Perimeter | Commentary
4/22/2012 06:38 PM
Tom Parker

2012 U.S. Election And Targeted Attack Predictions

How the increased level and sophistication of targeted attacks since 2008 may impact this year's U.S. Presidential election campaigns

No, I don't mean predictions for the outcome of the 2012 U.S. Presidential election: we'll leave that to the talking heads. But I wanted to spend a moment reflecting on the past few years of politically motivated advanced threat activity, specifically the activity surrounding significant events such as national elections.

As you may recall, during the 2008 U.S. elections both the McCain and Obama camps suffered compromises of email and the theft of sensitive documents from the systems of campaign staffers, covering campaign strategy and the political positions of each camp. This was by no means an isolated event in the world of political espionage. More recently, in late 2010, computer systems belonging to French finance ministry employees charged with organizing the G-20 summit were reported compromised, as were systems belonging to the Canadian finance ministry, which had hosted the G-20 the year before.

In both the 2008 Presidential election and the G-20 incidents, sources familiar with the events have claimed the involvement of foreign intelligence agencies, with some going so far as to implicate China.

Without getting too wound around the axle over who did what, there is a clear strategic advantage to this form of politically motivated espionage, and it is no stretch to imagine many of the same groups that spend much of their time stealing intellectual property to boost their countries' industrial competitiveness turning some of their attention toward significant political events. This has, of course, been going on for years through phone taps, well-placed insiders, and other means of clandestine information gathering. The adaptation of spear-phishing and other tried-and-tested cybertactics for this purpose should come as no surprise, especially in today's world of the technology-dependent, social-media-savvy political campaign.

So what does this mean for the 2012 U.S. Presidential election? The 2008 election was the first time we really saw (publicly, at least) the pervasive use of offensive cybertactics against both U.S. Presidential candidates' campaigns, for the clear purpose of gathering intelligence on the positions each individual would likely take should they win the Presidency.

This tracks almost one-to-one with the significant increase in data-theft-oriented targeted attacks against U.S. industry over the past six years, which in 2008, let alone in 2004 (two elections ago), were nowhere close to today's observed levels. Since U.S. Presidential elections happen only every four years, and things have changed a great deal in the past four, we can in all likelihood use the trend in targeted attacks against U.S. industry over the past eight years to project what this year's Presidential campaigns may be facing. It doesn't look pretty.

In contrast to 2008, targeted attacks have become far more organized in their execution and sophisticated in their use of technological capabilities.

While many organizations are still falling victim to smash-and-grab style cyberattacks, recent years have shown that many "APT-style" actor groups have developed a greater ability to intrude, persist, and exfiltrate in a far more surgical and technically sophisticated manner. So, should our foes on the other side of the monitors see this year's election as a big enough deal, both the incumbent's and the GOP candidate's campaigns in particular may see key staff members targeted with a level of tenacity and precision not previously observed.

All four of this year's GOP candidates have stated strong positions on hot-button foreign affairs issues (namely China and Iran), two of the nations seen by some as the most active, or at least aspiring to be the most active, in the cyberrealm. Even before a formal nomination at the RNC this summer, comments made on the campaign trail have likely generated a great deal of interest from both countries (and others) in what the GOP candidate may do within the first 180 days of their presidency should they win. Such an attack against either party's campaign would likely follow the approach seen in recent attacks against U.S. industry: a significant preparatory intelligence-gathering effort, culminating in a spear-phish against an individual or a small group of individuals within the candidate's camp. The phish would likely appear to come from a colleague, a campaign donor, or someone else of importance to the recipient, on a topic the target is familiar with, or would even pose as a specific communication the target is expecting to receive.

Technology-wise, my money would be on a file-format vulnerability, most likely in an MS Office file or a PDF, or at least an exploit delivered through one of those formats (as in the 2011 RSA breach, where a Flash exploit was embedded in an Excel spreadsheet). Drive-by downloads or a malicious link are a possibility, but are less effective in a more targeted scenario. Infrastructure attacks are unlikely, at least as an initial entry vector, given how geographically dispersed a political campaign is, with the possible exception of the campaign headquarters.
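The pattern in the two paragraphs above (a familiar sender name, an expected topic, an Office or PDF attachment as the exploit carrier) is mechanical enough to triage at the mail gateway. The script below is an added example, not the author's or any campaign's tooling: it parses raw messages with Python's standard `email` package and flags display-name impersonation, lookalike sender domains, Reply-To diversion, and document attachments from outside the campaign. The campaign domain `example-campaign.org`, the sender roster, and the three sample messages are constructed for illustration.

```python
"""Triage inbound mail for the spear-phish pattern described above.

Added example, not the article author's or any campaign's tooling.  The
campaign domain, the sender roster and the sample messages are
constructed fixtures, not real captures.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

CAMPAIGN_DOMAIN = "example-campaign.org"        # assumed campaign mail domain
KNOWN_SENDERS = {                              # assumed roster: display name -> real address
    "Jane Doe": "jane.doe@example-campaign.org",
    "Acme Donor Fund": "contact@acmedonorfund.example",
}
# The file formats the article singles out as likely exploit carriers.
DOCUMENT_SUFFIXES = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm",
                     ".ppt", ".pptx", ".pps", ".pdf"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return the spear-phish indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(addr)
    external = sender_domain != CAMPAIGN_DOMAIN
    findings = []

    # 1. A familiar display name attached to an address we do not know.
    expected = KNOWN_SENDERS.get(name)
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name {name!r} belongs to {expected}, not {addr}")

    # 2. A sender domain one or two typos away from the campaign's own.
    if external and sender_domain and edit_distance(sender_domain, CAMPAIGN_DOMAIN) <= 2:
        findings.append(f"sender domain {sender_domain} is a lookalike of {CAMPAIGN_DOMAIN}")

    # 3. Replies silently redirected to a different domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {sender_domain}")

    # 4. Office/PDF attachments from outside, or a document name hiding another extension.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(fname).suffixes]
        if not suffixes:
            continue
        if suffixes[-1] in DOCUMENT_SUFFIXES and external:
            findings.append(f"document attachment {fname} from external sender {addr}")
        elif len(suffixes) > 1 and suffixes[-2] in DOCUMENT_SUFFIXES:
            findings.append(f"attachment {fname} looks like a document but ends in {suffixes[-1]}")

    return {"from": addr, "findings": findings, "suspicious": bool(findings)}


def build_sample(sender, subject, attachment=None, reply_to=None) -> bytes:
    """Construct a sample message (test fixture, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = f"staffer@{CAMPAIGN_DOMAIN}"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Attached as discussed, please review before tomorrow's call.")
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


SAMPLES = {
    "internal": build_sample(f"Jane Doe <jane.doe@{CAMPAIGN_DOMAIN}>",
                             "Debate prep notes", "debate-prep.docx"),
    "impersonation": build_sample("Jane Doe <jane.doe@example-campa1gn.org>",
                                  "Re: Debate prep notes", "debate-prep-v2.docx"),
    "donor_redirect": build_sample("Acme Donor Fund <contact@acmedonorfund.example>",
                                   "Pledge confirmation", "pledge.pdf.exe",
                                   reply_to="contact@mail-relay.example"),
}


def run_samples() -> dict:
    """Triage every constructed sample; returns {label: triage result}."""
    return {label: triage(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The internal message produces no findings even though it carries a .docx, because a document from a verified campaign address is routine; the lookalike-domain message trips three checks at once, and the donor message is caught on the Reply-To diversion and the disguised executable alone. Checks of this kind complement, rather than replace, sandbox detonation of the attachment itself, since a genuine exploit document from a compromised colleague's real account would pass every header test here.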

I would really hope that the U.S. Secret Service and the Obama and prospective GOP campaigns are treating the possibility of such an attack seriously. My nutshell recommendation to both campaigns would be that, in addition to protecting campaign IT assets, campaign staff members should be trained in good security hygiene, including awareness training to reduce the risk that someone inadvertently clicks a bad link, opens a suspicious file, or uses a personal email account or laptop to store, transmit, or receive sensitive campaign materials.

Past public disclosures about the compromises during the 2008 election revealed heavy use of personal email accounts for campaign purposes, which of course sat outside the purview of any efforts campaign management may have been making to shore up official equipment.

Time will tell the specifics of what does and does not happen. However, October 2012 will certainly be an important milestone, not just for U.S. politics, but also for tracking the growing place of cyberespionage as a political tool in the state-level adversary's tool chest.

Tom Parker is Chief Technology Officer at FusionX.
