10/23/2020
04:30 PM
Flurry of Warnings Highlight Cyber Threats to US Elections

FBI and intelligence officials issue fresh warnings about election interference attempts by Iranian and Russian threat actors.

A flurry of alerts from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) this week heightened the already pervasive concerns around influence campaigns and cyber threats to US election systems from foreign actors.

In an unusual and brief press conference late Wednesday, Director of National Intelligence John Ratcliffe along with FBI Director Christopher Wray warned Americans about Iranian actors sending spoofed emails to voters in some states in an apparent attempt to intimidate them. Ratcliffe said the Iranian actors had managed to obtain some voter registration data, which they were using to "cause confusion, sow chaos, and undermine your confidence in American democracy."

He also described them as distributing a video and other content online for the same purpose. Certain Russian-based actors, too, have separately obtained some US voter registration data, but so far, they don't appear to have used it the same way that the Iranian groups have, Ratcliffe said.

On Thursday, CISA updated an earlier advisory warning about a Russia-backed threat group called Energetic Bear, also tracked under several other names, including Berserk Bear and Dragonfly, that has targeted dozens of US state, local, territorial, and tribal government networks since September 2020. As of October 1, the group had managed to exfiltrate data from at least two servers, CISA said. Evidence suggests that the threat group is collecting data to support future influence operations. Though the activity poses some risk to US election systems, there is nothing to suggest that election data has been compromised, CISA said.

Researchers from FireEye's Mandiant threat intelligence group this week described the Russian threat actor — tracked by the firm as TEMP.Isotope — as having successfully breached systems at energy providers, water infrastructure companies, and airports in the US and EU. So far, the group has done little damage with its access and is likely compromising these systems for potential future attacks or as a warning, according to Mandiant.

"We believe they are acting in support of Russian interests and while we cannot confirm them, media reporting that they are a Russian intelligence agency is consistent with the operations we have uncovered," says Ben Read, senior manager of analysis at Mandiant.

Read says Mandiant has observed Russian groups compromise multiple state and local government systems, some of which have contained some election-related data. "In the specific situations where Mandiant has uncovered activity, we do not believe the actor still has access," he says.

"However, in a general sense, once a malicious actor has access to a system," he adds, "they can install whatever malware they wish, and similarly, once information is taken from a network, it can be used for private information or publicized."

Iranian Activity
Meanwhile, another CISA advisory, also issued on Thursday, warned about Iran-sponsored advanced persistent threat groups breaking into a significant number of US-based networks by exploiting multiple vulnerabilities — most notably, one in products from F5 Networks (CVE-2020-5902) and another in web applications using Telerik UI (CVE-2017-9248). "Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns," CISA said.

While such attacks could temporarily render election systems unavailable to election officials and voters, they would not prevent voting or the reporting of results, CISA noted.
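Defenders reading the CISA advisory will want a quick way to check their own web-server logs for the two vulnerabilities it names. The following scanner is an added example, not code from the article or from CISA. It assumes Apache/nginx "combined"-format access logs and uses the publicly reported request patterns for CVE-2020-5902 (the `/tmui/login.jsp/..;/` path-parameter traversal on F5 BIG-IP TMUI) and CVE-2017-9248 (requests to `Telerik.Web.UI.DialogHandler.aspx`) as its indicators; the sample log lines are constructed for illustration.

```python
"""Scan web access logs for exploitation indicators of the two CVEs named in
CISA's October 2020 advisory on Iranian APT activity: CVE-2020-5902 (F5 BIG-IP
TMUI) and CVE-2017-9248 (Telerik UI DialogHandler). Added example; indicator
patterns follow public reporting and are assumptions, not text from the article."""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote

# Apache/nginx "combined"-style access-log line (assumed log format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# CVE-2020-5902: Tomcat path-parameter traversal out of the unauthenticated TMUI
# login page ("/tmui/login.jsp/..;/") reaches authenticated JSPs such as fileRead.jsp.
F5_TMUI_TRAVERSAL = re.compile(r"/tmui/\S*?\.\.;/", re.IGNORECASE)

# CVE-2017-9248: key-recovery attack against Telerik.Web.UI.DialogHandler.aspx.
# Legitimate RadEditor deployments also call this handler, so one request is a
# triage lead, not proof; a real attack produces many requests from one source.
TELERIK_DIALOG_HANDLER = re.compile(r"Telerik\.Web\.UI\.DialogHandler\.aspx", re.IGNORECASE)

# Constructed sample log (not a real capture). Lines 2 and 3 show the F5 traversal,
# plain and percent-encoded; line 4 shows a Telerik DialogHandler request.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2020:14:02:11 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [22/Oct/2020:14:02:13 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [22/Oct/2020:14:02:15 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 9021
10.0.0.9 - - [22/Oct/2020:14:05:41 +0000] "POST /Telerik.Web.UI.DialogHandler.aspx?dp=AAAA HTTP/1.1" 200 1203
10.0.0.7 - - [22/Oct/2020:14:06:02 +0000] "GET /index.html HTTP/1.1" 200 612
"""


class Finding(NamedTuple):
    ip: str
    ts: str
    cve: str
    status: str   # a 200 on the traversal means the requested file was served
    target: str


def classify(target: str) -> Optional[str]:
    """Return the CVE id a request target indicates, or None."""
    # Decode twice: attackers percent-encode "..;" (sometimes double-encode it) to
    # slip past naive filters, and the server decodes it before routing.
    decoded = unquote(unquote(target))
    if F5_TMUI_TRAVERSAL.search(decoded):
        return "CVE-2020-5902"
    if TELERIK_DIALOG_HANDLER.search(decoded):
        return "CVE-2017-9248"
    return None


def scan(log_text: str) -> List[Finding]:
    """Parse each log line and return the requests matching an indicator."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        cve = classify(m["target"])
        if cve:
            findings.append(Finding(m["ip"], m["ts"], cve, m["status"], m["target"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.cve} status={f.status} {f.target}")
```

Run it against a real log with `scan(open(path).read())`. A traversal request that returned 200 should be treated as a confirmed read of the named file; Telerik hits should be counted per source address before escalating, since the key-recovery attack needs a large volume of DialogHandler requests and a handful may be normal application traffic.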

The alerts, just days before what is shaping up to be the most closely watched general election in recent history, are sure to add to concerns over interference and threats to election integrity from foreign actors.

Since the last presidential election in 2016, election officials have put considerable effort into securing election systems and processes. DHS, through CISA, has made numerous resources available to help state and local election officials secure election systems. Its services include those designed to help election officials conduct cybersecurity assessments, identify and mitigate potential threats, and implement an incident response capability. In recent weeks, the US government has also handed down multiple indictments against individuals and threat groups, from Iran and Russia in particular, with a nexus to election-meddling efforts.

Even so, security experts and watchdog groups have warned about continuing vulnerabilities in US election infrastructure and voting systems — especially voter registration databases and election management systems. A recent ransomware attack against systems belonging to the Hall County government in Georgia that also affected a voter registration database is one example of why such concerns exist.

There's concern also that influence operations and attacks on election systems by foreign actors — whether successful or not — will seriously undermine voter confidence and trust in the integrity of the results.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.