Democracy Under Attack: Summarizing the Elections Threat Landscape

By Gal Fenighstein, Threat Intelligence




The election process, all over the world, has been modernized. From online voter registration forms to debates waged on social media all the way to electronic voting machines, these high-tech upgrades bring new benefits as well as new pain points.


Namely, election systems and infrastructure have emerged as a main battleground for cyberwarfare. Motivated by a broad spectrum of interests, more and more threat actors are using cyber-attacks as a means to achieve political influence. Every step in the voting process is considered a possible target for the cyber-attacker: the election websites (both voter registration processes and results-reporting websites), the election management systems storing voter data, the digital campaign arena, and the voting machines are all vulnerable to malicious cyber activity.


The threat actors are often either rival parties looking to disrupt each other’s campaigns, “hacktivists” with ideological motives seeking to influence public opinion, or foreign state-sponsored cyber attackers conducting a form of espionage. It’s important to understand the overall threat landscape in order to start working towards protecting these vital organs of modern democracy.


The First Step: Registering to Vote


Threats lurk in the very first step of the voting process – voter registration. With three-fourths of all US states offering online voter registration, the websites supporting the registrations have become attractive targets for threat actors seeking to disrupt registration or prevent voters from registering.


Last September, Harvard researchers released a study showing how easy it would be to manipulate voter data using the online registration systems. For example, by compromising the “Change Your Registration” forms that are available on the websites of many states, attackers can change voter information, move a number of voters to different polling places, and prevent these voters from voting. In some cases, threat actors can change or block specific key information on state websites, information critical for voters to get to their polling places.



The United States Senate released a report stressing this, warning that Russian-linked agents attempted to access voting-related websites in at least six states.


And that’s just the beginning.


Hacking The Campaign Trail


Last June, the website of the Mexican political opposition party was hit by a DDoS attack during the television debate between the presidential candidates. In a similar 2015 attack, shortly before a meeting between German and Ukrainian leaders, the German government websites – including Chancellor Angela Merkel’s page – were hacked and left temporarily inaccessible.


Indeed, DDoS (distributed denial of service) and website defacement attacks are the most popular methods threat actors use when attempting to destabilize political candidates, sabotage their campaigns and damage their reputations.


War propaganda plays an essential role in these kinds of attacks, as actors conduct disinformation attacks – targeting or mimicking state and local officials’ social media accounts to sow misinformation and mistrust. For example, a month before the US November midterm elections, Facebook removed more than 800 pages and accounts presenting “inauthentic behavior” – sending spam or posting provocative comments created to stir up political debate.


In addition, the election databases that are used to host the data from the polling stations are ripe targets for cyber-attacks, as compromised voter registration databases can allow attackers to change or delete voter information.


In the 2016 US elections, Russian hackers scanned voter databases for vulnerabilities and managed to infiltrate the voter registration databases in multiple states. The most prominent hack occurred in Illinois, where the attackers managed to steal over 15 million people’s private, sensitive information – names, birthdays, genders, and partial Social Security numbers. In a different, unidentified US state, the attackers were able to get information from a campaign finance database, which would give them insight into the financial connections between certain voters and candidates.


Moreover, investigations have shown that the cyber intruders aimed to delete or alter the voter data they managed to get their hands on. These databases become highly vulnerable when they run on servers or PCs with old, unpatched operating systems and no firewalls or antivirus software.


Zero-Day on Election Day


After long, intense campaigns riddled with cyber attacks, data breaches, and social media trolls, it’s time to finally vote.


And yet, a myriad of critical vulnerabilities affecting electronic voting machines (EVMs) have started to surface, putting the integrity of the voting results in danger. A major cyber-security conference recently challenged hacking experts in attendance to digitally break into the electronic voting machines.


The result? They were able to gain full control over the voting machines: once inside, they were able to change the recorded votes that are presented as the results, change the voting poll information, and even give an unlisted candidate most of the votes.


They did this by exploiting various security flaws in the equipment, in the installed software, or in its configuration, including expired SSL certificates, accessible memory cards, and remote-access software installed on the election-management systems.




While there haven’t been any officially observed attacks on the election infrastructure in the upcoming US midterm elections in November 2018, there is no doubt that threat actors are aware of the vulnerabilities residing in the election infrastructure and are already seeking opportunities to exploit them, undermining the elections in order to weaken American democracy’s integrity.


Adopting basic cyber security measures can prevent most attacks from succeeding – simply staying up to date and becoming familiar with industry best practices goes a long way to stopping threat actors in their tracks.

