Perimeter
4/22/2012
06:38 PM
Tom Parker
Commentary

2012 U.S. Election And Targeted Attack Predictions

How the increased level and sophistication of targeted attacks since 2008 may impact this year's U.S. Presidential election campaigns

No, I don't mean predictions for the outcome of the 2012 U.S. Presidential election: We'll leave that up to the talking heads. But I wanted to spend a moment to reflect on the past few years of politically motivated advanced threat activities -- specifically those surrounding significant events such as national elections.

As you may recall during the 2008 U.S. elections, the McCain and Obama camps suffered compromises of both email and the theft of sensitive documents from the systems of campaign staffers relating to campaign strategy and the political positions of both respective camps. This was by no means an isolated event in the world of political espionage. A little more recently, in late 2010, computer systems relating to French finance ministry employees charged with organizing the G-20 summit were reported compromised, as were systems relating to the Canadian finance ministry, who hosted the G-20 the year before.

In both the case of the 2008 Presidential election and G-20 incidents, sources familiar with the events have claimed the involvement of foreign intelligence agencies, with some even going as far as implicating China.

Without getting too wound around the axle with regard to who did what, there is a clear strategic advantage to this form of politically motivated espionage, and it's certainly no stretch to imagine many of the same groups who spend much of their time stealing intellectual property to boost their countries' industrial competitiveness turning some of their attention toward significant political events. This has, of course, been going on for years, through phone-taps, well-placed insiders, and other means of clandestine information gathering. The adaptation of spear-phishing and other tried-and-tested cybertactics for this purpose should really come as no surprise, especially in today's world of the technology-dependent, social media-savvy political campaign.

So what does this mean for the 2012 U.S. Presidential election? Well, the 2008 election was the first time we really saw (publicly, at least), the pervasive use of offensive cybertactics for the targeting of both U.S. Presidential candidates' campaigns for the clear purpose of gathering intelligence on the likely positions of both individuals should they win their respective bid for the Presidency.

This trends almost one-to-one with the significant increase in data theft-oriented targeted attacks we have seen in the past six years against U.S. industry, which in 2008, let alone in 2004 (or two elections ago), was nowhere close to today's observed levels. Since U.S. Presidential elections are only every four years and things have changed a lot in the past four years, we can in all likelihood use the trends in targeted attacks against U.S. industry over the past eight years to project what this year's Presidential campaigns may be facing -- and it doesn't look pretty.

In contrast to 2008, targeted attacks have become far more organized in their execution and sophisticated in their use of technological capabilities.

While many organizations are still falling victim to smash-and-grab style cyberattacks, recent years have shown that many "APT-style" actor groups have demonstrated a greater ability to intrude, persist, and exfiltrate in a far more surgical and technically sophisticated manner. So, should our foes on the other side of the monitors see this year's election as a big enough deal, both the incumbent and the GOP candidate in particular may see their key staff members targeted with a level of tenacity and precision not previously observed.

All four of this year's GOP candidates have stated strong positions on hot-button foreign affairs issues (a.k.a. China and Iran), two of the nations that are seen by some as being the most active, or at least aspiring to be the most active, in the cyberrealm. Even before a formal nomination at the RNC this summer, comments made on the campaign trail have likely generated a great deal of interest from both countries (and others) as to what the GOP candidate may do within the first 180 days of their presidency should they win. Such an attack against either party's campaign would likely adopt a similar approach to recent attacks against U.S. industry. This would incorporate a significant preparatory intelligence-gathering effort, culminating in a spear-phish against an individual or small group of individuals within the candidate's camp. The phish would likely appear to come from a colleague, campaign donor, or otherwise someone of importance to the recipient, on a topic that the target is familiar with, or even be a specific communication that the target is expecting to receive.

Technology-wise, my money would be on a file format vulnerability, likely in an MS Office file, PDF, or at least manifested through one of the above (a la RSA). Drive-by downloads or a bad link are a possibility, but not as effective in a more targeted scenario. Infrastructure attacks are unlikely, at least as an initial entry vector due to the sparsely distributed nature of a political camp -- with perhaps the exception of the campaign headquarters.

I would really hope that the U.S. Secret Service, the Obama campaign, and the prospective GOP campaigns are treating the possibility of such an attack seriously. My nutshell recommendation to both campaigns would be that, in addition to protecting campaign IT assets, campaign staff members should be trained on good security hygiene, including awareness training to reduce the risk that someone may inadvertently click a bad link, open a suspicious file, or use a personal email account or laptop to store, transmit, or receive sensitive campaign materials.

Past public disclosures regarding compromises during the 2008 election revealed the heavy use of personal email accounts for campaign purposes, which of course were outside of the purview of any efforts that campaign management may have been making to shore up official equipment.

Time will tell the specifics of what does and does not happen. However, October 2012 will certainly be an important milestone, not just for U.S. politics, but also in tracking the growing place of cyberespionage as a political tool in the state-level adversary's tool chest.

Tom Parker is Chief Technology Officer at FusionX.
