The ongoing investigation and resulting indictment by special counsel Robert Mueller brought new information to light about the techniques and tactics that Russian military intelligence officers (GRU) used to disrupt the 2016 U.S. elections. The indictment lays bare a coordinated campaign to compromise political campaigns and election infrastructure. Weak operational security (or opsec, as it’s known in the industry) at the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) was exploited in spectacular fashion. Both fell victim to a successful spearphishing campaign that led to the compromise of multiple user accounts and computers, and to the subsequent release of more than 50,000 stolen documents. Several state and local websites and their election officials were targeted using similar attacks. This type of multi-level attack strategy should concern all election officials: they play a critical role in election administration and are likely being targeted by adversaries that wish to disrupt, or stoke distrust in, the electoral process.
Russia’s escalating efforts to undermine and interfere in U.S. domestic affairs are well-known, well-documented, and well-repeated. What the indictment offers is insight into the technical aspects of the hack of the DCCC and DNC systems, as well as specific information about the targeting of state and local election systems. The 12 GRU officers named in the indictment followed a straightforward game plan:
- Acquire user credentials to access systems,
- Find information of interest stored on those systems,
- Remove that data so that it can be weaponized through separate information campaigns.
There are interesting technical details that we can glean by working through each of these steps. Over 300 individuals affiliated with the Democratic party or campaign were targeted in a spearphishing campaign, including Clinton campaign chairman John Podesta. Podesta received and clicked on one of these authentic-looking but fraudulent email messages, which prompted him to enter his Google credentials into a site created by the GRU. The attack succeeded despite assurance from his staff that the email was legitimate. Other campaign employees and volunteers were also tricked into revealing their credentials. Using the stolen credentials, the GRU installed the Russian-developed “X-Agent” malware to log keystrokes and record the screens of campaign staff, then used that access to explore the network and eventually locate information of interest on about 33 DNC computers. Remote servers in Arizona and Illinois, leased with Bitcoin and controlled by the GRU to hide their tracks, were used as staging points while several gigabytes of stolen data were copied out of the DNC network. The information was later provided to media outlets, and even to a Congressional candidate, as part of a larger disinformation campaign.
State and local election officials should remain concerned about being targeted by malicious actors, foreign and domestic. At the same time as the DCCC and DNC were being infiltrated, the GRU successfully hacked an election systems vendor and targeted state and local election officials in five states through spearphishing campaigns and website vulnerabilities. The most significant hack occurred when a vulnerability was exploited on the Illinois State Board of Elections website. The GRU gained access to the personal information of over 500,000 voters, including their names, addresses, and partial Social Security numbers (the Illinois State Board of Elections has stated a different figure for the number of compromised records). Election officials are a gateway to potentially millions of voter records and, more importantly, cast votes. Increasing their resistance to attacks like those used by the GRU is critical to securing our elections.
There is a lot to learn, and a lot we can do right now to better protect campaigns and elections from compromise. For example, people are often the weakest link, so it’s essential that we reduce the potential for human error, including by adopting unphishable forms of two-factor (or “two-step”) login such as hardware security keys. CDT is working to get actionable advice and tools directly into the hands of local election officials, so pay attention to this space in the coming weeks and months. We are running cybersecurity 101 courses with our partners at the Center for Technology & Civic Life, as well as producing a series of short field guides to important cybersecurity issues based on the excellent work of Harvard’s Defending Digital Democracy Project and the Center for Internet Security. We’re also working on cybersecurity capacity building for local election officials by identifying potential technical volunteers from sources like the National Guard, cybersecurity programs at community colleges, and hackers and cybersecurity professionals who may be able to lend a hand in shoring up our defenses.
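The difference between a phishable and an unphishable second factor is worth seeing concretely. The Podesta-style attack above works against a password plus a one-time code because the attacker’s lookalike page can simply relay whatever the victim types to the real site within the code’s validity window. An origin-bound factor (a FIDO2/WebAuthn security key) defeats that relay because the signed response names the site the browser is actually on, and the real site rejects a response naming anyone else. The following Python script is an added illustration written for this post, not code from the indictment, CDT, or any vendor. It is a deliberately simplified model: the security-key “assertion” is an HMAC over the challenge and origin using a per-credential secret rather than a real public-key signature, the TOTP side follows RFC 6238, and every host name, password and key in it is made up.

```python
"""Added illustration: a relay ("man-in-the-middle") phishing page defeats
password + one-time code, but not an origin-bound challenge/response.

Simplified model, not a real WebAuthn implementation: the security-key
'assertion' is an HMAC over (challenge, origin) with a per-credential secret
instead of a public-key signature, and the only WebAuthn property modelled is
that the browser feeds the page's true origin into the signed data.
All host names, passwords and keys below are made up.
"""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with HOTP dynamic truncation)."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpSite:
    """Real login service: password plus a TOTP code from the user's app."""

    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.totp_secret = totp_secret  # the user's authenticator app holds a copy

    def login(self, password: str, code: str, now: int) -> bool:
        return password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))


class RelayPhishingPage:
    """Attacker's lookalike page: forwards whatever the victim types to the real site."""

    def __init__(self, real_site: TotpSite):
        self.real_site = real_site

    def submit(self, password: str, code: str, now: int) -> bool:
        # The code is still valid for the current 30-second window, so the
        # attacker's own session on the real site is established.
        return self.real_site.login(password, code, now)


class OriginBoundSite:
    """Login service using an origin-bound challenge/response (WebAuthn-style)."""

    def __init__(self, origin: str, credential_key: bytes):
        self.origin = origin
        self.credential_key = credential_key

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def login(self, challenge: str, signed_origin: str, signature: str) -> bool:
        # The site checks that the origin inside the signed data is its own
        # before it even checks the signature.
        if signed_origin != self.origin:
            return False
        expected = hmac.new(self.credential_key, f"{challenge}|{signed_origin}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


class SecurityKey:
    """User's authenticator: signs the challenge together with the origin the browser reports."""

    def __init__(self, credential_key: bytes):
        self.credential_key = credential_key

    def sign(self, challenge: str, browser_origin: str) -> tuple:
        sig = hmac.new(self.credential_key, f"{challenge}|{browser_origin}".encode(),
                       hashlib.sha256).hexdigest()
        return browser_origin, sig


def totp_relay_phish(now: int = 1_700_000_000) -> bool:
    """Victim types password + current code into the lookalike page. True if the attacker gets in."""
    real = TotpSite("correct horse", b"12345678901234567890")
    phish = RelayPhishingPage(real)
    code_from_victims_app = totp(real.totp_secret, now)
    return phish.submit("correct horse", code_from_victims_app, now)


def origin_bound_relay_phish() -> bool:
    """Same relay attack against a security key. True if the attacker gets in."""
    key = secrets.token_bytes(32)
    real = OriginBoundSite("https://accounts.example.com", key)
    victim_key = SecurityKey(key)
    challenge = real.new_challenge()  # attacker fetches a genuine challenge and relays it
    # The victim's browser is on the lookalike site, so that origin goes into the signed data.
    signed_origin, sig = victim_key.sign(challenge, "https://accounts-example-login.com")
    return real.login(challenge, signed_origin, sig)


def origin_bound_legit_login() -> bool:
    """Control case: the same key used on the genuine origin succeeds."""
    key = secrets.token_bytes(32)
    real = OriginBoundSite("https://accounts.example.com", key)
    challenge = real.new_challenge()
    signed_origin, sig = SecurityKey(key).sign(challenge, real.origin)
    return real.login(challenge, signed_origin, sig)


if __name__ == "__main__":
    print("TOTP behind a relay page, attacker logged in:", totp_relay_phish())
    print("Security key behind a relay page, attacker logged in:", origin_bound_relay_phish())
    print("Security key on the genuine site, user logged in:", origin_bound_legit_login())
```

Running it shows the relay page succeeding against the one-time code and failing against the origin-bound response, while the legitimate login still works. Real WebAuthn is stronger than this sketch in two further ways: the browser refuses to offer a credential to a page whose origin does not match the site the credential was registered for, so the lookalike page never receives a response at all, and the response is a public-key signature the site verifies without holding any secret that could be stolen from it.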
The cyber attacks on democratic elections worldwide are unfortunately likely to accelerate. As the Mueller indictment lays out, the modes of attack are neither new nor unexpected, but they are becoming increasingly sophisticated. CDT is committed to helping election officials and political campaigns address these challenges and build strong cybersecurity practices into their core operations.