A recently detected Iranian cyberattack targeting a US presidential campaign may well be a harbinger of what's in store for political parties and election systems in the run-up to next year's general elections.
Last Friday Microsoft disclosed it had observed significant threat activity over the past two months by Phosphorus, a threat group believed linked to the Iranian government. Phosphorus, which is also known as APT25 and Charming Kitten, made over 2,700 attempts to break into specific email accounts belonging to Microsoft customers. In many cases, Phosphorus used information about the targets — including phone numbers and secondary email addresses — to try to infiltrate their email accounts.
In the end, Phosphorus attacked 241 targeted email accounts and eventually managed to compromise four of them.
In a blog Friday, Microsoft corporate vice president Tom Burt described the targeted accounts as being associated with a US presidential campaign, current and former US government officials, journalists covering politics, and Iranian nationals residing outside the country. The four accounts that were actually breached, however, were not connected to the presidential campaign or to the government officials.
Burt did not offer any insight on possible motives for the attacks. But he said Microsoft was releasing the information as part of its effort to be transparent about nation-state-sponsored cyberattacks aimed at disrupting democratic processes.
Concerns over such attacks have been rampant since 2016, when news emerged of Russian hackers breaking into a system belonging to the Democratic National Committee as well as their attacks on state election infrastructure around the country.
In a heavily redacted report published in July, the Senate Intelligence Committee concluded that Russian hackers in 2015 and 2016 likely tried to break into election systems in all 50 states. The committee said Russian government-affiliated cyber actors "conducted an unprecedented level of activity against state election infrastructure in the run up to the 2016 U.S. election."
The attacks exposed critical vulnerabilities in election infrastructure at the state and local level, including insecure voter registration databases and aging voting machines that were susceptible to exploitation. News of the attacks has also promoted the impression that US voting systems are insecure, which is what Moscow might have wanted to achieve in the first place, the report said.
More Attacks on the Way
Many of the vulnerabilities from 2016 still exist and will likely be targeted in coming months by cybergroups based in nations that are hostile to US interests, security researchers say.
"We should expect to see attacks against election systems, elected officials, and candidates to only increase as the 2020 elections get closer," says John Pescatore, director of emerging security trends at the SANS Institute.
The US, UK, France, China, Russia, Iran, and North Korea all have very active espionage programs against each other and other targets, says Pescatore, a former NSA analyst. In recent years, election and census systems have become part of the espionage mission for these programs, he says. "Such attacks are just a normal part of espionage these days [for them]," Pescatore notes.
The good news is that despite relative inaction at the federal level, many states are taking positive steps to address gaps in their election infrastructure with help from members of the IT vendor and security community. "While the presidential election is for a national candidate, it is really run like 50-plus state elections that get added together at the end," Pescatore says. "[So] the local efforts are really the most important."
Joseph Carson, chief security scientist at Thycotic, views the recent Iranian cyberattacks as a response to US sanctions and other actions against the government in that country. "Moving forward, I believe that cyberattacks are going to get more aggressive in the lead-up to the US presidential election," Carson says.
The attacks are more likely to target President Trump due to his political stance and recent sanctions against Iran. "Like most cyberattacks, attribution is going to be difficult, and many of these cyberattacks will appear to come from other countries, or even from within the US, occurring from compromised, poorly protected systems," he predicts.