US Midterm Elections 2018 - Situational Awareness

By Aaron Roberts, Threat Intelligence Analyst 

The Midterm Elections in the US are due to take place on 6th November 2018. In light of allegations of interference in previous campaigns, this post will focus on risks and identified activity that may be occurring to influence the result of the elections.

There has been a significant amount of coverage into election interference since the 2016 US Presidential Election. The ongoing investigation into alleged Russian involvement and collusion from members of the President's campaign is still major news two years after the fact. The US is due to head to the polls again on 6th November and a number of stories have made headlines in 2018 so far, stemming back to February 2018 .

More recently, in July 2018, an article on Business Insider discussed the potential of Russian bots and trolls testing the water ahead of the Midterms. A few days later, Microsoft announced they had prevented three separate spear-phishing attempts against Congressional candidates.

In August, news stories from Florida Senator Bill Nelson indicated that likely-Russian operators had compromised parts of Florida's election systems ahead of Novembers election .

Ongoing Campaigns

The nature of election interference and the clear affect it can have on national security means that particular details of ongoing campaigns remain difficult to identify. Government officials are reluctant to reveal too much information on ongoing investigations, whilst social networking sites such as Facebook and Twitter appear to ban accounts as and when they are identified on the platforms. The Bloomberg article referenced above includes claims that the operators of allegedly fake pages adapted their approach to advertising, paying in US and Canadian dollars instead of Roubles for example.

Whilst it seems any involvement of the Russian state in previous campaigns was much more about influencing the electorate to vote a specific way, the breach in Florida suggests that tampering of results or attempting to adjust figures could be a potential target for anyone who would wish to interfere with the democratic process.

An allegedly leaked report from the NSA identified there was a GRU Campaign Targeting US Local Election Officials between August and November 2016. The vector for attack was through third-party providers rather than the election officials themselves, and focused on voter registration. The report unfortunately does not identify the intention of the attack or the level of success of the attackers. It is however possible similar activity is currently ongoing.

Away from the Russian-based threat (or indeed, perceived threat), FireEye identified in July a Compromise of Cambodia's National Election Commission , Fusion Center covered this story in the report Leviathan Targets Cambodia Ahead of July 2018 Elections . This incident itself showing that the threat to election campaigns doesn't necessarily have to originate from Russia, and that it's likely a number of nations are performing similar activity.

Another potential avenue that may be exploited and saw attention in 2016 is the use of non-mainstream media. Sites like Breitbart and Politico were allegedly used by Russian operatives to spread messages to encourage people to support the Trump campaign and denounce his opponent Hilary Clinton, and since election these types of sites have received more attention (including conspiracy-site InfoWars). Whilst these sites are not 'mass-media', similar to social sites such as Facebook and Twitter, the echo chamber effect of repeatedly spreading messages to the same audience can work to change perceptions over time. At time of writing Fusion Center analysts were not able to identify sockpuppet accounts looking to spread these kinds of messages, however investigations are ongoing.

Recommendations

Whilst Fusion Center will continue to monitor for signs of alleged interference in the upcoming elections, as always the main things users should consider for the likelihood of an attack are likely the following Attack Patterns:

• Technique/T1192: Spearphishing Link - This is one of the obvious and easiest approaches for an attacker to compromise an organisation. It's likely that anyone trying to influence elections may look to Spearphishing in order to either undermine, embarrass or destroy information of a candidate in favour of another.
• Technique/T1193: Spearphishing Attachment - As above, the difference of an attachment to link could mean the attack is slightly more crafted to an individual, users should always be aware of email attachments and be sure they're genuine before opening. This is doubly true when an email contains an attachment that includes Macros.
• Technique/T1195: Supply Chain Compromise - It's possible that an attacker would look to infect a supplier of a political party to achieve their aims (as per this report mentioned above). If a partnership or donor is particularly high-profile, this could lead to attacks that act as the initial vector for entry. By compromising a supplier an attacker can leverage genuine email accounts for spearphishing, or may be able to connect directly to a network that may contain sensitive information to achieve their aims.
• Technique/T1189: Drive-by Compromise - It's possible attackers may consider injecting malicious advertising into websites known to be used by their targets. This approach is possibly less likely as it would require a degree of luck to be successful but is a possible avenue that users should consider if they start seeing any unusual behavior from sites they visit.
• Technique/PRE-T1118: Build social network persona - This was seen in 2016 with the alleged Russian interference, and is ongoing according to reports. As this report mentions, comments sections and social media have seen a large amount of bot and troll activity to deliver particular messaging to specific audiences, this has been seen through sockpuppet accounts, groups and pages on Facebook, and mostly sockpuppet accounts on Twitter.
• Technique/PRE-T1119: Develop social network persona digital footprint - As above, given the public attention on the 2016 activity, we may see any threat actors involved developing more of a digital footprint for their activity away from basic sockpuppet accounts. The major social networks have made a statement on their attempts to remove obvious troll and bot accounts, whilst this will be harder to do if accounts appear to be significantly more real by having a larger footprint. Users should always be wary of unsolicited approaches or conversations stemming from social media.
• Technique/PRE-T1132: Create infected removable media - Another potential avenue actors may use, particularly against non-tech savvy targets is through infected removable media, maybe USB sticks in a car park or posting to an individual within a company. Whilst the likelihood of success from this kind of attack should be low, mistakes still happen and users should always be wary of receiving unsolicited removable media. If they do receive this kind of material, they should be sure to insert it into a machine that does not connect to a corporate network or out to the internet, and of course should ensure their security software is up to date.