How Phishing Attacks on Election Administrators Could Undermine the 2020 Election

It might be good to begin this post by telling the Tale of John Podesta. Once upon a time, there was a Democratic campaign chairman named, John Podesta. John made one big mistake. He had a Gmail address that was easily found online. One day, John received an email from “googlemail.com”. Poor John. He thought this was a real email address. He thought that Google was telling him to reset his password. They told him someone stole his password and that he needed to change it quickly. John panicked. He clicked on the link that was supposed to take him to a site that would let him change his password. This took him to a page that looked just like a Google page. John typed in his old password and his new password and sat back with a sigh of relief. He thought he had stopped the hackers, but John was wrong. He had just given the hackers control of his email and they stole everything they could find. Imagine John’s surprise when he found all of his emails on Wikileaks.

Moral: Look before you leap.

Here is the email that Podesta got. Don’t be surprised if high-ranking government officials and election administrators receive similar emails before the 2020 election. The attackers hope that the old adage is true; that there’s a sucker born every minute. Sadly,  they are usually right.

phish

The Podesta hack was linked to Russia, and Russia is still listed among the three countries accused of trying to influence the 2020 election. On July 24th, William R. Evanina, the director of the National Counterintelligence and Security Center, named China and Iran as the other two, which did not really surprise anyone.

According to Shane Huntley of Google’s Threat Analysis Group, China is targeting the Trump campaign, while, for some reason, Iran is targeting the Biden campaign. And, according to Huntley, they are targeting members of these campaigns with the same sort of attack that succeeded with Podesta. The fact that Google is aware of these attacks indicates that workers within these campaigns are using Gmail accounts that Google, by the terms of its privacy agreement, has access to.

The truth is that these countries are targeting both campaigns. They thrive on making problems for the U.S. and nothing could cause the U.S. more problems than an election outcome that may be questioned due to interference by foreign governments. Simply planting the idea of this possibility may, in fact, be good enough.

But how realistic are the chances that these campaigns can be penetrated by hackers? After all, both campaigns are well-aware of the fact that they are being targeted. Certainly they’ve enacted strategies that will protect them from phishing attacks, right?

Yes and no. I’m quite certain some rudimentary protection is in place. This is confirmed by a study done by cybersecurity firm, Area 1, which found that “53.24 percent of state and local election administrators” have this rudimentary protection. However, this, in fact, is seen as a problem. The researchers do not believe that such basic protection is enough to withstand the full force of a nation-state phishing attack. The following map, modified from the Area 1 report, shows areas that are potentially vulnerable to phishing-based cyberattacks. Generally speaking, any non-green area is vulnerable.

map

Due to the way the U.S. general election is organized, no one believes the overall election results will be targeted. The election outcome, as everyone after the 2016 election is aware, depends on electoral votes. In close elections, the outcome depends on electoral votes from key states, often referred to as ‘swing states’. It is quite clear that these states, and especially key counties and districts within these states, will be the targets for nation-state hackers. With this in mind, here is a map showing key states (in gray) that could be overlain on the map above.

swing

The next step would be for hackers to pinpoint swing counties in these states. Here, for example, is a map showing the swing counties in Pennsylvania, also in gray.

penn

Now, it’s simply a matter for nation-state hackers to identify those swing areas in which election administrators had the poorest phishing security. According to the Area 1 report, about 85% of election officials are vulnerable to phishing attacks.

Below is the report on levels of phishing protection in Pennsylvania. The “personal” category refers to officials who are using their personal email addresses to conduct business and are, therefore, most vulnerable. As the report states, “under no circumstances should elections administrators use personal email for the conduct or administration of elections.”

penn districts

If I wanted to spearphish someone, I would need to find the individual email addresses for election officials in the swing counties. This I could do through the following interactive map.

Berks

I chose to investigate Berks County because it was identified as being a possible swing county. I used the interactive map  to direct me to the Berks county election services website. I could not get there from a foreign location, but, using a VPN masking as a U.S. site, I was allowed access. If this was their first line of defense, it failed miserably.

Once on the website, I could get the election official’s name. I could have directly contacted them through the email address given, but, a short search got me to their LinkedIn account. I think, if I were a hacker, I might use LinkedIn to launch a spearphishing attack.

I now have to be sparse with details because such information could be used to launch a legitimate phishing attack. Suffice it to say that I was able to find a number of contacts for this official that I could have subsequently spearphished to get control of their emails. Then, pretending to be them,  I could spearphish the official. Then what?

If I gained control of the official’s email, social media, or website, I would be in a position to do a number of nefarious things. I could deface the website, send out emails with misinformation, or launch a ransomware attack on the election information website. These might be disturbing and they may tarnish the county’s reputation, but such attacks would not achieve my nation-state goal of actually influencing the outcome of the national election. No, to do this, I would need to alter the election results to favor the candidate of my choice.

To achieve this goal, I would use the election administrator’s special access to data, establish myself within the election result reporting network, and wait. I would do nothing to give away my presence in the network. On election night, I would be in a position to intercept voting tallies that were being sent to the site and alter the totals to make it appear that my candidate won. It can’t be obvious. The final totals should be within the realm of possibility but not so close as to demand a recount, which may find me out. Depending on how many officials I was able to compromise, I would have a reasonable chance to push the entire state one way or another. Since Pennsylvania has a winner-take-all electoral system, all the 20 electoral votes could go to the candidate of my choice. To put this in its most dramatic light, one person can, potentially, decide the outcome of an entire state. The same tactic would be used in other swing states.

Although, in this post, I focused on the county level, I could just as easily, in fact, even more easily, have targeted key swing districts within the county. These are the same districts the main political parties target. If I were to make a prediction on where to look for vote tampering, I would put my money on such districts. My guess is that they have less cybersecurity measures in place and would be easier to infiltrate by nation-states that can simply outgun them with sophisticated attacks and well-designed malware. So is the 2020 U.S. election vulnerable to election fraud? You be the judge.

2 thoughts on “How Phishing Attacks on Election Administrators Could Undermine the 2020 Election

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s