
Expect ‘Fluidity’ From Threat Actors Ahead of the Midterm Elections


While awareness about election security has increased since 2016, threat actors launching espionage and disinformation campaigns are also leveling up, warn security experts.

With the U.S. midterm elections approaching in two months, security researchers are warning election organizations and administrators, political parties and government officials to stay vigilant against imminent espionage campaigns and other threats.

As previous U.S. election cycles have shown, the security challenges facing elections are multi-pronged: disinformation campaigns aimed at swaying voter opinion, disruptive cybercriminal activity such as ransomware or distributed denial-of-service (DDoS) attacks against election-related infrastructure, and espionage attacks.

The latter is particularly concerning, with researchers with Mandiant saying they are “highly confident” that election organizations will see espionage campaigns aimed at information collection, establishing footholds on networks and stealing data that can be used in later attacks against critical election infrastructure. However, in addition to these known security risks, researchers also say that threat actors will use new tactics in future elections, as seen in the 2020 election cycle when Iranian actors impersonated the “Proud Boys” organization and sent threatening emails to Florida voters.

“That was a scenario not many people had thought through,” said Luke McNamara, principal analyst with Mandiant. “We’re trying to help network defenders and customers prioritize where we think the most likely threats might occur, but this is an area where we should expect a lot of fluidity in terms of the threat actors.”

The Evolution of Election Security

Election security was thrust into the spotlight when APT28 and APT29 stole data from several targets in the 2016 U.S. presidential election, including the Democratic National Committee, and leaked a large number of related emails online. These attacks led to a higher prioritization of security in the 2020 U.S. presidential election, but phishing attacks were still detected targeting people and organizations associated with both the Trump and Biden campaigns. The threat actors involved during that election cycle included Strontium, a threat group operating from Russia, Zirconium, operating from China, and Phosphorus, operating from Iran.

One aspect of election security that makes it difficult to assess is that elections occur infrequently and have drastically different impacts. The priority a threat group assigns to a given election might vary widely depending on how it ties into Chinese or Russian interests, for instance, and a midterm election might draw different attention than a general election, said McNamara.

The ecosystem that underpins the election process is also widespread, and each entity comes with its own set of security challenges. Beyond the voting machines and election management systems where votes themselves are processed, election administrators (including state and local officials, electoral registers and election commissions) add another layer to the threat landscape, as attackers can target election commission websites or steal data from electronic voter databases. At a broader level, election campaigns themselves have also been targeted, including PACs and donor organizations and political parties. Disinformation campaigns continue to pose a constant threat that social media platforms grapple with.

While this ecosystem translates to an extensive threat surface, Nick Biasini, head of Outreach with Cisco Talos, said that diverse local voting processes across the country - including the experience of voting, the equipment used and the way votes are tabulated - complicate a widespread, all-encompassing attack.

“The thing that makes elections unique in the U.S. is that if you’ve affected one election in one district, you’ve just affected one election in one district,” said Biasini. “That’s one of the advantages to the way we run our elections: It’s very difficult to compromise elections at a very large scale, you need to do it in each district individually as opposed to a large manner.”

The Upcoming U.S. Midterm Elections

In the coming November midterm elections, Mandiant said they assess with “moderate confidence” that cyber threat activity will cause disruptions and divisiveness - however, they assess that the actual compromise of voting devices or other activity that impacts the integrity of votes “is unlikely.”

Espionage campaigns are a significant threat, and researchers have pinpointed threat groups that are likely to target U.S. government and election-related organizations, including APT31 and APT41 (linked to China), APT29 (linked to Russia) and APT42 (linked to Iran). In February, for instance, Google reported that APT31 (also known as Zirconium), which had targeted Biden’s campaign staff with phishing attempts in June 2020, was running a phishing campaign against “high profile Gmail users affiliated with the U.S. government.” Meanwhile, Mandiant said it continues to detect phishing campaigns from APT29, one of the groups behind the 2016 DNC hack. And in March, the FBI warned that threat actors were targeting U.S. election officials in at least nine states with invoice-themed phishing emails designed to steal their login credentials.

Disinformation activity is another area that may ramp up in the weeks leading up to the elections, and researchers said to expect threat actors linked to Russia, Iran and China to focus on relevant political issues in order to create division. During the 2018 U.S. midterm elections, Mandiant researchers found a pro-Iran influence campaign that used inauthentic accounts to mimic U.S. candidates running for office and promote views in line with Iranian interests. And in the months leading up to these upcoming midterms, Mandiant researchers observed activity from two fake accounts claiming to be editors at a known inauthentic (now inaccessible) website called Newsroom for American and European Based Citizens (NAEBC), which promoted narratives on various U.S. political topics and was run by individuals associated with the Russian Internet Research Agency (IRA).

“One of the things I think will be interesting to look at in the midterm elections is how misinformation and disinformation is spread organically in the landscape,” said Biasini. “I think that organizations and social media companies have done a decent job at curtailing more organized misinformation campaigns, but you have a situation where it’s possible that misinformation can be organically spread just from users sharing it amongst themselves as opposed to a more coordinated effort. I really think that misinformation and impacting voters’ choices will be one of the bigger challenges that we face.”

Beyond these threats, other potential risks for election security include hacktivism, insider threats and cybercrime such as ransomware and DDoS attacks. Researchers also pointed to an increasing trend of state-sponsored threat actors using financially motivated attacks, like ransomware, as cover for their true purpose, whether that is espionage or otherwise.

Increasing Cybersecurity Awareness

Though numerous security threats exist, awareness of these challenges has also skyrocketed since 2016, driven in part by the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) as part of their ongoing work to secure critical infrastructure.

“When it comes to the defender side of things, I think there is certainly more awareness around this in general, certainly at a federal level, and I think there is more willingness and awareness to address this at the state and local level, which in our democratic process is where the rubber meets the road,” McNamara said. “These are the entities in charge of putting these elections on and making sure they run their course and they’re resourced.”

McNamara said that one challenge at the state and local level is the high turnover rate of election administrators, staff and personnel. In the midst of this shuffle, security needs to be continuously prioritized, he said. And while smaller or more rural counties are not as well resourced, CISA has made several efforts to make free tools and training available across the board. In August, for instance, CISA and the Joint Cyber Defense Collaborative (JCDC) worked with the open-source community and private and public sector organizations to develop a catalog of free services and tools for state and local election officials. These services include free training from CISA to bolster the security of election infrastructure. The Help America Vote Act (HAVA), signed into law in 2002, also provides funds for improving the technology used in election systems and bolstering election security.

“From an election security tabulating votes perspective, the organizations and the secretaries of states and the various districts are continuing to make improvements in that space,” said Biasini. “There is continuing to be significant federal funding available for those groups to be able to improve, and there’s also a lot of information sharing from organizations like DHS and other groups that are really helping to bring along the security of the votes.”

Jonathan Reiber, vice president of Cybersecurity Strategy and Policy at AttackIQ, said that both campaign organizations and election administrators should go through at least one exercise before the midterms focused on handling disinformation and the potential for cybersecurity incidents on their infrastructure. It’s also critical for organizations to look at known tactics used by adversaries and prepare for defending against these measures, he noted.

“I think the message that I would relay to the public is, defend your most high value data,” he said. “If you’re a state, make sure that the most important data that you have for the election is as secure as possible. If you’re a campaign, make sure that your campaign surrogates’ data is as secure as possible.”