Dark Reading is part of the Informa Tech Division of Informa PLC


Flurry of Warnings Highlight Cyber Threats to US Elections

FBI and intelligence officials issue fresh warnings about election interference attempts by Iranian and Russian threat actors.

A flurry of alerts from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) this week heightened the already pervasive concerns around influence campaigns and cyber threats to US election systems from foreign actors.

In an unusual and brief press conference late Wednesday, Director of National Intelligence John Ratcliffe along with FBI Director Christopher Wray warned Americans about Iranian actors sending spoofed emails to voters in some states in an apparent attempt to intimidate them. Ratcliffe said the Iranian actors had managed to obtain some voter registration data, which they were using to "cause confusion, sow chaos, and undermine your confidence in American democracy."


He also described them as distributing a video and other content online for the same purpose. Certain Russian-based actors, too, have separately obtained some US voter registration data, but so far, they don't appear to have used it the same way that the Iranian groups have, Ratcliffe said.

On Thursday, CISA updated an earlier advisory warning about a Russia-backed threat group called Energetic Bear — and several other names including Berserk Bear and Dragonfly — that has targeted dozens of US state, local, territorial, and tribal government networks since September 2020. As of October 1, the group has managed to exfiltrate data from at least two servers, CISA said. Evidence suggests that the threat group is trying to collect data to conduct future influence operations. Though it poses some risk to US election systems, there is nothing to suggest that election data has been compromised, CISA said.

Researchers from FireEye's Mandiant threat intelligence group this week described the Russian threat actor — tracked by the firm as TEMP.Isotope — as having successfully breached systems at energy providers, water infrastructure companies, and airports in the US and EU. So far, the group has done little damage with its access and is likely compromising these systems for potential future attacks or as a warning, according to Mandiant.

"We believe they are acting in support of Russian interests and while we cannot confirm them, media reporting that they are a Russian intelligence agency is consistent with the operations we have uncovered," says Ben Read, senior manager of analysis at Mandiant.

Read says Mandiant has observed Russian groups compromise multiple state and local government systems, some of which have contained some election-related data. "In the specific situations where Mandiant has uncovered activity, we do not believe the actor still has access," he says.

"However, in a general sense, once a malicious actor has access to a system," he adds, "they can install whatever malware they wish, and similarly, once information is taken from a network, it can be used for private information or publicized."

Iranian Activity
Meanwhile, another CISA advisory, also on Thursday, warned about Iran-sponsored advanced persistent threat groups breaking into a significant number of US-based networks by exploiting multiple vulnerabilities — most notably, one in products from F5 Networks (CVE-2020-5902) and another in web applications using Telerik UI (CVE-2017-9248). "Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns," CISA said.

While such attacks could potentially render election systems temporarily unavailable to election officials and voters, they would not prevent voting or the reporting of results, CISA noted.

The alerts, just days before what is shaping up to be the most closely watched general election in recent history, are sure to add to concerns over interference and threats to election integrity from foreign actors.

Since the last presidential election in 2016, election officials have put considerable effort into securing election systems and processes. DHS, through CISA, has made numerous resources available to help state and local election officials secure election systems. Its services include those designed to help election officials conduct cybersecurity assessments, identify and mitigate potential threats, and implement an incident response capability. In recent weeks, the US government has also handed down multiple indictments against individuals and threat groups — from Iran and Russia, in particular — that have had a nexus to election-meddling efforts.

Even so, security experts and watchdog groups have warned about continuing vulnerabilities in US election infrastructure and voting systems — especially voter registration databases and election management systems. A recent ransomware attack against systems belonging to the Hall County government in Georgia that also affected a voter registration database is one example of why such concerns exist.

There's concern also that influence operations and attacks on election systems by foreign actors — whether successful or not — will seriously undermine voter confidence and trust in the integrity of the results.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
