Democracy Hacked: Why the Black Hats Are Turning Their Attention to Elections

With senior officials in the US, France, UK and Germany all blaming Russia for targeted attempts to influence their elections, Phil Muncaster takes a look at a turbulent year for democracy and asks ‘what next’?

It’s a headline-writer’s dream and could be a government’s worst nightmare. Something that would have been unthinkable just a few years ago is now a reality all over the Western world: persistent attempts to undermine democracy by hacking and leaking vast troves of sensitive material about political candidates ahead of major elections. This is coordinated, systematic and in some cases highly sophisticated stuff, according to the experts. It happened in the US, where Hillary Clinton now claims it helped her opponent to win, it happened in France, and there are fears it could happen in Germany. 

Russia has been blamed for much of the recent activity, but if the allegations are true, it certainly won’t be the last regime to use these tactics to further its geopolitical ends. The question is, what can governments do to stop it happening, and as we move to an increasingly digital world encompassing e-voting, is there an even greater threat to democracy waiting in the wings? 

A Turbulent Year
As recently as 18 months ago, one could argue that we lived in simpler times. The Obama administration seemed to spend most of its time focused on the ‘economic espionage’ cyber-threat from rival superpower China. Russian activity in cyberspace was largely ignored by the mainstream media because the assumption was the US was doing exactly the same, carrying out cyber-espionage in the interests of national security and geopolitics.

Then everything changed ahead of the 2016 US presidential election. On July 22, WikiLeaks published a trove of sensitive emails from Democratic National Committee (DNC) officials, which it received via a ‘Romanian hacktivist’ going by the handle Guccifer 2.0. Suspicions were raised at the time, and later by organizations like ThreatConnect, that the latter was merely a ‘faketivist’ persona invented by Russian state operatives.

In any case, the emails were incendiary, suggesting that the DNC was actively trying to derail Bernie Sanders’ nomination as the official Democratic Party candidate and revealing the lengths party officials were going to in order to secure funds from big money party donors. DNC chair Debbie Wasserman Schultz, CEO Amy Dacey and CFO Brad Marshall were all forced to resign in the aftermath. 

Subsequently, Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked and some 20,000 pages leaked via WikiLeaks in October and November as the race for the White House neared the finish line. Despite being on Gmail, many of these were work related emails and were highly embarrassing to Clinton, revealing internal feuding at the Clinton Foundation; her view that politicians “need both a public and a private position”, leading to accusations of untrustworthiness, suggestions of collusion with CNN to get interview questions early and much more.

“There have been a number of attempts to put in place such laws, but these tend to fail because of the competing geopolitical interests of nation state groups"

The Attribution Game

Despite Julian Assange’s protestations that he had no dealings with Russia over the leaks, the US Department of Homeland Security and Director of National Intelligence on Election Security in October directly blamed Russian state-sponsored hackers, claiming only the most senior officials could have authorized such a strategy. A statement explained:

“These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow – the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”

In December there followed a much more detailed white paper claiming to provide information on: “the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the US election, as well as a range of US Government, political, and private sector entities.”

However, the report arguably still lacked crucial forensic evidence linking the attack definitively to the Kremlin.

Yes, Putin was known to favor Donald Trump as the next President, and the latter has subsequently shown himself to be a friend of Russia on many levels. There’s also an echo of the past in the Cold War KGB-style tactics used here to destabilize Russia’s capitalist enemies in the West. In a rare revelation, Russian defense minister, Sergey Shoigu, admitted in an address to the Duma’s lower house that Moscow has invested significantly in establishing “information operations forces” and that they’ve proven far more effective than any other for “counter-propaganda purposes”.

Yet the attribution problem remains. Putin himself looks to have deliberately muddied the waters by claiming the DNC hacks could have been the work of “patriotically minded” hacktivists. Although this directly contradicts previous Kremlin statements, it’s almost impossible to refute – in fact, governments could hire the services of such zealots, through intermediaries if necessary, to ensure plausible deniability.

“We’ve got to start educating the public that just because this stuff was dumped on the internet it doesn’t necessarily mean it’s true”

Europe Under Attack

However, that hasn’t stopped European officials warning of Russian interference in their elections. German domestic secret service, the BfV, pointed the finger at the Kremlin for an attack on the Bundestag in 2015, and officials have voiced concerns over possible attacks designed to undermine the legitimacy of September parliamentary polls.

Meanwhile, in France, long-mooted fears were realized when a huge 9GB data dump was released online ahead of voting in the presidential elections. Yet again, the release was designed to target just one of the candidates, the moderate Emmanuel Macron rather than Putin-supporter Marine Le Pen. On this occasion, a slightly new tactic was revealed: alleged false or doctored documents slipped in among a majority of authentic ones, purporting to show that the former finance minister was involved in a raft of shady business dealings.

In the UK, the intelligence services have been more circumspect in public, but reports suggest they privately warned of Russian attempts to disrupt the June election. In the end, nothing major came to pass, but that could be more to do with the fact a snap election was called. This gave too little time for the hackers to plan their campaign, according to Brian Lord, former deputy director for GCHQ Cyber and Intelligence and now managing director of PGI Cyber.

APT28 Uncovered

The group at the center of the majority of election ‘hacking’ stories surfacing over the past year or so is known as APT28, Fancy Bear, Sofacy Pawn Storm, Sednit and many other monikers. Its activity has long been tracked by cybersecurity researchers, although so problematic is attribution in cyberspace that they too have largely refrained from linking the group directly to the Russian government. In a detailed report on the long-running group’s most recent activity, Two Years of Pawn Storm, Trend Micro goes no further than stating the group’s interests are “allied” to those of Russia. Aside from the US Democratic Party, the group has registered phishing domains for the Macron campaign, Angela Merkel’s CDU party, the Turkish Prime Minister’s Office and many non-political entities including anti-doping agency WADA.

The report reveals a well-funded, sophisticated, aggressive and determined cyber-espionage outfit. The sheer size of the group is impressive: it maintained a running list of thousands of targets and has coordinated 50 phishing campaigns at the same time over a nine-month period, it claims. Often the first stage of an attack involves credential phishing of a webmail account. However, while many users believe they can spot phishing attacks, these are composed in flawless English and evade spam filters with ease. Only selected high value targets are chosen to infect with second-stage malware such as XAgent, after initial reconnaissance work. The group has also been known to use spear phishing, DNS switching and so-called ‘tabnabbing’ techniques to achieve successful outcomes, the report claims.

In France, long-mooted fears were realized when a data dump was released online ahead of voting in the presidential election
In France, long-mooted fears were realized when a data dump was released online ahead of voting in the presidential election

The Legal Argument

Part of the problem for governments looking to safeguard their democratic processes is that there are no international laws in place to deal with this new breed of cross-border attempts to subvert elections.

“There have been a number of attempts to put in place such laws, but these tend to fail because of the competing geopolitical interests of nation state groups. The issue is dealt with where possible on a bilateral basis, but this is only effective to a limited degree and the reality is that attacks continue anyway,” Taylor Wessing partner Paul Glass tells Infosecurity.

“Work to establish international laws could help. However, many in the cybersecurity industry believe that certain hacking groups which are ostensibly independent of the state are in fact either acting on direct instructions, or with the tacit approval of nation states. This gives the state plausible deniability on activity such as election hacking”, Wessing continues.

Where Do We Go from Here?

So now that we know what we’re up against, is this the ‘new normal’ for democratic elections?

“Every state will be at this sooner or later,” Lord tells Infosecurity. “In fact, interference in the political affairs of another country is nothing new.”

The democratization of hacking tools now means email hacking/

leaking is easy enough for any hacktivist or cyber-criminal with the right motive. That makes it all the more important to create a “proactive consensus between the parties and the responsible press” not to publish or make political gain from any dubious data dumped online ahead of an election, argues Lord. This kind of agreement wouldn’t prevent ‘election hacking’ but it would “defuse the effects of it” and hopefully make it a less attractive option for the bad guys, he continues. This must be combined with a better effort at improving the public’s awareness and credulity around fake news and leaked data.

“We’ve got to start educating the public that just because this stuff was dumped on the internet it doesn’t necessarily mean it’s true”, says Lord.

There are also more practical technical measures that those organizations in the firing line should consider, advises FireEye director of systems engineering, David Grout.

“The journey to protecting an organization from attacks starts from acknowledging the risks. It’s key for the organization to understand that they can be targeted. The second step is to apply and deploy IT hygiene, which starts with the security foundation triangle: process, people and technologies,” he tells Infosecurity.

“You then need to ask yourself the right questions: ‘When will I be hacked and by whom?’ To mitigate the potential impact, you need to train your employees and practice incident response plans, which are imperative in order to minimize exposure, but also to reduce time to remediation.”

A Darker Future?

The big question going forward is whether things could get any worse. At the time of writing, a new NSA leak seems to reveal Russian election hacking in 2016 went much further than stealing and leaking sensitive DNC data. It details an effort to phish VR Systems, a company producing software for eight states which verifies voters on election day, and from there, local election officials. However, it fails to say what the impact may have been and the very heterogeneity of US e-voting systems is thought to make it virtually impossible for external hackers to have any real effect on election outcomes there. It’s also true that it’s difficult to target swing states, as they tend to change from election to election.

That said, the Netherlands government was forced to ditch digital systems at the last minute earlier this year after election security concerns were raised.

“To be clear, if you want to do voting electronically, you’re asking for trouble. It’s really hard to secure these machines. Even if it’s not online when you vote, you need to put software on it in the first place which raises the opportunity to put malware on them,” KPMG partner Martijn Verbree says. “If you must do e-voting, you need a physical aspect to check against; such as voting on paper and then loading it into a machine to count.”

Verbree also raises the alarm about ransomware, which could effectively act as a denial of service if launched against e-voting systems. There have also been warnings about the DDoS threat not just against voting machines but also websites that provide crucial voter information, such as the location of polling booths and candidates.

In the end, it remains to be seen whether fake news and/or pre-election leaks have the power to sway voters, although Hillary Clinton has already blamed her defeat in part on the activities of ‘Russian WikiLeaks’. However, what we’re seeing now is likely the start, not the end, of a troubling period for democracy.

“We cannot continue to wait for an event before trying to tackle this issue. Cybersecurity needs to be part of our DNA from citizen level, all the way through to world leadership”, says FireEye’s Grout

What’s Hot on Infosecurity Magazine?