The Day After the Elections:
The Attack Surface That Could Undermine Our Trust in the Elections
Opportunity for Election Disruption
As we venture into the final lap of the 2020 election season, it is clear we are perhaps more on the edge than we ever have been in modern political history. Of course, if you are an adversary, this is the perfect opportunity to disrupt key institutions, sow seeds of discord and disseminate information that furthers the divisions. Much of the focus on election security has been on two aspects leading up to election day, November 3rd: disinformation and security of the voting process itself. However, we believe there is a third aspect that perhaps has not received the attention it deserves: what happens on November 4th and the days and weeks beyond. Americans have all heard the chatter about a potentially disputed election, delayed results and the resulting court battles. This creates the opportunity for nation state attackers or even just the proverbial “individual sitting in a basement” to feed the chaos by disrupting the infrastructure that comes to the fore post-election day.
Understanding the Attackable Surface of U.S. Elections
The researchers at Awake Security set out to do an analysis of the attack surface available to an attacker looking to fulfill this objective. As most people know, federal elections are run at the local county and state level. So, an attacker looking to slow down or disrupt the timely counting of votes and declaration of results could target these states and counties. Attacks such as ransomware or destructive malware are likely to have the biggest impact, both because of their newsworthiness and because they seem to result in the most “deer in the headlights” impact for defenders. And the reality is, an attacker does not need to achieve wide-scale compromise; they simply need to cause enough fear, uncertainty and doubt to undermine faith in the integrity of the elections on all sides of the political aisle.
It is also important to note that this is not a set of worst-case scenarios for planning purposes only. We have in fact seen this playbook before. For instance, NotPetya was a highly destructive attack targeting Ukrainian infrastructure, launched by attackers believed to be linked to the Russian military. Clearly, that attack got a lot further than Ukraine. We have also seen attempts to fake computer vote totals and “declare fake winners” in past elections across the globe. More recently, an organization in Texas that provides software used by many towns and cities to report election results was hit by ransomware. One cannot help but wonder if there was more to this attack, if the attackers are still in the environment and if the ransomware was simply a distraction from more nefarious objectives. Even closer to the 2020 elections, US intelligence agencies disclosed attempts attributed to Iran and Russia to use publicly available data such as voter rolls and marketing databases to cause what are termed “perception hacks”. To quote The New York Times:
“…Officials have been warning for months about the risk of what are known as perception hacks: efforts to use a mix of easily accessible data to create the impression among voters that foreign powers are actually inside voting infrastructure. That perception alone, officials said, could shake confidence in the integrity of the vote — exactly what Russia has been seeking to do since its interference in 2016 …”
The situation we find ourselves in is exacerbated by the fact that, given the pandemic and the large number of mail-in ballots expected, it is quite likely that the typical election night “calls” of years past may not happen. This increases the window for an attacker to further fuel the apprehension. In fact, the same New York Times article we referenced earlier goes on to say:
“…But there is no evidence that the hackers have directly attacked any election infrastructure. The fear among cybersecurity experts is that once inside local government networks, they could try to move laterally, into voter registration databases.”
It is this aspect of election security that the Awake Threat Research Team focused on.
Our Approach – Threat Model the System
The Awake research replicated some of what we do with organizations across the globe, including government entities: constantly identify and monitor the true attack surface these organizations present to threat actors. This includes the infrastructure that is managed and known, as well as the unknown attack surface, which includes shadow IT, IoT, cloud and other infrastructure that may unknowingly present backdoors to attackers.
The threat model we examined focused on identifying the external-facing infrastructure that could be targeted and infiltrated by an outside attacker to gain a foothold, spread laterally, launch their attacks and cause disruption, or even to potentially establish a path to the election infrastructure crown jewels.
It is worth mentioning that our analysis is something that any attacker, even without tremendous sophistication, can employ and likely is employing. In fact, the research we document in this paper was performed without sending a single network packet to any of this infrastructure. We simply used public and easily accessible databases that store and index this information, something any adversary can do and, in fact, is doing based on recent news reports. For instance, a little over a week before the 2020 general election, the Cybersecurity and Infrastructure Security Agency (CISA) disclosed that a Russian state-sponsored threat actor had breached and stolen data from US state, local, territorial, and tribal (SLTT) government networks as well as aviation-related organizations. This is a clear indicator that the risks we lay out in this paper are very real.
Our approach to understanding the potential risk was simple:
- Identify networks owned by state and county government institutions.
- Identify devices that are internet-accessible within those networks and the applications and services they expose.
- Identify vulnerabilities in this infrastructure that an attacker could leverage to get a foothold into these environments.
We do recognize that it is quite possible that this internet-accessible attack surface is far enough removed / segmented off from anything sensitive. Unfortunately, being security professionals, all too often we find network segmentation does not adhere to best practices and an attacker can get from the external perimeter to sensitive internal systems with relative ease. But even if we assume the segmentation strategy was implemented effectively, an attacker may not even need to actually get to anything election related to achieve the desired effect of public mistrust in the system. Furthermore, given how elections in this country come down to a few states and counties, the so-called “swing or battleground states”, the barrier for an attack is unfortunately not too high.
What We Found – Potential Risks to Election Integrity
Before we dive into more details on our findings, we would like to state that this analysis was not done with a partisan view of the country. As the results show, the challenges are not unique to blue states or red states.
In fact, across pretty much all the states, we found thousands of internet-facing applications, many of which appear to be running vulnerable and, in some cases, decades-old software. We discovered states and counties exposing services like Kerberos that have been previously exploited in attacks such as WannaCry and ZeroLogon. Our research also uncovered common vectors for ransomware and other destructive attacks within the state and county infrastructure.
We also looked at the data through a different lens: which states presented the largest attack surface based on the services and vulnerabilities exposed. As you can tell from the tables below, there is a fair amount of potential risk out there, especially in the swing states of Florida, Minnesota and Pennsylvania as well as others like Colorado, New York and North Dakota.
We recognize that given the sprawl of technology that is the typical state or local government today, the problems we detail in this report may not be easily solvable. These entities are also seeing historical budget cuts as governments struggle with pandemic response and the economic uncertainty we find ourselves in. But the first step in solving the challenge is understanding the problem, and so in the rest of this paper we dive into the details of our approach, what we uncovered and deeper analysis of why we believe these findings are relevant.
VP, Threat Research