Any organization involved in U.S. politics and elections – either directly or indirectly – is a target for cyber criminals. Whether these cyber criminals are nation state actors from Russia or China, or another adversarial group, there are targeted and persistent campaigns to gain intelligence about, and entry into, these organizations to influence the election. These attempts are motivated entirely by financial and political gains.
Elections, like any major worldwide event, are a focus of cyber criminals who have spent years building out multi-pronged attacks. Their attacks have two focuses: the public, and the organizations involved.
To understand “how” sophisticated and targeted these campaigns are against the public and politically focused organizations, we have to look at what cyber criminals now have access to. The world has shifted with extensive daily use of digital platforms and applications. Those who build these platforms and applications have a single objective: to capture and store the greatest quantity of data about individuals across the globe. This treasure trove of data is also being shared with third parties (Cambridge Analytica wasn’t the only company accessing data, and it wasn’t just Facebook who shared data).
What the public often fails to understand is that our individual data is being collected and shared in every platform and application we access. It is then aggregated and analyzed to more effectively target individuals. In the right hands, it may be just an ad for a new pair of shoes that is most likely to strike your fancy. Most organizations are using this information within ethical boundaries. But, in the hands of hardened cyber criminals, nation state actors and adversarial groups, this data is ripe for nefarious activities.
Spreading disinformation is a highly successful activity. Look at what Cambridge Analytica was able to produce – aggregated behavioral data about individuals to create further polarization within each political party on who were decided voters and to influence undecided voters. The disinformation within this advertising was granular and highly specific, making it one of the most successful marketing campaigns in history. The most recent data breach from a Chinese firm with suspected ties to the Chinese government proves the extensive data collection occurring around the world. The last five years are a perfect example of the results of disinformation in the wrong hands.
When we look at campaigns being executed across high value targets – political organizations, elected officials, election offices, or any third party with relationships to these organizations or politicians – cyber criminals tailor their campaigns as a different form of disinformation. They gain access into these organizations using the most prevalent attack vector, and easiest point of entry: email. Why? Because it has the highest success rate.
By crafting highly specific emails, directly aligned to individual personnel or organization, cyber criminals can more effectively evade traditional security defenses. These emails, known as spear phishing attacks, are not new and we know they work.
Phishing is only a single attack vector within their overall strategy. Still, we know from history that cyber criminals have succeeded in gaining access to confidential information.
In Florida, an FBI investigation concluded that two counties’ voter data had been breached. In this instance, Russia was behind the phishing attacks, which leveraged a Word document attached to an email that installed malware. The extent of this phishing attack has yet to be made public, but it is known that at least 13 counties received the phishing attacks. Just that statistic alone – a 15% success rate – should cause concern across the United States as adversaries seek to influence our election process.
The Russian hacking group that targeted approximately 3,900 individuals associated with the Democratic National Committee (DNC) used a spear-phishing campaign and successfully gained access to highly confidential information. We know that John Podesta clicked on one of these emails that requested a Google password verification, linking to an impersonated website. Once his credentials were harvested, the attackers had access to collect and exfiltrate highly confidential information.
The exact language in the previously successful spear phishing campaigns against these organizations is not public information. But it’s important for the public to understand what this looks like and how the personal information being collected across many digital platforms and applications can create risk for each individual and organization.
The data available about individual personnel could be personal behaviors (e.g. likes, dislikes, shopping preferences) and organizational information (e.g. accounting cycles, hierarchy, job responsibilities). Criminal organizations can use this data to target personnel with tailored emails that attempt to harvest credentials and gain access to their systems. The goal is often to collect and exfiltrate confidential information.
If Tom watches the Detroit Tigers, his boss is Cindy, and he has a project the team is working on, here’s what it could look like:
This email, which uses specific information about Tom, appears to come from his boss and carries urgency around the action he is being asked to take. Upon opening the file, malware is downloaded so the cybercriminal has access to his computer, his patterns and his data. This level of compromise is typically just the first step in a more strategic approach to gain further access to the entire network.
After watching communication patterns for Tom, the cybercriminal could then send an email to another member of the organization, using Tom’s account, where the goal is to obtain greater access.
When David clicks the SharePoint link, it leads to a Microsoft login page where he types in his credentials. The page then reloads and prompts for his Microsoft login credentials again; after entering them a second time, he has access to the document on SharePoint.
The first time David typed in his credentials, it was an impersonated login page made by the cybercriminal, harvesting his login credentials. The second time, when the page reloaded, he was redirected to the actual Microsoft login page. These are common tactics. It’s the specificity of these email campaigns that is making them successful.
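The lure in David's case works because the link looks like a SharePoint or Microsoft sign-in page but lands on a host the attacker controls. The following is an added illustration of the defensive check a mail filter or security team can run on an incoming message; it is not code from this article or from any vendor. The allowed sign-in hosts, the brand words, and the sample message body below are assumptions constructed for the example.

```python
"""Flag links in an e-mail body that imitate a Microsoft / SharePoint sign-in.

Added example, not code from the article. ALLOWED_HOSTS, BRAND_WORDS and
SAMPLE_BODY are constructed assumptions for the illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where a Microsoft 365 sign-in or a SharePoint document link is
# expected to land (assumption; tune to your own tenant).
ALLOWED_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "sharepoint.com",  # any *.sharepoint.com tenant is accepted below
}
# Brand words that a lookalike host tends to reuse (assumption).
BRAND_WORDS = ("microsoft", "sharepoint", "office365", "onedrive")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_allowed(host: str) -> bool:
    """True when host is an allowed sign-in host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def assess_link(href: str, text: str) -> list:
    """Return the reasons a link looks like a credential-harvesting lure."""
    reasons = []
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        return reasons  # mailto: and similar are out of scope here
    host = (parsed.hostname or "").lower()
    if parsed.scheme == "http":
        reasons.append("plain http")
    if host_allowed(host):
        return reasons
    # A brand word in a host that is not on the allow list is a lookalike.
    if any(w in host.replace("-", "") for w in BRAND_WORDS):
        reasons.append(f"lookalike host {host}")
    # Visible link text that shows a different host than the real target.
    m = re.search(r"https?://([^/\s]+)", text)
    if m and m.group(1).lower() != host:
        reasons.append(
            f"display text points at {m.group(1)} but href goes to {host}"
        )
    return reasons


def scan_email(html_body: str) -> dict:
    """Map each suspicious href in the body to the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = {}
    for href, text in parser.links:
        reasons = assess_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: an internal-looking message with one lure link.
SAMPLE_BODY = """
<p>David, the Q3 budget numbers are on SharePoint, please review before 3pm.</p>
<p><a href="https://contoso.sharepoint.com/sites/finance/Q3.xlsx">Q3 budget</a></p>
<p><a href="https://login-microsoft0nline.example/auth">https://login.microsoftonline.com/</a></p>
<p><a href="mailto:tom@contoso.example">Tom</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_BODY).items():
        print(href, "->", "; ".join(reasons))
```

Run as a script, the only link reported is the `login-microsoft0nline.example` one, flagged both as a lookalike host and because its visible text advertises the real `login.microsoftonline.com`. The genuine tenant link and the mailto link pass. A check like this is cheap to run at the mail gateway and catches the mismatch between what a user sees and where the browser actually goes, which is exactly the gap the reload-and-redirect trick relies on.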
Now, with the credentials of a high value target, the cyber criminals can watch Tom and David’s communication patterns and behavior between members within the organization or business associates outside the organization. Because they have compromised these accounts and systems, they can gain further intelligence about this specific organization or a third-party organization.
The full magnitude of what these cyber criminals have done in the previously discussed compromised organizations has never been shared with the public. But with access to data and systems, the probability is greater that they have the ability to influence the election in some form. In the current environment, fraught with tension between political parties, the public is in a highly emotional state leading to less rational thinking. This alone has provided the perfect landscape for nation states to prey on the public, leveraging mass quantities of collected and aggregated data to spread highly targeted disinformation campaigns as part of their overall strategy. The result is to influence the election in one way or another and gain money or political clout.