In the run-up to the U.S. presidential election, federal officials have raised concerns about how a well-timed ransomware attack could disrupt voting or lock up electoral databases.
Allan Liska, a ransomware specialist at Recorded Future who has been analyzing election security threats in recent months, said his research has left him feeling bleak.
“I keep looking for optimism in this. I don’t like to be that guy — I wish I could tell you some happy news,” Liska said. “But spending hasn’t kept pace with the challenges, and the attackers have gotten more advanced. States are trying to fix the wrong problems — they’re focusing on things like phishing attacks, but that’s not necessarily the way ransomware actors are getting into networks right now, which is problematic.”
Although there are several types of cyberattacks that could impact the upcoming election, Liska said a handful of factors makes ransomware a particularly serious threat come November.
Ransomware actors have gotten more sophisticated.
In 2016, ransomware operators were mostly using “spray-and-pray” tactics: They would distribute thousands of infected files in the hope that an individual, small business, or other unsuspecting victim would click on it and have their computer infected. The average ransomware demand at the time was relatively small — around a few hundred dollars, according to cybersecurity experts.
Since the beginning of 2018, however, the number of targeted ransomware attacks has skyrocketed, research from Symantec shows. In these incidents, ransomware operators focus on a particular organization and design their attack to cause maximum damage. Attackers can spend months surveilling a victim’s network, and they infect backups and the other systems an organization would otherwise rely on to recover without paying a ransom. These attackers often demand significantly higher payments, with some ransoms reaching more than one million dollars.
“Ransomware operators are better funded overall. Because ransomware demands have gotten much higher and more people have paid, they have more money in the bank to launch bigger attacks,” said Liska.
Ransomware gangs have become more organized thanks in part to the large payouts. Many groups have used funds to develop tools and techniques that make attacks harder to detect and easier to carry out.
“We’re dealing with much more sophisticated threat actors than in past elections. They’ve had two to three years of learning their way around networks and are better positioned to gain access,” said Liska, adding that attackers have developed tools that make things like network discovery easier. “They have many more tricks now than they had then, and they have more patience and willingness to sit out in the network for months to find their openings.”
Some attackers focus on destruction.
Another worrying trend for election officials is that the most sophisticated attackers — nation-states and state-sponsored groups — have launched campaigns in recent years that appear to be ransomware attacks but don’t allow victims to recover their data, even if they pay the demand.
In 2018, the U.S. and other governments blamed Russia for the NotPetya attack that disrupted businesses around the world. That attack used wiper malware, which locked up data on compromised devices but did not offer a way for victims to unlock the information.
If a nation-state launched such an attack against a voter registration database, it could sow strife and doubt in the election results, Liska said.
“Ransomware can be used in tandem with other tactics to cause chaos,” he said. “If a Russian [advanced persistent threat] group is able to install a wiper and delete a voter registration database, the following disinformation campaign will take the kernel of truth and turn it into a bigger story until no one trusts the election results.”
Election infrastructure is likely to have vulnerable software.
Voter registration databases are likely at risk of attack because many state and local governments run software on these systems that ransomware groups favor as entry points.
For example, many agencies use Microsoft Remote Desktop Protocol and Citrix so third parties can maintain their systems. However, these are prominent attack points for ransomware actors, Liska said.
“We know several states are using RDP and Citrix to administer their infrastructure, and we know ransomware actors are going after that. Those vulnerabilities exist everywhere because so many people use [these tools], but the fact that attackers are already targeting election systems means that their job is made easier by these vulnerabilities.”
Additionally, many devices incorporated into election infrastructure run on outdated operating systems that are no longer supported by their developers, like Windows 7, Liska said.
Credential leaks make state and local governments an easy target.
During the month of July, about 30,000 state and local government usernames and passwords appeared for sale in underground forums, according to data collected by Recorded Future. Due to widespread password reuse, these exposed credentials could make it easier for attackers to gain access to election infrastructure and obtain administrative privileges once they’re inside the network, according to Liska.
Many states have focused on detecting and preventing phishing attacks since the 2016 election, Liska said, but exposed credentials can be an easier point of access for attackers, especially if they’re trying to compromise under-resourced local agencies.
“You’re walking right in the front door — you don’t have to hack anything or phish anyone,” he said.
COVID-19 presents new election challenges.
The coronavirus outbreak will have a broad impact on the upcoming election — many states have moved to expand mail-in and absentee voting, and election officials have warned that it might take days or weeks to determine a winner.
But COVID-19 will also make it more difficult for state and local officials to defend against ransomware attacks, Liska said.
“Not only do we have election officials working remotely, but we have reduced staff because so many states have had to furlough employees,” he said.
States, counties, and cities have cut back services and slashed budgets in recent months due to the coronavirus outbreak and its impact on local economies. Although the extent to which cybersecurity and election operations have been affected by this is unclear, it will likely make it harder for officials to defend vulnerable systems.
“You have to assume there’s some reduction in staff when it comes to protecting election infrastructure,” Liska said.