anything from 2016, it’s that nation-states, criminal organizations, and other malicious actors view infiltrating and disrupting elections as a brass ring and are continually looking for ways to make their mark. The recent U.S. indictment of one nation-state group shows the disruption these groups can cause.
The cyber attacks of the last presidential election primarily manifested in the form of disinformation campaigns. But as we’re already seeing, in 2020, the goal of disruption and chaos will play out with greater intensity — and it will last well after Nov. 3. In addition, the continued lack of consistent regulations guiding voting and security across States, counties, towns, and even local polling precincts is exacerbating this issue.
The CyberArk Labs team has been closely monitoring the events leading up to the U.S. election. Based on analysis of ongoing attack techniques and the inherent vulnerabilities in government and voting infrastructure, here are five ways we think attackers could seek to disrupt this year’s election, both directly and indirectly.
1. Social Engineering on the Rise
According to the Verizon Data Breach Investigations Report, social engineering attacks are increasing year-over-year and more than 80% of all data breaches tied to hacking involve the theft and use of stolen credentials.
Attackers use social engineering attacks to target individuals in hopes of stealing their credentialed access to systems and data. The recent Twitter breach was a prime example of this: attackers targeted a small set of employees with a coordinated social engineering campaign which resulted in stolen credentials being used to gain unauthorized access to an administrative tool that led to the compromise of high-profile accounts. This included the democratic presidential nominee, Joe Biden.
While attackers will certainly be looking to infiltrate those close to each party, the threat goes much farther than a campaign team or the nominee themselves. State and local governments that are charged with holding and protecting elections will also be attractive targets. It only takes one compromised account for an attacker to potentially breach an organization’s entire infrastructure.
2. Targeting Volunteers and Campaign Staff to Become Privileged Insiders
Identity-centric attacks will most likely be used on election volunteers, including polling staff. While campaign staff are always targets, you don’t need to breach a John Podesta to damage a campaign. Every staffer, every volunteer and every contractor connected to the campaign has the potential to become a privileged insider based on the data or applications they have access to.
Attackers know this and will look to exploit this privileged status – targeting these individuals with social engineering attacks to steal their insider access. With this level of access, attackers can exfiltrate ‘compromising’ material and information, use their status to disseminate disinformation across trusted channels like social media and email, or even lock down campaign operations through targeted malware and ransomware attacks.
The same concept applies to the more than estimated 460,000 poll worker volunteers expected at precincts across the country this year. While volunteers do not necessarily have access to election infrastructure itself, they are likely provided access to the networks at polling places for their phones, laptops, and other devices. Targeting a volunteer’s personal device could provide an easy backdoor for attackers to infiltrate the network, elevate privileges and move laterally into a network to launch ransomware or similar attack on a polling precinct. This massive drive for poll volunteers is also ripe for a bevy of online scams and fraud activity. Anyone signing up for volunteer status should only do so through reputable sources.
3. Targeted Attacks on Critical Infrastructure to Cause Chaos Pre- and Post- Election
Atlanta. Baltimore. New Orleans. Three U.S. cities that had civic operations ground to a halt in the last year due to massive ransomware attacks. A coordinated attack of this nature timed for election day could cause widespread chaos – from shutting down public transportation and making it harder for voters to get to the polls, to crashing phone systems to prevent voters from asking questions or volunteers from reporting results. Targeted attacks of this nature, focused on battleground states, might suppress critical votes that could change the very outcome of the election.
Post-election scenarios are grim as well. Targeted attacks on state and local agencies overseeing the election may postpone result totals from being reported, or worse, from being trusted. Given the contentious nature of this year’s election, attacks on critical infrastructure like the energy grid or water treatment facilities could amplify social unrest and further cause chaos during the transition period.
4. U.S. Election Databases
The myriad problems with election infrastructure are well known. Last year, it was discovered that attackers were able to breach election databases in two counties in Florida in 2016. The attackers used the typical phishing approach to trick unsuspecting workers, stealing access to the networks.
Voter registration databases that collect state-wide voter records present a good opportunity for attackers to target. Typically connected to networks to facilitate record sharing, attackers might look to infiltrate these databases to manipulate the data that they hold. By doing so, threat actors could perform simple functions like changing registration information in targeted districts to make it more difficult for people to vote.
And while absentee, mail-in ballots are broadly considered secure, the push to allow for broader mail-in voting opens up new possibilities for malfeasance. The actions of changing voter information may alter where eligible ballots are delivered, delay delivery, or otherwise impinge the process.
5. New Types of Disinformation Campaigns Emerge
The social media-based disinformation campaigns of 2016 were well documented and are expected to continue to amplify as we get closer to the vote in 2020. These tactics could be amplified by targeting trusted sources – like prominent politicians or news personalities, the candidates themselves or their staff, or even local politicians and elected officials to push propaganda.
As we saw with the Twitter hack and subsequent crypto-scam earlier this year, no channel is safe. Identity-centric attacks designed to steal access to social media profiles could be weaponized to spread disinformation at the most inopportune time. While candidate disinformation may be more easily dismissed, attackers could subvert these trusted platforms to push misinformation like polling locations, polling times, and election results before polls close impacting voters everywhere.
Combine these attacks with the growing use of deep fakes – which are manufactured media in which existing images or videos are maliciously edited – and the opportunities for disinformation have never been greater.
We should expect attackers to continue to target government agencies and websites as an avenue to push misinformation. Organizations like the CDC could be targeted to promote COVID-19 related disinformation on or before election day. Attackers, for example, could potentially suppress in-person voting by releasing false information on COVID outbreaks in targeted counties or push public opinion in direction of one campaign or another by promoting false vaccines, outbreaks, or more.
Disinformation attacks could also provide false voting information for both mail-in and in-person ballots, release fake election results early to inhibit continued voting and more.
Protecting U.S. Elections Starts with Securing Privileged Access
Many of the attacks mentioned above have been battle-tested by threat actors in the private sector. What we’ve learned from studying these attacks is that obtaining and exploiting privileged credentials is a top priority for attackers. Privileged access gives attackers the ability to reach critical systems, spread ransomware, exfiltrate sensitive information, compromise social channels, and more.
Securing the U.S. elections in 2020 and beyond requires a comprehensive approach that enforces Identity Security with a strong foundation in privileged access management. This can harden defenses against a fluid attack landscape, protect against evolving vulnerabilities, and minimize the ability for attackers to exploit the people associated with the campaigns.
To stay up to date on emerging attack techniques and research, visit the CyberArk Threat Research blog.