While traditional cyberattack operations against US government organizations have remained fairly consistent, influence- and disinformation attacks by foreign nations have increased in the run-up to the US midterm elections.
On the cyberattack front, the China-linked hacking group Budworm has targeted several government agencies, including the legislature for a US state, over the past six months, according to Symantec, part of Broadcom Software. The attack on a US government organization is the second recent incident — after a hiatus of more than six years — where the group has targeted a US private-sector agency, the company’s researchers stated in an advisory.
The attack is a departure from the group’s more recent strategy of targeting Southeast Asia, and could mark a shift in strategy, says Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter team.
The group “has been mounting espionage attacks in other regions, mostly Asia and the Middle East, [and] earlier this year German intelligence warned of attacks on organizations in that country,” he says. “We consider Budworm to be one of the more capable APT outfits, and the return to the US could signal a change in strategic priorities.”
However, security experts expect mostly a variety of influence attacks to ramp up against US government agencies and the campaigns of political candidates as the country’s midterm elections approach.
Cyber-intelligence firm Recorded Future pointed to the US intelligence community’s assessment of foreign threats to the 2020 election and concluded that the country should expect more of the same in 2022.
“[I]n 2022, such behavior [attempting to influence politics] has likely only intensified against the backdrop of conventional and hybrid warfare in Ukraine, broad international ramifications of said conflict, lingering effects of a global pandemic, and a broadening distrust in traditional democratic institutions,” Recorded Future stated in its report, adding: “The key motivations for influencing US elections are typically centered around adversaries’ long-term geopolitical interests and furthering their own domestic goals.”
Russia is focused on “sowing discord with regard to US political and societal affairs,” with a focus on hindering concerted opposition to its invasion of Ukraine, while China conducts both public and private campaigns against its detractors, and Iranian actors aim to create support for a nuclear deal. Domestic extremists have become a significant disinformation threat over the past half decade, the company concluded.
Not Just Russia
Foreign countries continue to level a variety of attacks against public and private US organizations. In addition to Budworm, aka Aquatic Panda, cybersecurity services firm CrowdStrike has encountered North Korean hacking groups such as Stardust Chollima attacking financial organizations and stealing cryptocurrency and Iranian groups such as Charming Kitten targeting US government officials.
Yet, such disruptive attacks and financial hacking are a constant presence and unrelated to the election cycle, says Adam Meyers, vice president of threat intelligence for CrowdStrike.
“There is constantly espionage operations targeting the US — you know, constant, we are tracking it every single day,” he says.
With the US midterm elections less than a month away, much of the disinformation has focused on attempting to change attitudes of undecided voters and energizing supporters to get out and vote.
In addition, some threat actors have targeted election officials with online attacks. County-level election workers are being targeted with phishing attacks, with Arizona, for example, seeing a doubling of attacks between the second and third quarters, according to endpoint detection and response (EDR) firm Trellix. Another battleground state, Pennsylvania, also saw an dramatic increase of nearly 70% in malicious e-mail messages, the company said in an Oct. 12 blog post.
The surge in e-mail messages is a reminder that election security issues affect smaller government agencies, which do not have the deep pockets of larger companies, Trellix researchers stated in the post.
“[S]tates and localities do not operate on an equal cybersecurity footing” as the federal government, they said. “Some will be more susceptible to attacks than others and many will continue to require the help of the federal government to not only harden themselves to these and other attacks, but also educate local election employees in cyber hygiene to thwart them at their point of attack.”
CISA, FBI: No ‘Successful Attack’ on Election Systems
To reassure US citizens that their votes will count, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI) published an announcement on Oct. 4, emphasizing that the agencies have not yet seen any significant, nor successful, attack on election systems.
“As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information,” the agencies stated. “Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes.”
Former president Donald Trump and his supporters have pushed dispelled theories of election fraud both prior to and following the 2020 presidential election. In the Republican primaries, many Trump supporters also made claims, without evidence, of election fraud, prior to the final tally, even when they won the primary.
CISA and the FBI did not address any specific claims, but warned voters to be critical of such news.
“Be wary of emails or phone calls from unfamiliar email addresses or phone numbers that make suspicious claims about the elections process or of social media posts that appear to spread inconsistent information about election-related incidents or results,” the agencies stated.