Perimeter
4/22/2012 06:38 PM
Tom Parker
Commentary

2012 U.S. Election And Targeted Attack Predictions

How the increased level and sophistication of targeted attacks since 2008 may impact this year's U.S. Presidential election campaigns

No, I don't mean predictions for the outcome of the 2012 U.S. Presidential election: We'll leave that up to the talking heads. But I wanted to spend a moment to reflect on the past few years of politically motivated advanced threat activities -- specifically those surrounding significant events such as national elections.

As you may recall, during the 2008 U.S. elections both the McCain and Obama camps suffered email compromises and the theft of sensitive documents from campaign staffers' systems relating to campaign strategy and the political positions of the respective camps. This was by no means an isolated event in the world of political espionage. More recently, in late 2010, computer systems of French finance ministry employees charged with organizing the G-20 summit were reported compromised, as were systems of the Canadian finance ministry, which had hosted the G-20 the year before.

In both the case of the 2008 Presidential election and G-20 incidents, sources familiar with the events have claimed the involvement of foreign intelligence agencies, with some even going as far as implicating China.

Without getting too wound around the axle over who did what, there is a clear strategic advantage to this form of politically motivated espionage, and it's no stretch to imagine many of the same groups who spend much of their time stealing intellectual property to boost their countries' industrial competitiveness turning some of their attention toward significant political events. This has, of course, been going on for years, through phone taps, well-placed insiders, and other means of clandestine information gathering. The adaptation of spear-phishing and other tried-and-tested cybertactics for this purpose should really come as no surprise, especially in today's world of the technology-dependent, social-media-savvy political campaign.

So what does this mean for the 2012 U.S. Presidential election? Well, the 2008 election was the first time we really saw (publicly, at least) the pervasive use of offensive cybertactics against both U.S. Presidential candidates' campaigns, for the clear purpose of gathering intelligence on the likely positions of each individual should they win their bid for the Presidency.

This tracks almost one-to-one with the significant increase in data theft-oriented targeted attacks against U.S. industry over the past six years; the level seen in 2008, let alone in 2004 (two elections ago), was nowhere close to today's. Since U.S. Presidential elections come only every four years, and a lot has changed in the past four, we can in all likelihood use the trends in targeted attacks against U.S. industry over the past eight years to project what this year's Presidential campaigns may be facing -- and it doesn't look pretty.

In contrast to 2008, targeted attacks have become far more organized in their execution and sophisticated in their use of technological capabilities.

While many organizations are still falling victim to smash-and-grab style cyberattacks, recent years have shown that many "APT-style" actor groups can intrude, persist, and exfiltrate in a much more surgical and technically sophisticated manner. So should our foes on the other side of the monitors judge this year's election to be a big enough deal, both the incumbent's and the GOP candidate's campaigns may see the targeting of key staff members with a level of tenacity and precision not previously observed.

All four of this year's GOP candidates have stated strong positions on hot-button foreign affairs issues (namely China and Iran), two of the nations seen by some as the most active, or at least aspiring to be the most active, in the cyberrealm. Even before a formal nomination at the RNC this summer, comments made on the campaign trail have likely generated a great deal of interest from both countries (and others) as to what the GOP candidate might do within the first 180 days of their presidency should they win. Such an attack against either party's campaign would likely follow the approach of recent attacks against U.S. industry: a significant preparatory intelligence-gathering effort, culminating in a spear-phish against an individual or a small group of individuals within the candidate's camp. The phish would likely appear to come from a colleague, campaign donor, or someone else of importance to the recipient, on a topic the target is familiar with, or even as a specific communication the target is expecting to receive.

Technology-wise, my money would be on a file format vulnerability, most likely in an MS Office file or a PDF, or at least delivered through one of them (as in the RSA breach, where the exploit rode inside an Excel spreadsheet). Drive-by downloads or a bad link are a possibility, but they are less effective in a more targeted scenario. Infrastructure attacks are unlikely, at least as an initial entry vector, given the sparsely distributed nature of a political camp, with the possible exception of the campaign headquarters.

I would really hope that the U.S. Secret Service and the Obama and prospective GOP campaigns are treating the possibility of such an attack seriously. My nutshell recommendation to both campaigns would be that, in addition to protecting campaign IT assets, campaign staff members should be trained in good security hygiene, including awareness training to reduce the risk that someone inadvertently clicks a bad link, opens a suspicious file, or uses a personal email account or laptop to store, transmit, or receive sensitive campaign materials.

Past public disclosures regarding compromises during the 2008 election revealed the heavy use of personal email accounts for campaign purposes, which of course were outside of the purview of any efforts that campaign management may have been making to shore up official equipment.
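The spear-phish pattern described above (a lure that appears to come from a colleague, carries an Office or PDF document, and may be routed through a personal webmail account) is something a campaign's mail administrator can triage mechanically, and the same pass surfaces the personal-account usage that the 2008 disclosures revealed. The script below is an added example written for this page, not the author's or any campaign's code; it uses only Python's standard email library and assumes a constructed campaign domain (campaign.example), a one-name staff directory, a short list of webmail domains, and the leading bytes of common document formats. The three messages it builds are constructed for the example, not real traffic.

```python
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Constructed assumptions standing in for a real staff directory: the campaign's
# mail domain, its staff, and the webmail domains that count as "personal".
CAMPAIGN_DOMAIN = "campaign.example"
KNOWN_STAFF = {"Jane Staffer": "jane.staffer@campaign.example"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}

# Leading bytes a file with the given extension should carry; a document whose
# bytes do not match its name (an OLE2 container called .pdf) deserves a look.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".pdf": b"%PDF", ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2,
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> list[str]:
    """Return one finding per suspicious trait of a single RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))

    # 1. A colleague's display name on an address that is not the colleague's.
    expected = KNOWN_STAFF.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' <{addr}>")

    # 2. A look-alike sender domain: contains the campaign's name but is not it.
    sender_domain = _domain(addr)
    if sender_domain != CAMPAIGN_DOMAIN and CAMPAIGN_DOMAIN.split(".")[0] in sender_domain:
        findings.append(f"look-alike sender domain: {sender_domain}")

    # 3. Replies steered somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to diverges from sender: {reply_to}")

    # 4. Personal webmail on either end of campaign traffic.
    for hdr in ("From", "Reply-To", "To", "Cc"):
        for _, a in getaddresses(msg.get_all(hdr, [])):
            if _domain(a) in PERSONAL_WEBMAIL:
                findings.append(f"personal webmail in {hdr}: {a}")

    # 5. Document attachments, and whether their bytes match their name.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = os.path.splitext(fname)[1].lower()
        if ext not in MAGIC:
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(MAGIC[ext]):
            findings.append(f"document attachment: {fname}")
        else:
            findings.append(f"attachment '{fname}' does not look like {ext}")
    return findings


def _message(headers: dict, body: str, attachment: tuple) -> bytes:
    """Build a constructed message with one binary attachment."""
    msg = EmailMessage()
    for k, v in headers.items():
        msg[k] = v
    msg.set_content(body)
    fname, data = attachment
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=fname)
    return msg.as_bytes()


def build_samples() -> dict[str, bytes]:
    """Three constructed messages (not real traffic) to run triage() over."""
    return {
        # A staffer sending a genuine PDF from the campaign domain.
        "benign": _message(
            {"From": "Jane Staffer <jane.staffer@campaign.example>",
             "To": "bob@campaign.example", "Subject": "Q3 field office budget"},
            "Draft attached.", ("budget.pdf", b"%PDF-1.4\n% constructed stub")),
        # The lure: Jane's name on a look-alike domain, replies steered to
        # webmail, and a "PDF" that is really an OLE2 container.
        "lure": _message(
            {"From": "Jane Staffer <jane.staffer@mail-campaign.example>",
             "Reply-To": "jstaffer2012@gmail.com", "To": "bob@campaign.example",
             "Subject": "Re: Q3 field office budget"},
            "Updated version you asked for.", ("budget_v2.pdf", OLE2 + b"\x00" * 16)),
        # Campaign material moving through a volunteer's personal account.
        "personal": _message(
            {"From": "Bob Volunteer <bob.volunteer@gmail.com>",
             "To": "jane.staffer@campaign.example", "Subject": "Strategy memo"},
            "See attached.", ("strategy_memo.docx", b"PK\x03\x04" + b"\x00" * 16)),
    }
```

Run `triage()` over each entry of `build_samples()`: the benign message produces only the informational attachment line, the lure trips the impersonation, look-alike domain, reply-to, webmail and magic-byte checks, and the volunteer's message is flagged for moving a campaign document through a personal account. None of these checks needs a malware signature; they key on the traits the lure must have to do its job, which is why a mailbox-level pass like this is cheap to keep running through a campaign season.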

Time will tell the specifics of what does and does not happen. However, October 2012 will certainly be an important milestone, not just for U.S. politics but also in tracking the growing place of cyberespionage as a political tool in the state-level adversary's tool chest.

Tom Parker is Chief Technology Officer at FusionX.
