With the election only a week away, the discussion about how the upcoming U.S. presidential election may or may not be “rigged” is being closely watched. ‘Election hacking’ reports from CNN, the Washington Post, and even the candidates themselves provide yet another debate platform regarding the possibility of corrupted election results. For the purpose of this blog let’s set aside the fact about our national election system is far too distributed for any widespread national vote theft to occur and explore the more likely technological aspects of “hacking an election” through swing states...and what we know through Seculert Labs analysis.
To tamper with the outcome of a presidential election today you have to ignore 80% of the states because our national elections are actually determined by the results of a small number of “swing states”. According to Politico, the swing states this year are Colorado, Iowa, Michigan, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Virginia, Wisconsin, and as always, Florida.
Homer Simpson's view of the importance of "swing states".
Based on current polling figures, you might have to hack into nearly all of this year’s swing states to truly impact the outcome of the 2016 election. But consider a closer election such as Bush v. Gore in 2000 and Florida’s “hanging chad” debacle. In this scenario hacking a single state’s election system could materially affect the outcome. Let’s examine a couple different ways a motivated miscreant could do that.
From a purely technological standpoint, an election is a rather simple data collection, tabulation, and reporting system. As such it contains the same vulnerabilities as any other commercial IT operation: ‘data at rest’, ‘data in motion’, and the other risks inherent in these statuses. So without knowing which ‘swing state’ holds the most value in an upcoming election, how might a nefarious actor hack election IT system data stores ‘at rest’ in a county or state election data repository?
The best way to determine this is to look at how commercial IT systems are breached every day and attempt to manage their defenses. We at Seculert have many tools, including an “attack simulator” (ref., Seculert Javelin Gateway Attack Simulator), to observe and identify the most common and dangerous attackers now circulating on the internet. Fully three quarters of these attacks are classified as “information stealers”. The current Top 10 list also includes one of the most malicious and threatening ransomware attacks, Torrent Locker capable of encrypting the data found on file share servers.
Understanding this, there are basically two ways we see how these bad actors might attack the election process: 1) altering the vote counts in the election system in between the time actual ballots are cast and the numbers being reported, and 2) by stealing and/or corrupting the data with or without actually altering it. Altering election results would be pretty hard in most counties and states because you’d need to obtain authentication credentials, get access to the systems, and determine exactly how and when to alter the data for maximum effect. Achieving all of this without being detected would be hard, but not impossible, particularly if one started work months in advance to penetrate the election system networks, having chosen the right swing states in which to do so.
For example -- if Russian hackers, or even a local criminal gang wanted to change the results or prevent precincts from reporting vote counts on time, they could likely start with one of the information stealers like Ursnif or Nymaim that are capable of identifying and stealing authentication credentials. Assuming they could succeed in getting access to the databases and files in which votes are tabulated, there is almost no end to the mischief they might perpetrate.
You may ask, “how would they know whose credentials to steal?” This is where hacking an election becomes much easier than hacking a corporation. Election official identities are almost always in the public record, so by spearphishing the official’s login credentials you can pretty much steal whatever you want, barring some sort of really adept DLP system performing as it should. A sophisticated election hacker targeting Florida, for example, would target a list of election officials in Miami-Dade, Broward, Orange and the other counties that comprise the state’s major electoral districts - back in April - to impact the November election. This 6 to 9 month timeframe is based on research from Seculert Labs, and our awareness of how long an attacker usually lays in wait to perform their hack.
Even if a hacker weren’t able to directly alter election results, they could toss the election reporting of a swing state into chaos by using one of the information stealers like Vawtrak or Matsnu, capable of accessing and collecting data on file shares, regardless of the file or database structure. When combined with known ransomware attacks, hackers could completely disrupt election reporting by encrypting the files containing the vote counts in demand of payment or some other remuneration to release them. And sure, a state or county could pay the ransom, but may never be able to validate if the subsequently released data was unaltered from the original votes.
Can you imagine Presidential candidates Donald Trump, Hillary Clinton, or anyone frankly, accepting a swing state’s election results if a hack were discovered?