
Hacking the Elections


The issue of cybersecurity has surfaced prominently during the current United States election cycle — not merely in terms of driving policy debates between the candidates, but more broadly as outside actors have attempted to influence the outcome (and raise doubts about the credibility) of the electoral process itself.

The United States Intelligence Community recently took the unprecedented step of publicly accusing a foreign government, Russia, of attempting to tamper with the elections through a possible sophisticated information operations campaign. This campaign has resulted in several leaked caches of private e-mails and party documents on websites like WikiLeaks and DC Leaks. These leaks have dovetailed with separate reported incidents of hackers targeting, and potentially gaining insider access to, state voter registration systems. Though the degree to which the targeting of those state voting systems is the product of state-sponsored campaigns remains unclear, these disparate cyber campaigns are nonetheless having second-order effects on the overall election.

WikiLeaks continues to plague the DNC

WikiLeaks founder Julian Assange continues to claim objectivity and transparency in his reporting; however, recent events have shown that WikiLeaks may be a pawn — witting or unwitting — that has been leveraged by the Russian government as an outlet for stolen information damaging to the Democratic National Party. In the lead up to the presidential election, Hillary Clinton and the DNP have become repeated targets of leaked documents. In July, WikiLeaks released 19,252 emails and 8,034 attachments from various members of the Democratic National Committee as part of a “Hillary Leak Series.” The site included boolean search functionality to allow visitors to parse through the emails of the DNC.

On October 4, 2016, Assange announced via video feed that he would publish significant materials pertaining to a number of issues — including the U.S. presidential election. WikiLeaks planned to publish material over a 10-week period as part of a 10th anniversary celebration. From his political asylum at the Ecuadorian Embassy in London, Assange announced that “all the U.S. election-related documents [will] come out before November 8.” However, Assange’s plans to influence the elections have been hampered by pushback from a variety of countries.

WikiLeaks’s continued provocations against the United States’ Democratic Party have likely led the Ecuadorian Embassy to restrict Assange’s Internet access. In an official statement, Ecuador defended its decision as a sovereign state, claiming that Ecuadorian officials were not motivated by international pressure. Although Assange’s Internet access has been severed, WikiLeaks continues to publish materials from the Democratic Party and several politicians aligned with Hillary Clinton’s presidential campaign. Russian influence campaigns have not been limited to WikiLeaks; they have also extended to other sites posting leaked documents, such as DC Leaks and Guccifer 2.0.

Guccifer 2.0 injects himself; suspicions of state-sponsorship

While WikiLeaks insists that it does not know or disclose the identities of its sources, a would-be “independent” hacker dubbed “Guccifer 2.0” claims to have provided WikiLeaks with a significant amount of data, including a cache of documents reportedly from the Clinton Foundation servers. It is unclear how Guccifer 2.0 obtains his or her information, though it is likely through a variety of techniques, including hacking, open source research and document fabrication. While Guccifer 2.0’s sources are debatable, the hacker has indeed been effective in launching an information and propaganda campaign that has, at least to some degree, disrupted the course of the U.S. election.

The moniker “Guccifer 2.0” appears carefully chosen to distance the actor from the tinge of Russian state sponsorship. The original “Guccifer,” Romanian hacker Marcel Lehel Lazar, was sentenced to seven years in prison in September 2016 for hacking into the email accounts of a number of celebrities and politicians, including Colin Powell. Though the name “Guccifer” was likely meant as an allusion to the Romanian hacker because of shared political targets, it also provided Russia with a cloak of plausible deniability. Like his predecessor Lazar, “Guccifer 2.0” also claimed to be an independent Romanian hacker, providing another layer of separation from Moscow.

United States Government Responds

On October 7, 2016, the Office of the Director of National Intelligence (ODNI) released a statement announcing “the U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations.” The tactics recently employed by WikiLeaks, DC Leaks and Guccifer 2.0 were noted for their resemblance to similar campaigns employed against democracies in Europe and Eurasia.

For its part, Russia has vehemently denied any links to the attackers and has aggressively turned blame back on the U.S. and its “flawed” electoral process. This response, however, is consistent with Russian deception and propaganda campaigns.

The U.S. seems to be considering options for a possible reprisal. At a press conference following the ODNI’s statement, the White House announced that it would consider a proportional response to Russia’s cyber attacks. Press Secretary Josh Earnest did not disclose the specific methods of retribution, though sanctions and retaliatory responses are potential options. Any response will likely take precautions not to incite further escalation.

Targeting voter databases

Aside from the various political-influence campaigns, the FBI has confirmed that malicious actors have been scanning and probing state voter databases for vulnerabilities. Though the actors were operating on servers hosted by a Russian company, those attacks are not, for the moment, being attributed to an actual Russian state-sponsored campaign.

This malicious activity is not surprising, as voter databases tend to also be lucrative targets for cybercriminals for a variety of reasons. Flashpoint has observed that a number of voter databases have been advertised for sale on numerous Deep & Dark Web forums. These databases typically contain millions of records of personal information. It is unclear if these databases were carefully targeted or a matter of opportunity.

While the information within these databases is considered public, malicious actors can still exploit it for a variety of illicit activities. Crimes may include phishing attacks and doxing, which can lead to identity theft. Cybercriminals can use stolen personal information for targeted phishing attacks and social engineering schemes to gain access to more sensitive information, such as banking credentials. Because voter databases aggregate so much personal information in one place, they are potentially lucrative targets. While state-sponsored actors and hacktivists are traditionally politically and strategically motivated, cybercriminals are most often associated with attacking targets of financial opportunity.

Final Notes

The FBI’s alert was part of a cautionary report recommending that state election systems reinforce their security measures. FBI Director James Comey noted that the malicious activity took place in the voter registration databases, not the election voting system. The ODNI noted that due to the decentralized nature of the voting system and state and local protections, it would be difficult for a state actor to alter ballot counts or election results.

The U.S. election landscape is made up of approximately 9,000 different state and local jurisdictions, providing a patchwork of laws, standards, processes, and voting machines. This environment is a formidable challenge to any actor — nation-state or not — who seeks to substantially influence or alter the outcome of an election. Doing so would require mastering a large number of these disparate cyber environments and finding a multitude of ways to manipulate them. An operation of this size would require vast resources over a multi-year period, and it would likely be detected and countered before it could come to fruition.

Russia can most likely achieve a more reliable outcome with fewer resources not by attacking the election infrastructure directly, but rather by organizing a disinformation campaign attacking confidence in the election itself. This approach is more consistent with Russian tactics employed in Eastern Europe. This logic also seems to be echoed in the latest Guccifer 2.0 message posted on November 4, which alleges that U.S. Federal Election Commission (FEC) “software is of poor quality, with many holes and vulnerabilities.” As a consequence, Guccifer 2.0 has warned “that the Democrats may rig the elections… I also call on other hackers to join me, monitor the elections from inside and inform the U.S. society about the facts of electoral fraud.”

Notwithstanding these allegations, vote tampering during the upcoming election is highly unlikely, and confidence in the U.S. voting system will remain strong. Awareness of possible state-sponsored disinformation campaigns helps to dispel their influence over the outcome of the vote. Further, our federated and heterogeneous national voting systems help to protect the electoral process in the face of foreign influence campaigns. The resilience of our election system currently rests on the plurality and structure of the current systems, but as information technology continues to connect more devices to the Internet, this may not always be true for future elections.

About the author: Ian W. Gray

Ian W. Gray is a Senior Intelligence Analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is a military reservist with extensive knowledge of the maritime domain and regional expertise on the Middle East, Europe, and South America. As a Veteran Volunteer, Ian supports The Homefront Foundation, a non-profit that helps veterans and first responders share their experiences through focused story-telling workshops. His insights and commentary have been featured in publications including Wired, Christian Science Monitor Passcode, ThreatPost, TechTarget, The Washington Examiner, Cyberscoop, The Diplomat, and others. He holds a bachelor’s degree in Middle Eastern Studies from Fordham University and a Master of International Affairs degree from Columbia University.