Dark Reading is part of the Informa Tech Division of Informa PLC
10/23/2020
Flurry of Warnings Highlight Cyber Threats to US Elections

FBI and intelligence officials issue fresh warnings about election interference attempts by Iranian and Russian threat actors.

A flurry of alerts from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) this week heightened the already pervasive concerns around influence campaigns and cyber threats to US election systems from foreign actors.

In an unusual and brief press conference late Wednesday, Director of National Intelligence John Ratcliffe along with FBI Director Christopher Wray warned Americans about Iranian actors sending spoofed emails to voters in some states in an apparent attempt to intimidate them. Ratcliffe said the Iranian actors had managed to obtain some voter registration data, which they were using to "cause confusion, sow chaos, and undermine your confidence in American democracy."

He also described them as distributing a video and other content online for the same purpose. Certain Russian-based actors, too, have separately obtained some US voter registration data, but so far, they don't appear to have used it the same way that the Iranian groups have, Ratcliffe said.

On Thursday, CISA updated an earlier advisory warning about a Russia-backed threat group called Energetic Bear — and several other names including Berserk Bear and Dragonfly — that has targeted dozens of US state, local, territorial, and tribal government networks since September 2020. As of October 1, the group has managed to exfiltrate data from at least two servers, CISA said. Evidence suggests that the threat group is trying to collect data to conduct future influence operations. Though it poses some risk to US election systems, there is nothing to suggest that election data has been compromised, CISA said.

Researchers from FireEye's Mandiant threat intelligence group this week described the Russian threat actor — tracked by the firm as TEMP.Isotope — as having successfully breached systems at energy providers, water infrastructure companies, and airports in the US and EU. So far, the group has done little damage with its access and is likely compromising these systems for potential future attacks or as a warning, according to Mandiant.

"We believe they are acting in support of Russian interests and while we cannot confirm them, media reporting that they are a Russian intelligence agency is consistent with the operations we have uncovered," says Ben Read, senior manager of analysis at Mandiant.

Read says Mandiant has observed Russian groups compromise multiple state and local government systems, some of which have contained some election-related data. "In the specific situations where Mandiant has uncovered activity, we do not believe the actor still has access," he says.

"However, in a general sense, once a malicious actor has access to a system," he adds, "they can install whatever malware they wish, and similarly, once information is taken from a network, it can be used for private information or publicized."

Iranian Activity
Meanwhile, another CISA advisory, also on Thursday, warned about Iran-sponsored advanced persistent threat groups breaking into a significant number of US-based networks by exploiting multiple vulnerabilities — most notably, one in products from F5 Networks (CVE-2020-5902) and another in web applications using Telerik UI (CVE-2017-9248). "Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns," CISA said.

While such attacks could temporarily render election systems unavailable to election officials and voters, they would not prevent voting or the reporting of results, CISA noted.

The alerts, just days before what is shaping up to be the most closely watched general election in recent history, are sure to add to concerns over interference and threats to election integrity from foreign actors.

Since the last presidential election in 2016, election officials have put considerable effort into securing election systems and processes. DHS, through CISA, has made numerous resources available to help state and local election officials secure election systems. Its services include those designed to help election officials conduct cybersecurity assessments, identify and mitigate potential threats, and implement an incident response capability. In recent weeks, the US government has also handed down multiple indictments against individuals and threat groups — from Iran and Russia, in particular — that have had a nexus to election-meddling efforts.

Even so, security experts and watchdog groups have warned about continuing vulnerabilities in US election infrastructure and voting systems — especially voter registration databases and election management systems. A recent ransomware attack against systems belonging to the Hall County government in Georgia that also affected a voter registration database is one example of why such concerns exist.

There's concern also that influence operations and attacks on election systems by foreign actors — whether successful or not — will seriously undermine voter confidence and trust in the integrity of the results.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...