Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

10/23/2020
04:30 PM
Flurry of Warnings Highlight Cyber Threats to US Elections

FBI and intelligence officials issue fresh warnings about election interference attempts by Iranian and Russian threat actors.

A flurry of alerts from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) this week heightened the already pervasive concerns around influence campaigns and cyber threats to US election systems from foreign actors.

In an unusual and brief press conference late Wednesday, Director of National Intelligence John Ratcliffe along with FBI Director Christopher Wray warned Americans about Iranian actors sending spoofed emails to voters in some states in an apparent attempt to intimidate them. Ratcliffe said the Iranian actors had managed to obtain some voter registration data, which they were using to "cause confusion, sow chaos, and undermine your confidence in American democracy."

He also described them as distributing a video and other content online for the same purpose. Certain Russian-based actors, too, have separately obtained some US voter registration data, but so far, they don't appear to have used it the same way that the Iranian groups have, Ratcliffe said.

On Thursday, CISA updated an earlier advisory warning about a Russia-backed threat group called Energetic Bear — and several other names including Berserk Bear and Dragonfly — that has targeted dozens of US state, local, territorial, and tribal government networks since September 2020. As of October 1, the group has managed to exfiltrate data from at least two servers, CISA said. Evidence suggests that the threat group is trying to collect data to conduct future influence operations. Though it poses some risk to US election systems, there is nothing to suggest that election data has been compromised, CISA said.

Researchers from FireEye's Mandiant threat intelligence group this week described the Russian threat actor — tracked by the firm as TEMP.Isotope — as having successfully breached systems at energy providers, water infrastructure companies, and airports in the US and EU. So far, the group has done little damage with its access and is likely compromising these systems for potential future attacks or as a warning, according to Mandiant.

"We believe they are acting in support of Russian interests and while we cannot confirm them, media reporting that they are a Russian intelligence agency is consistent with the operations we have uncovered," says Ben Read, senior manager of analysis at Mandiant.

Read says Mandiant has observed Russian groups compromise multiple state and local government systems, some of which have contained some election-related data. "In the specific situations where Mandiant has uncovered activity, we do not believe the actor still has access," he says.

"However, in a general sense, once a malicious actor has access to a system," he adds, "they can install whatever malware they wish, and similarly, once information is taken from a network, it can be used for private information or publicized."

Iranian Activity
Meanwhile, another CISA advisory, also on Thursday, warned about Iran-sponsored advanced persistent threat groups breaking into a significant number of US-based networks by exploiting multiple vulnerabilities — most notably, a remote code execution flaw in the Traffic Management User Interface of F5 Networks' BIG-IP products (CVE-2020-5902) and a cryptographic weakness in web applications built on Telerik UI for ASP.NET AJAX (CVE-2017-9248). "Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns," CISA said.
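The two bugs CISA singles out have well-documented, easily recognised request patterns, so a defender can hunt for exploitation attempts in ordinary web-server access logs. The following is an added example, not code from the article, CISA, F5 or Telerik: it scans combined-format log lines for requests under /tmui/ that carry the `..;/` path trick used against CVE-2020-5902 (checking percent-encoded variants too), and for a single source firing many requests at Telerik.Web.UI.DialogHandler.aspx with varying `dp` values, which is what the CVE-2017-9248 encryption-key brute force looks like from the server side. The sample log lines, IP addresses and the 50-request threshold are constructed assumptions for illustration.

```python
"""Access-log heuristics for the two CVEs named in the CISA advisory.

Added example, not code from Dark Reading, CISA, F5 or Telerik. The request
patterns are the publicly documented exploitation paths; the log lines,
addresses and the brute-force threshold are constructed assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs): a benign TMUI login, two
# CVE-2020-5902 attempts (one percent-encoded), one legitimate Telerik request,
# and a 60-request DialogHandler flood from a single source.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [22/Oct/2020:03:14:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Oct/2020:03:14:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1812 "-" "python-requests/2.24"',
    '198.51.100.9 - - [22/Oct/2020:03:15:10 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user HTTP/1.1" 200 912 "-" "curl/7.68.0"',
    '198.51.100.20 - - [22/Oct/2020:03:15:30 +0000] "GET /Telerik.Web.UI.DialogHandler.aspx?dp=Wm9v HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
] + [
    # Constructed CVE-2017-9248 key brute force: one source, many dp values.
    f'192.0.2.44 - - [22/Oct/2020:03:16:{i:02d} +0000] "GET /Telerik.Web.UI.DialogHandler.aspx?dp={i:04x} HTTP/1.1" 200 300 "-" "Mozilla/5.0"'
    for i in range(60)
])


def _decoded_path(target: str) -> str:
    """Percent-decode the path twice so ..%3B/ and ..%253B/ both become ..;/."""
    return unquote(unquote(urlsplit(target).path)).lower()


def is_f5_tmui_traversal(target: str) -> bool:
    """CVE-2020-5902: a request under /tmui/ whose path contains the '..;/'
    Tomcat path-parameter trick that steps around the TMUI login check."""
    path = _decoded_path(target)
    return path.startswith("/tmui/") and "..;/" in path


def is_telerik_dialoghandler_probe(target: str) -> bool:
    """CVE-2017-9248: a request to Telerik.Web.UI.DialogHandler.aspx with a dp
    parameter. One such request is normal application traffic; a flood of them
    from one source is the DialogParametersEncryptionKey brute force."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("telerik.web.ui.dialoghandler.aspx"):
        return False
    return "dp" in parse_qs(parts.query)


def analyze(log_text: str, telerik_threshold: int = 50) -> dict:
    """Scan combined-format log text.

    Returns every TMUI traversal hit as (ip, target), and the sources whose
    DialogHandler request count reached telerik_threshold. The threshold is
    an assumed tuning value, not a vendor figure; the real brute force needs
    far more requests, so 50 is deliberately conservative.
    """
    tmui_hits = []
    telerik_counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, target = m.group("ip"), m.group("target")
        if is_f5_tmui_traversal(target):
            tmui_hits.append((ip, target))
        if is_telerik_dialoghandler_probe(target):
            telerik_counts[ip] += 1
    flood = {ip: n for ip, n in telerik_counts.items() if n >= telerik_threshold}
    return {"tmui_traversal": tmui_hits, "telerik_bruteforce": flood}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, target in result["tmui_traversal"]:
        print(f"CVE-2020-5902 attempt from {ip}: {target}")
    for ip, n in result["telerik_bruteforce"].items():
        print(f"CVE-2017-9248 key brute force suspected from {ip}: {n} DialogHandler requests")
```

Two caveats a practitioner should keep in mind: a 200 response to a `/tmui/...;/...` request is the signal that matters most, since a patched or mitigated BIG-IP returns an error for those paths; and the DialogHandler count should be computed per time window in production, because a busy CMS can legitimately hit that handler many times a day from a single proxy address.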

While such attacks could potentially render election systems temporarily unavailable to election officials and voters, they would not prevent voting or the reporting of results, CISA noted.

The alerts, just days before what is shaping up to be the most closely watched general election in recent history, are sure to add to concerns over interference and threats to election integrity from foreign actors.

Since the last presidential election in 2016, election officials have put considerable effort into securing election systems and processes. DHS, through CISA, has made numerous resources available to help state and local election officials secure election systems. Its services include those designed to help election officials conduct cybersecurity assessments, identify and mitigate potential threats, and implement an incident response capability. In recent weeks, the US government has also handed down multiple indictments against individuals and threat groups, from Iran and Russia in particular, that have had a nexus to election-meddling efforts.

Even so, security experts and watchdog groups have warned about continuing vulnerabilities in US election infrastructure and voting systems — especially voter registration databases and election management systems. A recent ransomware attack against systems belonging to the Hall County government in Georgia that also affected a voter registration database is one example of why such concerns exist.

There's concern also that influence operations and attacks on election systems by foreign actors — whether successful or not — will seriously undermine voter confidence and trust in the integrity of the results.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...