A flurry of alerts from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) this week heightened the already pervasive concerns around influence campaigns and cyber threats to US election systems from foreign actors.
In an unusual and brief press conference late Wednesday, Director of National Intelligence John Ratcliffe along with FBI Director Christopher Wray warned Americans about Iranian actors sending spoofed emails to voters in some states in an apparent attempt to intimidate them. Ratcliffe said the Iranian actors had managed to obtain some voter registration data, which they were using to "cause confusion, sow chaos, and undermine your confidence in American democracy."
He also described them as distributing a video and other content online for the same purpose. Certain Russian-based actors, too, have separately obtained some US voter registration data, but so far, they don't appear to have used it the same way that the Iranian groups have, Ratcliffe said.
On Thursday, CISA updated an earlier advisory warning about a Russia-backed threat group known as Energetic Bear (and by several other names, including Berserk Bear and Dragonfly) that has targeted dozens of US state, local, territorial, and tribal government networks since September 2020. As of October 1, the group had managed to exfiltrate data from at least two servers, CISA said. Evidence suggests that the threat group is collecting data to conduct future influence operations. Though it poses some risk to US election systems, there is nothing to suggest that election data has been compromised, CISA said.
Researchers from FireEye's Mandiant threat intelligence group this week described the Russian threat actor — tracked by the firm as TEMP.Isotope — as having successfully breached systems at energy providers, water infrastructure companies, and airports in the US and EU. So far, the group has done little damage with its access and is likely compromising these systems for potential future attacks or as a warning, according to Mandiant.
"We believe they are acting in support of Russian interests and while we cannot confirm them, media reporting that they are a Russian intelligence agency is consistent with the operations we have uncovered," says Ben Read, senior manager of analysis at Mandiant.
Read says Mandiant has observed Russian groups compromise multiple state and local government systems, some of which have contained some election-related data. "In the specific situations where Mandiant has uncovered activity, we do not believe the actor still has access," he says.
"However, in a general sense, once a malicious actor has access to a system," he adds, "they can install whatever malware they wish, and similarly, once information is taken from a network, it can be used for private information or publicized."
Meanwhile, another CISA advisory, also on Thursday, warned about Iran-sponsored advanced persistent threat groups breaking into a significant number of US-based networks by exploiting multiple vulnerabilities — most notably, one in products from F5 Networks (CVE-2020-5902) and another in web applications using Telerik UI (CVE-2017-9248). "Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns," CISA said.
While such attacks could potentially render election systems temporarily unavailable to election officials and voters, they would not prevent voting or the reporting of results, CISA noted.
The alerts, just days before what is shaping up to be the most closely watched general election in recent history, are sure to add to concerns over interference and threats to election integrity from foreign actors.
Since the last presidential election in 2016, election officials have put considerable effort into securing election systems and processes. DHS, through CISA, has made numerous resources available to help state and local election officials secure election systems. Its services include those designed to help election officials conduct cybersecurity assessments, identify and mitigate potential threats, and implement an incident response capability. In recent weeks, the US government has also handed down multiple indictments against individuals and threat groups — from Iran and Russia, in particular — linked to election-meddling efforts.
Even so, security experts and watchdog groups have warned about continuing vulnerabilities in US election infrastructure and voting systems — especially voter registration databases and election management systems. A recent ransomware attack against systems belonging to the Hall County government in Georgia that also affected a voter registration database is one example of why such concerns exist.
There is also concern that influence operations and attacks on election systems by foreign actors — whether successful or not — will seriously undermine voter confidence and trust in the integrity of the results.