Domestic and foreign cybersecurity threats surrounding the 2020 election

Digital Shadows released its latest research examining foreign threats to the 2020 US presidential election. After infamously compromised elements of the 2016 Election, connected to malicious actors linked to the Russian state, Digital Shadows has uncovered further evidence related to similar efforts this year:

1. The Russian state is among the most successful actors when it comes to digital disinformation campaigns

Russia’s attempts at broader political influence overseas have been facilitated by its use of state-owned traditional media, bots, “hack and leak” operations, and cooperation between organized crime groups and Russian government agencies. Operations uncovered by US and UK intelligence communities can be linked to Russia’s Foreign Intelligence Service (SVR) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), two institutions that have a history of anti-democratic actions.

Russia’s Internet Research Agency (IRA), which allegedly takes its direction from the Kremlin, has been primarily responsible for this interconnected “carousel of lies,” as one former member of the IRA described it. In many cases, the fake news stories they spread are more appealing to Americans due to pop culture references, pictures, and cartoons. In September 2020, it was reported that Facebook had taken down groups and accounts that were affiliated with the deceptive news organization, Peace Data, but not before hundreds of stories were shared on Facebook.

Far-right conspiracy group QAnnon, have also found ways to propagate false information to attract followers. Russian cybercriminals were hard at work, helping push QAnon conspiracy theories.

2. Iranian cybercriminals are likely focusing on online influence operations leveraging social media.

William Evanina, the United States National Counterintelligence and Security Center (NCSC) Director, recently named Iran as a “top three” threat to the election. Digital Shadows says Iranian cybercriminals are likely focusing on online influence operations, including social media disinformation campaigns and promulgating anti-American content. These operations were evident in a report issued by the United States Department of Justice (DOJ) in early October, confirming that Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted the US from multiple separate domains with Iranian propaganda to influence US domestic and foreign policy.

3. Actors linked to China are attempting to sway public opinion through Twitter and YouTube by spreading information that reflects on China favorably and which highlights controversies in the United States.

Earlier this year, cybersecurity teams at Twitter and Google observed a broad campaign from Chinese cybercriminals that overlapped on several social media platforms, primarily on Twitter and YouTube. On Twitter, the compromised accounts spread geopolitical narratives favorable to the Communist Party of China (CCP) and pushed reports about the political dynamics in Hong Kong.

4. The intelligence community warns that adversaries’ attacks focus on advancing the candidate that they perceive to best align with their national interests.

State actors have been observed sending spearphishing emails to the respective campaigns’ employees, attempting to access internal networks and confidential information. It was observed that Russia’s “Fancy Bear” (aka APT28) attacked more than 200 organizations, including political campaigns, advocacy groups, parties, and political consultants. “Judgement Panda” (aka APT31), a Chinese state-associated APT group, attacked email accounts of some high-profile individuals from the Democratic (Joe Biden) campaign, and “Charming Kitten” (aka APT35), an Iranian state-associated APT group, made multiple attempts to attack the personal accounts of individuals associated with the Republican (Donald Trump) campaign.

"There is a serious concern with the development of cyberattacks and ransomware campaigns that may seek to target networks and machines critical in running US elections, primarily since nation-state attackers have already conducted surveillance operations on infrastructure that could impact the day of the US election," writes Austin Merritt, Cyber Threat Intelligence Analyst at Digital Shadows.

In the coming days, says the author, disinformation campaigns may attempt to play on voters' fear, uncertainty, and doubt (FUD), even more so during the pandemic as more Americans are voting via mail-in ballots and absentee ballots than ever before. As a result, the election results may remain unknown for days or even weeks by some experts' predictions. Cybercriminals may attempt to spread false information regarding voter suppression and the launching of attacks on infrastructure, voter or ballot fraud, and other problems intended to convince people of the elections' illegitimacy.

In addition to these foreign threats, possible threats to the election and to the electoral process include, but are not limited to, cyberattacks, information warfare campaigns, reputational threats and physical threats.

According to Netenrich's Threats Surrounding The 2020 Elections, recent examples of these threats include:

Campaign app misuse: The Official Trump 2020 app also experienced security related issues. In June, the app’s Android APK files exposed hardcoded secret keys associated with its Twitter and Google services. Researchers also found that the app collects large amounts of data, which includes tracking users. The Android version of the app requests a large amount of data including but not limited to access to user contacts and location, phone status and identity, the ability to read and delete SD card contents, permissions to view network connections, and permissions to prevent the phone from sleeping. In addition, users must provide their name, phone number, email address, and zip code at signup.
Violent or disruptive actions: Considering the recent protest culture and ensuing riots over political and ideological stances, such as the Black Lives Matter protests, anti-police demonstrations, and Antifa riots, the potential for physical disruption at polling locations must be considered. Disruptions by activist or domestic terror groups may include physical attacks or intimidation targeting election workers or voters, otherwise peaceful protests that block voters from accessing the polls to vote, disruptive demonstrations or riots causing destruction, or other events orchestrated to hinder or intimidate voters.
Smear campaigns: The DNC also reportedly used information related to a meeting at the Kremlin to try to tarnish Trump. Likewise, Trump leveraged disputed reports of Hillary’s campaign finance records and of her alleged misuse of official email during her tenure as Secretary of State as “evidence” of his claim that she was unfit to run as a presidential candidate.
Fabricated media: Deep fakes and other synthetic media can be used to fabricate “evidence” to convince a target audience that a candidate or other individual did or said something that is scandalous or potentially damaging to their reputation, thereby affecting their candidacy for an elected or appointed position.

For more Digital Shadows findings, please visit https://www.digitalshadows.com/blog-and-research/foreign-cyber-threats-to-the-2020-us-presidential-election/

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.