The U.S. Government’s Response to Election-Related Cyber Threats
The presidential election in the United States is unofficially over, with the race being called by every major news outlet in favor of Joe Biden. The United States, as many predicted, did not converge on an instant or an uncontested result during the voting process, leaving many to cast doubts about the legitimacy of the election. The current president of the United States is currently refusing to concede. Instead, he and his administration have opted to legally challenge the election results, leaving the United States open and vulnerable to misinformation campaigns designed to cause chaos and division amongst citizens.
Even with the legal challenges still ongoing, I think at this point it’s reasonable that we begin to cover some of the other events that took place during the election process in the United States in hopes we can learn from them.
In September, the FBI and CISA issued several publications related to threats aimed at the approaching election. These threats included Distributed Denial of Service attacks directed at state-level voter information websites, the spread of disinformation regarding the 2020 Election results, and the intent to cast doubt on the legitimacy of the election.
To be fair, I think many of us in the security industry, including myself, expected to see large scale Denial of Service attacks during the election process. Not only did several countries in the first half of 2020 experience service degradation caused by Denial of Service attacks during their election processes, Google even publicly disclosed a 2.54Tbps DDoS attack that happened back in September 2017, now the current largest DDoS attack on record, in an attempt to highlight the growing trend of nation-state hackers using DDoS attacks as a form of disruption before the election started in the United States.
Surprisingly, in the end, there was no major Denial of Service-related events during the election. Only a few website outages and IT-related issues before the vote.
One of the main issues during the U.S. election has been related to the spread of misinformation/disinformation and the attempt to cast doubt on the legitimacy of the election.
In my previous blog, Be on Alert During Election Season, I mentioned that I was growing concerned about Information Operation becoming more localized and leveraged by savvy voters vs. nation state hackers. A vast majority of the accounts flagged for posting misinformation/disinformation on social media platforms during the election process came from domestic accounts. Meaning, United States citizens leveraged the same nation-state Tactics, Techniques, and Procedures (TTP) used to interfere and rig elections — against themselves.
U.S. Cyber Command
It’s not often we, as security professionals, see nearly instant, high confidence, attribution coming from our local governments, but during the 2020 Presidential Election, the U.S. Cyber Command took unprecedented actions against Iranian hackers and the operators behind TrickBot.
Shortly after Iranian hackers, working for the Islamic Revolutionary Guard Corps, were identified as the threat actors behind the string of Proud Boy emails threatening U.S. voters, the U.S. Cyber Command and the National Security Agency immediately begin military cyber operations against Iran to ensure foreign actors did not interfere with the presidential election in the United States.
These actions by the U.S. Cyber Command and the NSA followed a month after the DOJ, FBI, DHS, and the Department of Treasury conducted coordinated actions to disrupt and deter Iranian aggression.
In addition to these military cyber operations, back in October, the U.S. Cyber Command (independently but likely working with inside information from court documents), launched an offensive attack against TrickBot at the same time that the alliance of tech companies moved to legally disrupt its infrastructure.
While companies and organizations around the world leveraged a legal court order to disrupt Trickbot’s infrastructure, the U.S. Cyber Command leveraged a vulnerability that allowed Nation-State hackers in the United States to push a new configuration file to infected Windows devices that were currently infected with TrickBot.
As a result, this configuration file informed all systems infected with Trickbot’s that the new Command and Control servers address was localhost, 127.0.0.1. Unfortunately, the same issues persist in the disruption effort for the U.S. Cyber Command. Due to a globally diverse infrastructure, not every infected device was online or impacted by the operations, meaning TrickBot lived on, but at a financial loss for the operators.