
Late-game election security: What to watch and watch out for

News Analysis
Oct 15, 2020, 6 mins
Critical Infrastructure, Ransomware, Security

Despite disruption of the Trickbot botnet network, last-minute leaks of stolen documents and post-election undermining of trust in the election system remain big concerns.

As we head into the final inning of what has been a dramatic US presidential election season, it’s clear the country has so far been spared the kind of high-stakes hacking and disinformation campaigns that marred the 2016 election. Still, US intelligence and cyber defense organizations are on the lookout for last-minute ransomware attacks, private sector partners have joined that effort, and social media companies appear to be clamping down on disinformation operations.

The most striking evidence that the US may be better prepared than it was in 2016 is the extraordinary action taken by US Cyber Command (CyberCom) against the Russian-language Trickbot botnet, which is used to deliver malware, including ransomware, and which Russian military intelligence has reportedly leaned on for plausible deniability. Following a scoop by journalist Brian Krebs that an unknown actor was disrupting Trickbot, news leaked over the weekend that CyberCom was behind the disruption.

CyberCom’s goal was to thwart possible ransomware attacks on selected or strategically important jurisdictions. The military cyber arm might also have been pushed into action by a Trickbot-enabled ransomware attack on top healthcare provider Universal Health Services (UHS), which was forced to take its IT systems offline across its roughly 400 facilities after Ryuk ransomware locked them up.

CyberCom was not the only party going after the Trickbot operation, though. A parallel but independent effort to dismantle Trickbot was underway by an international coalition of telecom providers and tech organizations led by Microsoft. Tom Burt, corporate vice president of customer security and trust at the software giant, offered details of this Trickbot takedown attempt in a blog post in which he reiterated that “ransomware is one of the largest threats to the upcoming elections.”

Microsoft and its partners pursued a legal route to get at the Trickbot infrastructure, successfully arguing in the US District Court for the Eastern District of Virginia that many of the servers used by Trickbot abuse the company’s trademarks. The court granted Microsoft’s request to disable the IP addresses of those servers, take their content offline and suspend the services used by the operators.

Neither CyberCom nor Microsoft believe they have taken down Trickbot permanently. “We fully anticipate Trickbot’s operators will make efforts to revive their operations,” Burt wrote. Still, the parallel strikes against one of the world’s largest botnets likely made a big enough dent to limit the damage Trickbot can do before election day.

Swaying voters and sowing doubt

What kinds of digital or disinformation damage can foreign threat groups inflict at the eleventh hour, if any? The US should look out for two types of threats, FireEye’s director of intelligence analysis John Hultquist explained in an industry briefing. The first are “late game” events designed to sway voters.

These are “threats that are dramatic by nature and designed to shift voting patterns and change different perceptions of voters in a way that may actually affect the election,” he said in an online presentation, referring mostly to hack-and-leak operations carried out by Russian, North Korean and other threat actors.

The second type of attack that could still strike the US is aimed at creating lingering problems long after election day is over. “There are sort of these lingering threats that go beyond election day that are really designed to undermine the confidence in our election system,” Hultquist said.

He cites the example of the Russian state-backed hacking group APT29, better known as Cozy Bear, gaining access to Ukraine’s election system in 2018 and posting the wrong election results. The intrusion didn’t change the real vote tally but it did sow seeds of doubt about the system.

Likewise, Sandworm, Unit 74455 of Russia’s military intelligence arm GRU, targeted Ukraine’s election systems in 2016 and caused no real harm other than to raise doubts about those systems. “What we’re concerned with is that somebody will do something noticeable, or noticeable enough that people will start talking about the integrity of the system at large. That’s what really worries us,” Hultquist said. “These sorts of questions go on for a long time.”

Beware last-minute leaks

Another concern Hultquist has is some kind of hack-and-leak operation dropping at the last minute, depriving the opposing party of sufficient time to respond. This tactic was deployed by Russian hackers with the so-called Macron Leaks during the 2017 presidential election in France. In that situation, Russia’s APT28, better known as Fancy Bear, also associated with the GRU, leaked 20,000 emails right before a 24-hour media blackout before voting took place.

“They officially dropped this leak right before the blackout period. The purpose behind that was so the story couldn’t be unwound by the other side,” Hultquist said. “Our concern is that something of that nature could happen.”

Another operation Hultquist has seen that is well suited to last-minute malfeasance involves planting stories on websites and backing them up with forged documents and doctored images. “They’ll forge a fictitious document or they will photoshop an image,” he said. “In one instance they photoshopped an image of German soldiers desecrating Jewish graves in the Baltics. They wrote an article about it and used the [image] to back up the article and they placed it on a website.”

Russia is the main threat actor

Despite the administration’s saber-rattling over China and Iran, it’s Russia that most concerns Hultquist. “They are probably the most aggressive actor [and have] the longest history of successful large-scale cyberattacks of different kinds. Compared to the other actors, we just don’t have the same level of concern.”

Hultquist acknowledged that ransomware attacks are a concern but doesn’t see the current ransomware operators causing much of a problem. “It’s certainly possible. These are criminal operations that are hit or miss … there could be some incidental operations that could have an effect on some operations.”

Russia is also responsible for the largest fake ransomware operation in history, the NotPetya attacks of June 2017, in which destructive malware posing as ransomware wiped systems with no real prospect of recovery. Russian actors have repeatedly used fake ransomware as an attack tool, he said, but even fake ransomware is not a top-of-mind concern for Hultquist. “Do we think that some fake ransomware attack will have an effect on the outcome of the election? No, I don’t.”

The best way the US can prepare for last-minute attacks on the election is “to calmly and clearly call out what’s happening when we see it,” he said. “I think we have a responsibility to talk about what’s happening and to make sure that information gets out there. And then we have to discuss the limitations of that activity. The biggest limiter is our recognition that somebody on the outside is trying to manipulate us. If we recognize that, we can really inoculate ourselves.”