Singapore held its most recent general election on July 10 2020, and although they used the electoral system called first-past-the-post (FPTP), a scheme favored by the US, UK, and most English-speaking countries, the road leading to Election Day was not without challenges and obstacles.
While all voters used paper ballots (thus removing the exposure to risk that comes with using electronic voting machines), phishing attempts, disinformation, threats of hacking political parties, and other election cyberthreats were nonetheless ever-present.
In light of the ongoing COVID-19 pandemic and the election technologies we know could be abused in the wrong hands, we look at these and other potential election cyberthreats—past, present, and (if pervasive enough) future—that the security world has observed for quite a while now, so that informed voters can remain informed and hopefully continue exercising your right to vote whenever and wherever that may be.
Avid readers of this blog would know that we stress upon the importance of asking the right questions when it comes to deciding on what to do online, what to buy (and where), and which technologies to use. In this case, we’d like to know which election threats that we’d be facing and the ways we can protect against them or otherwise address them.
And in attempting to answer these, we first need to know what or who could be targeted during an election. This way, we’d also know what to protect and how. So, we ask—
To identify the threats we can likely see/face/observe during election period, it is important to identify an election’s critical assets, which will in turn aid us in recognizing and categorizing threats to these assets and to the election as a whole.
Election assets are:
Infrastructure. This pertains to places where polling is held, including storage facilities for elections and locations where election systems are physically set up. If we want to be granular, the US Department of Homeland Security (DHS) listed some of these as: voter registration databases and their associated IT systems, election management systems (for counting, auditing, displaying election results, etc.), and voting systems.
Materials. Pretty self-explanatory. These pertain to the objects used during the election process. For example, paper ballots or voter registration cards, pens, and indelible inks.
As of this writing, there have been no real or theorized election cyberthreats lodged against such materials. However, this doesn’t mean that no one has attempted to circumvent their use.
Take, for example, the use of the electoral ink. Its indelibility is a means to prevent constituents from casting more than one vote. With the ongoing pandemic, however, hand sanitizing before and after casting votes could impact the product’s effectiveness. Not to mention that there have been cases in the past where the ink used washed off easily and completely.
People and information. Although they are two completely different entities, we cannot really separate them. The people are the political candidates, their staff, and the parties they represent; the third-party organizations that are directly or indirectly involved in the elections; electoral officials and staff; and, of course, the voters. Under third parties, we can include software and hardware manufacturers. Information, of course, refers to all of the content these people share to the public, amongst each other, and within election systems.
Technology. Voting machines aren’t the only technology that countries use for and during an election. Political candidates have freely made use of printers, mobile phones, and the Internet to reach out and communicate with their supporters. Voting technology also includes systems that are used to efficiently manage the elections. Examples of systems are information management systems, election management systems, and yes, the machine’s operating system itself.
With these in mind, we can start identifying potential threats to these assets. Note that such threats can happen before, during, or even after elections.
Oftentimes, it is easy to pin down intent based on the kind of threat being carried out. A phishing email, for example, gives a clear indication that whoever is behind the campaign is aiming to gather something from their target—be it sensitive information or money.
In many cases, the phishing email carries with it a malware payload, or a link to its download location. The malware, once executed, then seeks and siphons out information back to its command center. But things don’t end here.
The malware could reside and remain undetected, allowing attackers to gain a foothold onto the target’s network. Sensitive data, credentials, and other information they may have gleaned can be used for their own benefit—from selling to the highest bidder, leaking to disrupt normal operations or call into question a victim's reputation, and—if some of the files seem personal enough—used to blackmail the victim to extort money.
When it comes to elections, one would likely assume that nation-state actors would interfere to tip the political scales in their favor. Other actors would insert physical disruptions to the otherwise normal election process, either to cover up their true intent—which is usually something more sinister than causing trouble—or “just because.”
There is, however, a solid belief among cybersecurity professionals that the main motivation behind election-fueled attacks is to sow distrust among voters against either their government, the electoral staff and their processes, or the technologies used in conducting the elections. It’s also possible that their aim is all of the above.
Now that we have identified what threat actors would likely target and why they would target them, we move to answering how threat actors would likely attack these targets. Here’s a comprehensive list of (potential) adversarial activities that has been observed (if not theorized) so far:
We already mentioned earlier that election threats can happen months before election day arrives. Suffice to say that while politicians and election administrators are busy planning and preparing for election day, expect that threat actors are doing the same. One of the more subtle (yet still nefarious) ways of interfering with elections in the run-up to election day is to manipulate the discourse to favor one candidate over another, or simply to cast doubt on the entire election process.
When one manipulates the discourse, one asserts "The Good Me" while also highlighting "The Bad Them." Unfortunately, we’re all too familiar now with the ways in which cybercriminals (and politicians alike) do this through disinformation, fake news, and computational propaganda.
Disinformation, fake news, and computational propaganda
Several forms of disinformation from all sides of the political spectrum have been around almost as long as politics itself, and certainly pre-date the Internet. Word of mouth and traditional media have helped amplify such campaigns.
With the Internet, and now especially social media, it is easier than ever to, say, cook up stories about what a certain politician purportedly said regarding a sensitive matter that would anger a certain group of people. This can even be accomplished in real time. According to The Global Disinformation Order [PDF], a paper from the Oxford Internet Institute, online disinformation campaigns have been on the uptick since 2017.
There are those who have no real affiliation with government and politics and merely want to earn easy money by targeting certain partisan groups. However, the cybersecurity industry has seen its share of serious organized criminals—often backed by their respective governments—that bank on disinformation campaigns and fake news to accomplish political subterfuge.
There are a number of reasons why governments and political parties spread disinformation, and the classic reasons are to:
It’s interesting to note that when it comes to conducting deliberate disinformation campaigns, our gut reaction is to point the finger at foreign nationals. There's certainly precedent. For one, Russia has a known history of spinning phony political stories since the 1920's.
But nowadays, Russia isn’t the only country engaged in such campaigns—or what others have started calling computational propaganda, which the Oxford Internet Institute defines as "the use of algorithms, automation, and big data to shape public life." Iran is expanding its online disinformation operations, as are at least 70 more countries. Among these, China has dethroned Russia to become the new king of disinformation.
And then, there is social media manipulation, wherein engineered content is deployed using social networking platforms, and the proliferation of computational propaganda techniques themselves. Threat actors both domestic and foreign have been copying and honing Russia’s disinformation methods from the previous election to influence the outcome of this year’s US general elections.
The Oxford study also asserted that although we have countless social platforms currently in existence, Facebook remains the platform of choice to spread disinformation and fake news.
While governments and groups continue to either point fingers or deny allegations, let's not forget that the recipients of such material can also amplify disinformation to their network, whether that's their intention or not. Some may judge the veracity of the material as legitimate. Others may question it but circulate nonetheless to kick off discourse. Either way, both efforts serve to circulate baseless claims and call into question what is the truth.
In one of our blogs about election systems in the vital Infrastructure series, we touched on how vulnerable elections could be, highlighting that although voting machines have been hacked successfully on many occasions, doing so at a large scale can actually prove more challenging than what was initially thought. To further complicate matters for potential hackers, not all states use the same voting machine make, model, and supplier. But that doesn't mean elections are safe from hacking.
Websites can also be hacked, too. Remember that news about the website of the Florida Secretary of State being successfully infiltrated via an SLQ injection done by an 11-year old? Okay, granted, the website was actually a replica of the real thing, but one can't but help think how potentially vulnerable these supposed critical websites are, especially when being accessed and interacted to by various people—including those with ill intent.
In the last quarter of 2019, McAfee found that swing state election websites aren’t secure from cyberattacks. For starters, the connections of these websites are problematic, as they don’t use HTTPS by default, making them far, far easier to infiltrate. Cybercriminals could make small but significant changes, like altering the websites’ content, that could cause confusion about the dates, locations, and times to vote or otherwise disrupt the election process.
Perhaps, on an even more dangerous note, hackers could do as little as _claim _to have compromised the site to sew seeds of doubt, casting a shadow over the efficacy of the democratic voting system and eroding the integrity of election results in that state.
Hacking is one of the many attacks on infrastructure that a state or country may encounter during a sensitive time like general elections. The act of infiltrating systems and infrastructures is also usually just the first step of a much larger campaign aimed at destabilizing government or other organizations.
For example, once an election or government site has been hacked, cybercriminals could use information and credentials to kick off a social engineering campaign. This could branch off to cyber espionage (which usually involves using malware), data theft, distributed denial-of-service (DDoS) attacks, and extortion. Come election season, attack campaigns would widen to include the possible interruption of ballots for their modification, deletion, or blocking (the act of blocking ballots from arriving to their supposed destination by threat actors).
Foreign spying has always been a challenge for governments, and it doesn’t just happen during the election season. Through the years, cybersecurity experts have investigated nation-state actors who had been involved in election-fueled espionage, particularly advanced persistent threat groups such as APT28, otherwise known as Fancy Bear; the Sandworm team; and APT40, otherwise known as Leviathan.
So far, persistent threat actors have infiltrated diverse targets during elections, from those on staff for a particular candidate or campaign to those responsible for administering ballots or distributing election materials. They are targeted for the sensitive information they have access to, but also for cybercriminals to familiarize themselves with the network’s infrastructure, so they can identity the locations housing critical information that they may use to their advantage.
Data theft is a known and given problem during the elections since there is a huge exchange of information going on within distinct groups: among constituents and the registration databases; chat, email, or phone conversations between or among political staff and candidates; and credential information of electoral staff and administrators among others. And one way of stealing such data is via phishing.
In 2017, then-presidential candidate for France Emmanuel Macron confirmed that his staff and party, "En Marche!" or "Onwards!," were targeted by several advanced phishing campaigns. However, no campaign data was stolen. And this is just one of the many "hundreds if not thousands" of attacks they received from locations inside Russia at that time.
Feike Hacquebord, a researcher from Trend Micro, confirmed these phishing campaigns with some emails containing a malware payload. He also noted that these attacks had telltale signs that connected them previous attacks targeting the campaigns of Hilary Clinton and Angela Merkel in 2016.
Perhaps the most notable political phishing story we can mention here is how President Macron’s campaign was able to turn the tide against the threat actors who were after their data. Led by Mounir Mahjoubi, the campaign’s digital director, they outplayed their attackers using a method called cyber-blurring or digital blurring.
This is a known diversionary tactic in the banking industry, and the Macron campaign used it to slow down and confuse hackers. They did this by deliberately creating fake documents—with some containing outright ridiculous information—accounts, and credentials and mixing them with real but otherwise uninteresting data. As a result, the attackers’ time was wasted, and the burden of proof to justify why they stole or leaked useless information was successfully shifted to the attackers.
Ransomware is seen as one of the big threats during the election season. Some might believe that by using ransomware, threat actors' primary motivation must be profit in the form of digital coins. In fact, security researchers have reason to believe that, just as with other attack methods and threats used during elections, threat actors are more motivated to undermine the confidence of the results, either at the local level or state level.
"If a ransomware hits an election system, you can pay the ransom or pay a consultancy service. You can restore the data, but you still have the damage done. You cannot undo that damage," said Lee Imrey, Cybersecurity Advisor for Slunk, in a candid webinar on election threats, "Because, even if you restore all the votes, you’ve lost confidence that the votes you’re restoring are valid votes."
Possible scenarios also include poll workers not being able to access voter information databases due to them being locked up, which could also happen with websites that post unofficial results on and after Election Day. Some files impacted by ransomware may not being able to reverse their encryption—remember that a notable majority of files affected by a ransomware attack are not typically 100 percent recovered. Finally, a ransomware attack could result in the possible deletion of voter databases and other sensitive data.
It is known that, like some organizations in the private sector, several local governments are ill-equipped to protect themselves from ransomware attacks. Not only do they lack the manpower, they also lack the in-house expertise needed to at least guide them on what to do before, during, and after such a devastating attack.
This is considered an electoral threat because of its high potential to take over high profile accounts belonging to individuals involved in the election proceedings or the politicians themselves with simple social engineering tactics.
Although we have yet to see SIM swap attacks against individuals who are related to the 2020 US General Elections, there is the case of Euridice Pamela Sanchez, an Associated Students Incorporated (ASI) President and CEO candidate for California State University/East bay (VSUEB), being SIM swapped days before ASI elections in March of this year. The still-unknown actor was able to delete all her 3000+ Instagram connections. Since all candidate campaigning is done via social media due to the ongoing pandemic, Sanchez couldn’t reach her supporters to continue her campaign. The attacker also compromised her family’s AT&T account and attempted to access her personal email.
We can only imagine the scale of damage this could cause if political candidates or poll officials—even those in lower positions who may not directly report to them—would become victims of SIM swapping at this crucial time.
DDoS can, no doubt, hinder an election process at any point. Take, for example, the cyber attack that affected the UK’s Labor Party’s websites during the 2019 general elections. Not only was the party hit once but twice over. The first attack failed, as confirmed by a National Cyber Security Centre (NCSC) spokesperson with the BBC.
A DDoS attack against websites also disrupted the voting procedures in South Korea in 2011. It was notable that a botnet attack from 200 devices happened in the morning, the time when the younger population of voters would be able to vote before they head for work. Investigators proclaimed that the threat actors were aiming for a low turnout of voters during this time, which in turn would have benefited the conservative party in South Korea.
Such attacks against this part of the election infrastructure could hinder candidates and their staff from accessing data they can use to plan on what campaigns to run in what areas and who they would be targeting to attempt to change their minds.
Deepfakes have come under the watchful eye of not just technology and cybersecurity experts but law enforcement as well. And why not? In the wrong hands—from nation-states with agendas tipping to their favor to naughty miscreants who just want to disrupt—it could turn the tides of any election cycle.
Many see deepfakes as another way to make disinformation campaigns more impactful and believable. But perhaps the good thing here is that, at this point in time, people are already familiar with this technology and are actually expecting a form of a politically motivated deepfake to emerge before Election Day, especially at the last minute.
But what really worries Kathryn Harrison, founder and CEO of the DeepTrust Alliance, an alliance devoted to fighting deepfakes and misinformation in general, is the emergence of something that is not a deepfake—a video, for example—of which its veracity cannot be verified. A candidate caught doing or saying something questionable could easily cry "Deepfake!" even if a video is truly legit. Researcher in deepfake circles call this conundrum Liar's Dividend.
Other foreseen worries include an authority figure reading out wrong elections results, some fake disruptions at certain polling stations, or miseducating constituents on how they can stay safe during Election Day.
For voters, it’s overwhelming to look at this lengthening list of election cyberthreats they might get affected by and feel they have so little time to prepare for to counter or protect themselves from. Fret not—most challenges on this list can only be addressed by governments in the state, local, and national level.
However, there are two things that voters must start doing (if they haven’t already):
Stay informed. Keeping apprised with the current news, especially those that touch on election cycles that are about to happen in your country or state, is one way of staying informed. And while it’s important to know what’s going on, it is equal if not more important to know credible sources of news you can refer to. Disinformation could be anywhere, and we must become smarter. With the elections drawing near, expect such campaigns to pop up in social media and other platforms.
Vote. Whether you feel like going to the polling station—wearing proper protection and following the recommended guidelines, of course—or you prefer to cast your vote via mail, please vote. The more people exercise their democratic right, the less likely electoral fraud can influence the overall outcome of the elections. It’s a numbers game, and we better make sure that the numbers weigh heavy on the side of an honest election cycle.
Good luck and stay safe!
The post The informed voter's guide to election cyberthreats appeared first on Malwarebytes Labs.