Priorities and Threats by Cyber Criminals and Nation-State Adversaries in an Election
Ransomware attacks have been placed on the U.S. Government’s list of top threats to the U.S. Presidential Election. At Kivu, alongside our Incident Response and Threat Intelligence industry peers, we hold a responsibility to elaborate on the attacker’s motivations, methods, and attack landscape. Less than 24 hours before an election, we will try to bring into focus the issues brought by the threat of ransomware to the 2020 elections. Ransomware operators are known to be primarily motivated by financial gain; thus, they seek to exploit a business’s needs for continuity in exchange for money rather than seeding a people’s distrust in its government. Cybersecurity is built upon the tenets of confidentiality, availability, and integrity.
Ransomware operators seek to impact the confidentiality and availability of a business’s operations for financial gain; however, they do not necessarily seek to impact data integrity in their attacks. In cybersecurity, integrity may be defined as the assurance that data is protected from unauthorized changes so that it remains reliable and valid, and undermining it is not necessarily a concept that furthers their endgame.
Conversely, foreign election interference, whether by nation-state actors or cybercriminals, seeks to disrupt and undermine the integrity of the public process (for example, the right to vote, and public trust in the result) in holding free and fair elections. In 2020, the cyber threat to our election’s integrity is a merged one, coming from both nation-state actors and cybercriminals. The question is whether ransomware cybercriminals are participating in undermining American confidence in the integrity of the election process.
There are two publicly known ransomware attacks that have directly and indirectly impacted American elections. The first attack, in mid-September, was carried out by the group known as RansomExx and indirectly impacted the election supply chain by encrypting the systems of a government software and technology provider. This ransomware group is not known to serve at the direction of a nation-state. The second attack was carried out by the group known as DoppelPaymer on Hall County, Georgia. This attack directly disabled an election database used to verify voter signatures in the authentication of absentee ballots. DoppelPaymer, while known for its former affiliation with Evil Corp before being sold off to cybercriminals, is also not known for taking direction from a nation-state. Evil Corp is a Russia-based cybercriminal organization responsible for the development and distribution of the Dridex malware, and is a sanctioned entity under the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
The motivations behind the two election-oriented attacks appear to be monetary gain, in that devices are encrypted and a ransom is leveraged. However, such attacks can and do impact elections in ways the cybercriminals may not have foreseen: they damage election integrity, erode public trust in the security of government networks, and can potentially block voting and disrupt a pivotal part of the American political process, for example by blocking access to and availability of voting sites. What appears on the surface to be an opportunistic attack for money can also have the collateral effect of eroding public trust in government security and institutions.
Cyber Criminals Respond to the Indictment of 6 GRU Officers
On October 19th, 2020, the Department of Justice (DOJ) indicted six intelligence officers in the Russian Main Intelligence Directorate (also known as the GRU). The intelligence officers are responsible for well-known attacks around the world, including NotPetya, interference in the 2017 French elections, orchestrating spear phishing campaigns against the investigators handling the Novichok poisoning, as well as targeting Ukrainian government agencies and causing a network outage to their power grid between December 2015 and December 2016.
Following the Cold War, the GRU has sought to advance Russia’s ideology through information confrontation against opposing beliefs, ideologies, and sentiments that are viewed as impediments to the country’s progression or to securing its strategic interests. GRU operations accomplish this Russian policy through asymmetrical cyber warfare aimed at influencing targeted populations.
Cybercriminals based in Russia (and within CIS countries) operate with impunity as the Russian authorities turn a blind eye to their activities provided criminals only target the businesses of Russia’s perceived enemies. Whether Russian cybercriminals are required or expected to take direction on attacking more strategic targets, and whether they can be used as needed by Russian authorities to supplement Russia’s official cyber warfare capabilities are questions open for interpretation. When Russia allows cybercriminals to enrich themselves through ransomware, is the Russian government then not entitled to call upon them in attacking strategic American targets (such as election infrastructure) on a pro-bono basis?
Kivu’s Threat Intelligence team has observed concerning sentiments shared among cybercriminals in dark web forums relating to the connection between ransomware cybercriminals and Russian government-related attacks. Following the DOJ indictment, forum members’ responses expressed concern over where cybercriminals and ransomware operators fall within nation-state foreign and domestic priorities. One forum member went as far as expressing cybercriminals’ support for the GRU’s mission abroad: “In each of our Russian souls lives a GRU servant, and all of us wrote NotPetya…The only thing missing are the Russian cybercriminals from this story [indictment.]”
Ransomware criminals were neither as organized nor as well-funded in 2016 as they are in 2020, which is why we believe they are a real threat to the 2020 elections. In 2016, the United States faced election interference by the GRU against voter databases and the Democratic National Convention’s internal information. In 2016, however, cybercriminals were not knowingly present on the threat actor landscape as far as impacting the election. With the tremendous rise in ransomware and political tensions since 2016, we believe the 2020 election is different.
Disruption of Cyber Criminal Infrastructure Prior to U.S. Election
In early October, Microsoft and U.S. government agencies coordinated legal and technical efforts to disrupt one of the largest cybercriminal botnets preceding ransomware attacks: TrickBot. Microsoft spent months collecting malware samples, mapping out the botnet’s infrastructure, and compiling an asset inventory of the botnet. Once compiled, the United States District Court for the Eastern District of Virginia granted the request to seize and disrupt TrickBot’s operations. The court approval allowed the company to take down the IP addresses of TrickBot’s command-and-control servers, suspend services to the operators, make server content inaccessible, and discourage the cybercriminal operators from provisioning further weaponized servers.
Microsoft was primarily concerned TrickBot’s operators would use the botnet to disrupt the imminent US election through ransomware. Attackers could lock down systems maintaining voter rolls or reporting on election night results, the company said. The disruption could also help thwart attempts to hijack bank accounts and threaten critical institutions using ransomware like Ryuk, which has been linked to numerous attacks on health care institutions.
By extinguishing the cybercriminals’ infrastructure, the ability to carry out certain ransomware attacks was (briefly) disrupted. Microsoft states, “Anytime a botnet’s server infrastructure is eliminated, the attempt to rebuild is not as simple as setting up new servers. New servers need to be provisioned to begin talking with the botnet’s infected devices and issuing commands, all of which takes time.” In other words, the primary purpose was to make it more challenging for cybercriminals to continue their malicious operations. While other vectors for infiltration exist for ransomware operators (such as exploits and compromised remote services), disrupting a botnet extends an operator’s attack path timeline by forcing more manual work to infect.
However, on October 28th, 2020, five days before the election, the FBI, CISA, and the Dept of HHS issued a joint alert of imminent attacks on healthcare and public health sectors across the United States, with rising evidence of targeting of hospitals in Canada as well. The credible threat was attributed to the Ryuk group, notoriously known for wreaking enterprise havoc and infiltrating through the use of TrickBot to carry out ransomware attacks. Most notably, from the first point of infiltration by TrickBot to the Ryuk ransomware attack, the timeline is a matter of hours before it is lights out. Amidst a pandemic and in the heat of an election, TrickBot’s operators struck back against the disruption campaign by Microsoft and the U.S. Government.
The threat of ransomware continues to be a credible and scalable cyber risk to the US elections. While the intentions of nation-states and cybercriminals may differ, both now hold the ability to impact elections, either directly by disabling critical services, or indirectly by disrupting the election supply chain and public confidence in national election security.