As the U.S. elections near an end, the nature of successful interference is likely to change. Any significant attempt to sway voters now will require a dramatic late game operation that receives significant attention—an operation such as a hack and leak campaign or the use of forged materials. Otherwise, adversaries are likely to focus on operations aimed at outlasting the actual elections and undermining faith in the institution. These operations could unfold at the eleventh hour and even following the final tally of votes.
Late Game Events to Sway Voters
The release of hacked and forged materials, laundered through personas and third parties, and amplified by media and social media is a tactic we have seen repeatedly used by adversaries within the context of elections as well as other events. The hack and leak has been used by Russian, North Korean and other unknown actors as a means to embarrass, misrepresent and successfully cow targeted organizations.
The timing of hack and leak operations varies. Long term preparations may give way to ad hoc necessity. When Guccifer 2.0 suddenly appeared in the wake of revelations about APT28 compromising the DNC, the persona was likely a departure from original plans to release materials through the ElectionLeaks and DCLeaks websites. Timing may also be dictated by the third parties used to launder leaks. Third parties may have designs on the most opportune timing for leaks or the leak may be at the mercy of their ability to act quickly. An editorial process, for instance, could hinder timing. Actors may also wait until the eleventh hour, as was the case with MacronLeaks.
Third parties and personas are an essential feature of these operations. Although they rarely hinder attribution of incidents, they provide a veneer of suitable obfuscation to maintain deniability. The fictitious personas frequently leveraged in these incidents include dubious hacktivist groups with no previous history and a confused ideology meant to explain their actions. More and more, actors have leveraged the Anonymous moniker as a versatile persona to hide their actions. AnonymousPoland was used by GRU actors to carry out a protracted attack on Olympics-related organizations.
Other third parties leveraged in these events include the media, organizations focused on leaked materials, and fringe political figures. Though mainstream media has become more circumspect, less traditional outlets that enjoy strong social media infiltration are still a means to deliver this information to voters. In previous incidents, political figures with significant social media followings have worked diligently to spread documents they received from Russian military intelligence through social media.
Adversaries are already targeting organizations that could provide leakable materials. Targeting of democratic campaign affiliates and Ukrainian industry with ties to the candidates has been connected to the very same organizations that were involved in the 2016 incidents, as well as hack and leak incidents associated with the Olympics and the French elections, among others. While outstanding work has caught some of this activity, it is possible that intrusions have escaped notice.
Forged materials, such as fabricated documents, may be added to leaks or used alone. Leaked alongside authentic, stolen documents, forged material is difficult to detect. Forged materials have been at the core of operations such as Secondary Infektion and Operation Ghostwriter. In the latter operations, these materials were planted on real media sites in an attempt to encourage rapid propagation.
Undermining the Institution of Elections
Ultimately, almost all information operations undermine society, sowing distrust and attacking preexisting rifts, but operations designed to specifically focus on election legitimacy are well precedented and often misinterpreted. These operations may already be happening and may outlast the election itself. The opportunity and utility of attacking the 2020 election may not fade for some time, especially given this year’s unique circumstances.
The targeting of voting systems has frequently been assessed as an attempt to make specific changes to results in order to directly change the outcome of the election. However, such a scenario would require an enormous effort across a multitude of systems. A more likely scenario is an incident that draws attention to itself, raising questions about the integrity or availability of systems. In 2014, APT28 gained access to a website belonging to Ukraine's Central Election Commission and falsely reported a candidate had won. The intrusion did not change results, but it was hard to ignore. The targeting of systems such as these is in itself a means of interference, as it will necessarily raise questions about unknown actions by the adversary. For instance, though there is no evidence that Sandworm, Unit 74455 of the GRU, did anything to change results when they targeted election systems in 2016, knowledge that these systems were targeted could suffice to undermine confidence.
Ransomware is a means of disruption that could be leveraged to interfere with limited election processes. Fake ransomware, ransomware that is not intended for financial gain, has been used on several occasions by the GRU. The NotPetya incident is one such example. This capability is particularly deniable, especially considering the many incidents state and municipal organizations have already encountered.
Coordinated inauthentic behavior could be leveraged to promote discord over election legitimacy. Before the results were even known in 2016, pro-Kremlin bloggers had prepared the campaign #DemocracyRIP. Any discrepancy or complexity associated with results could be used as a means to denigrate the process.
The circumstances of this election will provide a unique opportunity for interference. Any operation would benefit from the environment of distrust and disagreement over what transpired in 2016. However, information operations no longer enjoy the obscurity they once did, and a clear recognition of their mechanics and their limitations may well inoculate us against their effects.
For More Information
I will be briefing these items and more to attendees of a special Mandiant Executive Intelligence Briefing on Oct. 13. Register for the briefing today, and also remember to visit the FireEye Election Security page for the latest on election security-focused news and analysis from Mandiant.