Election hacking is back in force in 2020. Threat actors with documented and well-known ties to nation-state apparatus are working diligently to spy on our political activities and influence the upcoming presidential election and beyond. They have many tactics, techniques, and procedures to manipulate social media involving various candidates and to breach, damage, manipulate data and even ransom the election-critical information technology infrastructure. These are equal-opportunity threats – they are targeting both Republican and Democratic institutions.
On September 17, the Federal Bureau of Investigation Director Christopher Wray made it clear that Russia was continually active in their interference with the upcoming U.S. presidential election1. How? With a “steady drumbeat of misinformation.” Director Wray further noted that “the intelligence community’s consensus is that Russia continues to try to influence our elections.”
The Director of the National Counterintelligence and Security Center (NCSC), William Evanina, noted in a statement released on August 7, 2020, that, “Ahead of the 2020 U.S. elections, foreign states will continue to use covert and overt influence measures in their attempts to sway U.S. voters’ preferences and perspectives, shift U.S. policies, increase discord in the United States, and undermine the American people’s confidence in our democratic process. They may also seek to compromise our election infrastructure for a range of possible purposes, such as interfering with the voting process, stealing sensitive data, or calling into question the validity of the election results2.”
Microsoft has also gone on record on September 10, 2020, to disclose their visibility into election-related threat actor activity. Per the recent Microsoft blog3, “In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns.” Microsoft further noted that it was “clear that foreign activity groups have stepped up their efforts targeting the 2020 election.” The Microsoft blog identified threat actor groups operating from Russia, China, and Iran. The foreign groups involved are many of the same nation-state hackers that have previously breached the 2016 Democratic campaign.
The local and national voter registration databases and systems are highly vulnerable because they generally must remain connected to the internet. Per the Cybersecurity Infrastructure Security Agency (CISA), the additional possibility of ransomware remains front and center for the election process. State and local governments must square off against these cyber attackers to prevent information theft, vote manipulation, ransomware, and more. What would you pay to regain access to your information if it is locked up ransomware? How can you be sure your electronic vote counts have not been manipulated?
APT28 Threat Actors – a Long History of Malicious Activity
One of the threat actors front and center to this malicious and brazen activity is APT28. APT28 goes by many names, including Strontium, Fancy Bear, Group 74, Tsar Team, and more4. APT28 is a cyber-attack unit funded and coordinated closely with Russia’s GRU military intelligence. They were linked publicly to Russia’s Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment.
APT28 is attributed to the Democratic National Committee’s compromise and attacks on Hillary Clinton’s campaign in 2016 in a well-documented attempt to interfere with the U.S. presidential election process. They were associated almost continually with attacks on NATO, the Georgian government, journalists covering the Caucasus, and eastern European civilian and military components.
Election Hackers APT28 Target DNS with Lookalike Domains
APT28 uses a wide variety of known tactics and techniques to reach their goals. DNS is part of the mix. Lookalike domain attacks that have been used by APT28 have targeted DNS domain names. The selected domain name is designed to appear legitimate under cursory inspection.
For example, APT28 has been associated with the acquisition and registration of domains that imitate both the North Atlantic Treaty Organization (NATO) and the Organization for Security and Cooperation in Europe (OSCE) security websites and Caucasus information resources.
This technique of imitating domains through lookalike domains is also referred to as “domain typosquatting” or homoglyphs5 attack. APT28 can use this technique to socially engineer targets via email and the websites they might visit to support critical election infrastructure, research, or other related information. These websites are necessarily frequented by parties that prepare for and administer the election processes and the various associated parties and vendors that work with them.
The goal is to manipulate users into exposing passwords and other sensitive data that enable APT28 to reach their nefarious goals. This data can then be used to support an attack on election critical infrastructure.
Lookalike domains are created, for example, by substituting a “1” to replace an “I” (capital i) in a domain name or a URL. Many character substitutions can be detected, but we tend to see what we expect to see. These substitutions are often overlooked and missed by the targeted victims. I use this example for Yahoo frequently to illustrate how relatively easy this is to do:
| “УАНОО” is not the same as “YAHOO” |
Researchers also find that cybercriminals use valid Transport Layer Security (TLS) certificates to make the lookalike domains appear legitimate. In late 2019, researchers noted that more than 100,000 lookalike domains were impersonating legitimate owners. In some instances, extra words or characters are added to complete the deception. In other cases, different characters are substituted, from other languages or fonts, APT28 may also manipulate election-related website content and URL paths. A site’s content may be a modified copy of an existing, legitimate website. APT28 will update this content overtime to make the attack more effective. Attackers need to present a credible URL path to support the deception. It can look like the real URL or obscure the real URL in some way.
Foundational Security Can Help
BloxOne Threat Defense is a security solution that uses foundational infrastructure – DNS – to secure networks against data theft and modern malware campaigns. It includes Custom Lookalike Domain Monitoring to enable you to stop lookalike socially engineered attacks upon your team and your infrastructure proactively. You can submit your domain or domains frequently used by your organization to the Infoblox Cyber Intelligence Unit (CIU). The CIU will analyze and identify likely lookalike domains that will require monitoring. If these lookalike domains generate any suspicious activity, your organization will promptly receive an alert to potential damaging activity and block access to these malicious domains.
Of course, this is just one of the many attack vectors that threaten DNS infrastructure and the election process. Foundational security adds a robust layer for state and local governments to add resilience and enhanced capability to their defense-in-depth architecture. We have helped many customers improve their security posture using DNS.
For more information on BloxOne Threat Defense: https://www.infoblox.com/products/bloxone-threat-defense/
If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form.
1https://www.cnbc.com/2020/09/17/fbi-director-wray-warns-russians-actively-influencing-2020-election.html
2https://www.dni.gov/index.php/newsroom/press-releases/item/2139-statement-by-ncsc-director-william-evanina-election-threat-update-for-the-american-public
3https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/
4https://attack.mitre.org/groups/G0007/
5https://en.wikipedia.org/wiki/Homoglyph
