28/10/2024
CTI
Elections: a year of threats – Episode 4 | The American election
All shoots are fired.
The threat landscape cannot be understood without understanding the geopolitical landscape. This is even more true during elections, especially a major one like in November.
Like in 2020, the 2024 elections promise to be far from boring. National and international issues are intertwined in what seems to be a drama show. Americans will vote with mostly domestic policy in mind. However, foreign policy must be considered when looking at the possibility of interference.
Not to change China, Russia and Iran have been identified by the United States as the three majors foreign cyberthreats. Those countries are conducting hybrid cyber-operations (both cyber-attacks, interference, and disinformation). The election context is the perfect platform for opportunistic and/or targeted actions from either cybercriminals or state actors. And those actions are in direct connection to the following geopolitical issues.
Update October 2024 - The last stretch to the White House
November 4th, American voters will go to the polls. Who can be certain of the impacts of the numerous influence operation on the people choice. If the United States doesn’t really care for disruption in the actual voting infrastructure, each election they have been more and more adamant about the disinformation and disruption attempts against the American public. This 2024 Election run has been in the context of multiple ongoing wars, distrust between the powers, a United States looking inward, and most importantly the economic state of the country. Understanding all that turmoil, threat actors, sponsored or not, never cease to look for the way in and profit (financially or politically).
VOTERS
- INFLUENCE
Influence operations conducted by foreign entities have been on the rise since the beginning of the US election campaign. They are themed around (i.e. economic failure, industry protection) to, if not sway opinions, at least accentuate division. The strategies vary from targeting the presidential race to focusing on the regional and local elections
- DISRUPT
Phishing attacks and scamming are flourishing as the ultimate motive is to gather PII on voters and donors. Threat actors have registered many new domains to usurp legitimate US Election related website, especially fundraising or political parties’ websites.
THREATS IDENTIFIED BY THE US GOVERNMENT
- IRAN: APT35 and APT33, believed to be sponsored by IRGC, have tried multiple times to compromise government bodies and the Trump administration. In August, the US government accused IRGC linked threat actors to have compromised and send sensitive information on Trump to the Harris campaign managers.
- RUSSIA: The ongoing “Operation Doppelganger” has been under close surveillance. Targeting most European countries and the US, it’s a disinformation campaign. Hacktivist groups like Storm-1516, a group specialized in influence operation have also been propagating false information by created fake websites,
- CHINA: Taizi Flood conducted influence operation targeted US universities, propagating false information to deepen the existing ideological divide and influence diaspora votes at a local scale
ORGANISATIONS / GOVERNMENT BODIES
- DISRUPT
Through phishing attacks or ransomware, threat actors are looking to gather sensitive information, PII or stolen credentials. Those data breaches are the key to conducting more attacks directly on voters or people working directly in election-related organisations. - UNDERMINE
Sponsored threat actors are targeting the candidates’ communication infrastructures to gather intelligence and increase confusion and distrust in the democratic process.
Foreign and domestic issues
Ukraine
As a revival of Russian operations on the front is expected to happen this summer, the Biden administration hasn’t been clear on its position regarding the war in Ukraine. The gap between the talks condemning Putin’s actions and the actual support is another evidence of America’s disengagement in Europe.
The Trump administration, as in 2016, can be expected to follow the vision of their leader “In fact, I would encourage to do whatever the hell they want”1. Talking about Russia, Trump has always processed – and he isn’t the only one – that some NATO members (mostly European) don’t meet the defence budget required. That recurrent topic puts pressure on discussions of common actions regularly. Russia’s interference is expected to reinforce this rhetoric and campaigns from Russian speaking threat actors has been discovered. The objective is to manipulate opinions to lessen the support to Ukraine. Propagate this rhetoric is encouraging parts of the population that already share the opinion that Europe should deal with Russia which will serve the Kremlin political agenda. By pushing for Trump victory, Moscow wants to ensure that no American sanctions will be applied when there is another salvo of attacks.
Made in America
Behind this marketing argument lies true political and economic challenges. Seeing China as their great foe, the U.S. have been trying to counterbalance Chinese exportations rate to promote their own national production lines and restore the economy. The trade policies put in application impacting Chinese and European industries have put a strain on the world economy. Part of the “made in America” concept and under the Inflation Reduction Act, both Trump’s and Biden’s administrations had the ambitions to protect the U.S. national security and maintain their leadership on key advanced technologies and market shares. This is a major issue in this election as part of the population is blaming the actual President for trade policies crippling the U.S. national economy. China could be using that opportunity to sway opinions via diasporas to influence American trade policies in the long run by encouraging candidates less opposed to economics exchanges with China.
Gaza
The Middle East is again at the heart of geopolitical tensions. The Israeli-Hamas war is testing the relations between the United States and Israel, its forever ally. The Abraham agreements signed in September 2020 by Israel, Bahrain and the United Arab Emirates were intended to define the terms of a de-escalation in the region. The recognition of Israel as a regional state, which is still scattered, was intended to contain Iran’s ambitions. Iran is a key player in the region and the war is an opportunity for Teheran to affirm its regional leadership in the Middle East. By delaying the cease fire advocated by the United Nations and potentially supporting Israel with troops on the ground, the United States are facing, like Israel, threats of retaliation from the Iranian government. Iran could respond to military interventions and geopolitical sanctions by using the United States’ election platforms to conduct disruption operations and demonstrates its power.
Trust in our democratic system
The fear is that looking to either influence, undermine or disrupt, threat actors and cybercriminals will target the election. To understand what that means we should consider the whole voting ecosystem as it’s composed of multiple devices and third parties (shown under).
Operations les by the United States since the 2000s
More than ever, media and authorities are warning from the risk of cyber-attacks during the US elections. Voting machines have been under the scrutiny of cybersecurity experts as vendors were not open to let them look under the hood of their vulnerable business. Not all is due to suspicion or lack of interest for security but also to the thinking mode of industries.
It is true, like most operation infrastructure, cybersecurity wasn’t the priority in the voting devices industry and teemed with exploitable vulnerabilities. Like the energy sector taken as an example in our latest Threat Landscape, the same technical constraints are identified in the voting industry. That makes it difficult to update and patch devices for well-known vulnerabilities.
Experts have come across well-known vulnerabilities:
- Weak password stored in clear;
- Security features deactivated allowing the e-pool book to load unsigned code from any source;
- Lack of physical security that allows threat actors to become root and access the unencrypted drive;
- Lack of patch management with systems not updated.
CISA has advertised on vulnerabilities in the Dominion Voting Systems in 2022. It is important to note that to this date, no successful attacks have been registered during any US elections using this vulnerability.
The DefCon report is eloquent on the vulnerabilities found but also on possible attacks. For most attacks, a physical presence would be required to compromise the systems and remote exploits isn’t an easy task. Not saying it isn’t possible, but we must look at the threat actors that would have the means and the motivation to conduct such operations.
However, we must also keep in mind that sometimes saying that it can be done is enough to manipulate. The overbearing talks about the vulnerability of our core democratic system is as dangerous as a real attack. It creates a sense of mistrust in the population, that impact election result.
Next to vulnerability exploits on voting devices, other threats have been identified. Those aren’t new but in the context of elections they must be taken into counting.
Operations les by the United States since the 2000s
- Distributed Denial of service attacks
Disrupt means to interrupt or alter a system, a process, or an event. Regarding the elections cycle, disruption occurring at key moments to elections’ related services could impact the ability for voters to register, access critical information, etc.
- Social engineering
Elections, like the Paris Olympics, represent an opportunity to conduct spear-phishing campaigns. Those attacks can be opportunistic (mostly fraud) or targeted for example on official staff to retrieve authentication information to be used in later attacks.
- Information operation
Undermine or influence could be transpired through propaganda, disinformation and/or misinformation campaigns. Becoming a common threat, compromised social media, or valid accounts are used to discredit, manipulate opinions, or dispute election integrity and results. Generative IA is another layer to maximise the audience reach.
Information operations are mostly conducted by state actors. Even though they are using similar means of information manipulation, the way they are using them can diverge depending on those motivations.
Information operations are mostly motivated by influencing and undermining objectives. Often used interchangeably, there is a nuance to those terms. Undermine means to weaken a process or an authority gradually, often through indirect means. Influence means to cause a change in behaviour, belief, or opinion.
Conclusion
No doubt that American authorities and cybersecurity experts will increase their monitoring until November 6th and for some time after that. Other countries will likely do the same as cyberthreats don’t know borders. They will watch for not only cyber-attacks and warning signs but also the development of the conflicts undergoing and diplomatic relations.
The Voting Village launched in 2017 has shown that the collaboration for better and more secure elections is possible in the United States. Progress in patch management and implementation of the security in depth approach in the manufacturing of those devices are essential.
In the long run, the tangible impact is that democracies are put in doubt because the focus is diverted from actual issues to one core matter: can our democratic system still be trusted?
References
- CNN Politics. 2024. https://edition.cnn.com/2024/02/10/politics/trump-russia-nato/index.html
- Global Government Forum. 2024. https://www.globalgovernmentforum.com/a-subtle-opponent-chinas-influence-operations/
- The Intercept. 2024. https://theintercept.com/2024/03/06/homeland-security-us-elections/
- Congress Gov. 2024. https://www.congress.gov/event/116th-congress/house-event/LC65449/text
- CBS News. 2024. https://www.cbsnews.com/news/russia-iran-china-likely-to-engage-in-new-election-interference-efforts-microsoft-analysis-finds/
- Dark Reading. 2024. https://www.darkreading.com/ics-ot-security/hackers-let-loose-voting-gear-us-election-season
- Dark Reading. 2024.https://www.darkreading.com/cyber-risk/how-can-we-make-election-technology-secure-
- Dark Reading. 2024. https://www.darkreading.com/threat-intelligence/foreign-influence-operations-gearing-up-for-us-election
- Homeland Threat Assessment. 2024. https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf
- HackerOne. 2024. https://www.hackerone.com/ethical-hacker/election-security
- Chatam House. 2024. https://www.chathamhouse.org/2024/03/how-foreign-policy-might-impact-outcome-us-election
- DEF CON 27 Voting Machine Hacking Village. 2024. https://harris.uchicago.edu/files/def_con_27_voting_village_report.pdf
- Iran International. 2024. https://www.iranintl.com/en/202402238236
- Wired. 2024. https://www.wired.com/story/voting-machine-makers-hackers-ess/
- Wired. 2024. https://www.wired.com/story/voting-machine-vulnerabilities-defcon-voting-village/
- Security Affairs. 2024. https://securityaffairs.com/108135/cyber-warfare-2/china-russia-iran-target-us-election.html
- BAE systems. 2024. https://www.baesystems.com/en/digital/blog/the-cyber-impact-on-elections-safeguarding-democracy-in-2024
- Belfer Center. 2024. https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook
- The Diplomat. 2024. https://thediplomat.com/2024/04/us-and-europe-2-different-approaches-to-restricting-chinese-evs/
- CISA. 2024. https://www.cisa.gov/news-events/ics-advisories/icsa-22-154-01