After an Iranian-based adversary gained access to a city’s local infrastructure that would be used to report the results of voting for the 2020 elections, U.S. government agencies worked together to quickly shut down the attackers before they could carry out any further attack.
The attack was launched by a known Iranian actor called Pioneer Kitten, said government officials with the Cyber National Mission Force (CNMF), with the Department of Defense, and Cybersecurity and Infrastructure Security Agency (CISA), with the Department of Homeland Security, at a Monday session at RSA. Pioneer Kitten’s campaign was first detected on the unnamed jurisdiction by CNMF while executing a cyber intelligence, surveillance and reconnaissance mission in foreign space.
“To be clear, this isn’t the infrastructure involved in casting a vote, it isn’t involved in counting a vote, but our concern is always that some type of website defacement or DDoS - something that took the website down or defaced the website, say on the night of the election - could make it look like the vote had been tampered with when that's absolutely not true,” said U.S. Army Maj. Gen. William Hartman, commander with the CNMF, while discussing coordination efforts between U.S. agencies conducting offensive and defensive cyber operations.
Pioneer Kitten, which has been active since at least 2017, has been observed using SSH tunneling and exploits related to VPNs and network appliances in order to access sensitive data. The group has previously targeted North America organizations, including ones in the technology, government, defense, healthcare and manufacturing sectors. In 2020, the group was seen advertising access to compromised networks on an underground forum.
As previous U.S. election cycles have proved, the security challenges facing elections are multi-pronged and include disinformation campaigns aimed at swaying voter opinions, disruptive cybercriminal activity like ransomware or DDoS attacks targeting election-related infrastructure and espionage attacks.
Election security became a national priority when APT28 and APT29 stole data from several targets in the 2016 U.S. presidential election, including the Democratic National Committee, and leaked a large number of related emails online.
Then during the 2020 U.S. presidential election cycle, phishing attacks were detected targeting people and organizations associated with both the Trump and Biden campaigns. The threat actors involved during that election cycle included Strontium, a threat group operating from Russia, Zirconium, operating from China, and Phosphorus, operating from Iran.
After the discovery of the 2020 compromise by Pioneer Kitten, CISA notified the impacted jurisdiction and offered support, while the CNMF carried out cyber operations that ensured the threat actor no longer had access to the network. The main concern was that the impact of a potential cyberattack related to any sort of voting infrastructure could sow doubt over the accuracy of the election, the officials said.
“We were concerned with systems that could weigh on the perception of a potential compromise and that’s why this work was so important, so critical to get ahead of this activity and ensure that the victim’s jurisdiction had all they needed to make sure their systems were safe, secure and resilient well in advance of the election occuring,” said Eric Goldstein, executive assistant director at CISA.
Election security continues to be a concern for private sector and government officials, and during the 2022 November midterm elections, Mandiant said they assessed with “moderate confidence” that cyber threat activity would cause disruptions and divisiveness. Last year, an FBI alert also warned that in 2021 U.S. election officials and other state and local government officials had received invoice-themed phishing emails aiming to steal their credentials in what was described as a “coordinated, ongoing effort to target US election officials.”
Hartman and Goldstein cited several other examples of CNMF and CISA working together to assist in the disruption of large-scale cyber operations by threat actors, including responses to the targeting of three unnamed federal agencies, the SolarWinds attack and the Hafnium threat group exploiting Microsoft Exchange vulnerabilities.
CNMF supports U.S. Cyber Command across various national priorities like election security, ransomware and espionage campaigns. CISA, meanwhile, has offered support, tools and free training for the state and local officials accountable for safeguarding election infrastructure that must work with limited resources and capacity.
This collaboration is important for securing election infrastructure: “We want to make sure we are supporting [state and local] officials, but also working to get ahead of adversaries,” said Goldstein. “Ideally we can get ahead of negative events before they happen.”