As the United States closes in on one of the most divisive elections in its history, many organizations are concerned about the high level of security risk in the coming weeks and months, especially if the election results are contested.
And just as in 2016, multiple nation states are attempting to influence the outcome. Along with aggressive state-sponsored threat actors heightening tensions across the political spectrum, there is the very real fear of potential social unrest and unstable financial markets.
Beginning with the comprehensive Microsoft report published in September, three nation states were spotlighted for actively attempting to disrupt and influence the U.S. elections. We have also identified specific threats to software and phishing techniques as areas organizations need to be prepared for.
Here are five election security threats and threat actors companies should be watching for to protect their brand, data, employees and customers:
1. Russian threat actor FancyBear
2. Chinese threat actor HurricanePanda
3. Iranian threat actor CharmingKitten
4. Threats to software
5. Election-themed phishing lures
The Russian threat actor FancyBear (also known as APT28 and Strontium) has “evolved their tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations.” Microsoft asserts FancyBear is cycling through 20 IP addresses daily to mask their infrastructure, as well as leveraging Tor anonymization. Microsoft believes that by adopting new techniques like brute force and password spraying, the threat group has scaled their operations through automation. Users of the Splunk(r) Enterprise Security Threat Intelligence Framework will be able to alert on this activity by ingesting a TOR node feed.
The report also highlights Chinese threat actor HurricanePanda (also known as APT31 and Zirconium) as prolific in targeting the election. One of HurricanePanda’s key techniques is using web tracking to validate if and when a user opens their phishing email. Because of the web tracker hidden in the text or attachment, the mere act of opening the email — not even clicking on anything — beacons back to a website the threat actor controls, immediately informing them that they have an active victim. Microsoft says it detected thousands of these attacks, resulting in nearly 150 compromises, all attributed to HurricanePanda.
Splunk customers can leverage the Command and Control and Suspicious DNS Activity analytical use cases from Enterprise Content Security Update (ECSU) to detect outbound network activity originating from a threat actor’s tools.
We have also learned from Microsoft reporting that CharmingKitten (also known as APT35 and Phosphorus), an Iranian-based threat actor, is targeting both administration officials and campaign staff via phishing emails. The most recent Iranian activity highlighted by the U.S. Director of National Intelligence (DNI) details their broad, email-based influence operations that directly target U.S. voters.
Threats to Software
Election-related targeting of this sort has been going on all year. For example, in February, a data breach by Campaign SideKick, an application used since 2002 to collect and analyze voter information, was a warning to all software vendors supporting the election. Not only was the company’s source code taken, sensitive voter information was also exposed. Targeting voter databases is not new either; Florida’s entire voter database was listed for sale in criminal forums in 2019.
The power of big data to analyze and act is critical. The attack on Campaign Sidekick was successful because the .git directory containing the company’s source code was set with world-readable permissions on their main public web server. Splunk Enterprise has allowed companies to monitor for changes to directory permissions for a long time.
Unfortunately, the threat to software vendors does not end there. In September of this year a major vendor of election software to state and local governments sustained a network intrusion according to Krebs on Security. The vendor’s solutions are used to visualize the election totals and status that appear on TV screens across the U.S. on election day.
In fact, Russian threat actors compromised similar software in 2014 to falsely report that the Russian-backed candidate won the Ukrainian election. While the company, in this most recent incident, initially reported the attack as a typical case of ransomware, the company has since advised all of their customers to change their passwords after observing suspicious login activity.
In an alarming correlation, a threat actor with the handle “Mr_APT” posted the Dekalb County voter database for sale in a criminal forum for $3,500, with potentially far-reaching implications. Dekalb County is the largest Black and primarily Democratic county in Georgia and this data would be enormously valuable to those looking to interfere in the election.
Also this October, Hall County, another Atlanta-area constituency, was affected when ransomware took their digital system offline, forcing the county to use paper backups.
Election-themed phishing lures
Finally, where most organizations will be at significant risk is through the use of election-themed phishing lures. For example, the crime threat group MummySpider (TA542, Gold Crestwood), came back with a vengeance this month after being dormant for some time.
The collective had previously used COVID-19 themes, and is now using subjects like “Team Blue Take Action” to directly imitate campaigns and trigger an emotional click.
These emails contain malicious attachments like “Volunteer.doc” that contain the malware Emotet. Once downloaded, the second-stage payload delivers Qbot. This threat can be detected using both the suspicious email and emotet malware analytical stories found in the Splunk Enterprise Security Content Update. Splunk Phantom(r) users are also able to orchestrate their response to these threats by using automated phishing playbooks.
Election Risk Forecast
While the FBI is currently stating that the election system and anything specifically related to voting and tabulating have not been compromised, the risk of disruption both to the election and your business is high.
The next few weeks will be different than any U.S. elections observed in modern times. And the threat doesn’t end once all the votes have been counted. On the cybersecurity front, we anticipate opportunistic phishing campaigns that seek to compromise users with election-themed emails claiming to contain the latest news and updates.
In addition to the recommendations above, we advise Splunk customers to deploy the newly released TA-Drovorub by James Brodsky, as it detects FancyBear activity on Linux systems. This is also an ideal time to test and optimize your Splunk detection rules using the free Splunk attack range tool.
Paul Jaramillo, Splunk Senior Manager Threat Hunting & Intelligence
Charlotte Guiney, Splunk Senior Intelligence Analyst