Every election process, for as long as elections have been held, has faced the threat of interference in one form or another. The only thing that has changed about foreign election intervention today is how the operations are conducted in the digital era. There are a few fundamental ways an adversary can digitally interfere with an election process; these mainly take the form of information operations or disruptive attacks designed to manipulate voter turnout and opinion.
So, was the 2020 Presidential election in the United States interfered with at a nation-state level? Of course, though I think the real questions are:
- Did it have any meaningful impact?
  - No. While everyone prepared for external information campaigns and attacks, the real threats came from within the country this time.
- What was the United States able to mitigate?
  - U.S. Cyber Command took more of a defend-forward strategy during this election and carried out several preemptive operations designed to help deter a major attack on our election infrastructure.
Once considered a low-level APT threat, Iran became noteworthy in 2020. During the run-up to the presidential election in the United States, Iran’s activity began to take center stage. In early September, the United States Department of Justice indicted two Iranian hackers for defacing websites following the assassination of Qasem Soleimani, as well as three state-sponsored Iranian hackers for stealing critical information related to U.S. aerospace and satellite technology.
Then, on September 17th, the Department of Justice announced that the DOJ, FBI, DHS, and the Department of the Treasury had all engaged in a coordinated effort to disrupt and deter malicious cyber activities by actors associated with the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC). A few days later, on September 30th, Twitter announced that, based on intelligence provided by the FBI, it had removed approximately 130 accounts that appeared to have originated in Iran and were attempting to disrupt the public conversation on its platform during the first 2020 U.S. Presidential Debate.
In addition to these actions, the Department of Justice announced on October 7th that it had seized 92 domain names unlawfully used by the IRGC to run a global disinformation campaign. Following this announcement, on November 4th the Department of Justice announced it had seized an additional 27 domains from the IRGC.
Finally, back in October, Proofpoint disclosed that Democratic-registered voters in Florida had begun to receive threatening emails claiming to be from a right-wing hate group, the Proud Boys. The emails threatened voters, stating there would be consequences if they didn’t vote for the sitting U.S. President, Donald Trump. The campaign received immediate and widespread coverage, was quickly addressed by the FBI, and was attributed within two days as an Iranian false-flag operation. The recipients’ details had been obtained by the Iranian hackers from public voter registration data, a threat the FBI had warned about in Public Service Announcement I-092820-PSA.
While Iran’s activity dominated headlines, Chinese government-linked hackers were indirectly attributed in October to an ongoing global cyber espionage campaign called SlothfulMedia. In addition to this report on Chinese activity, Google released new details about a Chinese hacking group (APT31) that had targeted Biden’s campaign in June. In that campaign, both APT31 and the Iranian hacking group APT35 targeted campaign staffers’ emails with credential-phishing malspam that contained tracking links. This is also the same report from Google’s TAG that highlighted a new world-record DDoS attack, a UDP amplification attack that originated from Chinese ISPs (specifically, ASNs 4134, 4837, 58453, and 9394).
In my personal opinion, and one I spoke briefly about in a previous blog, Russia’s biggest contribution to interfering with the current elections in the United States came in 2016, when it publicized the tactics, techniques, and procedures (TTPs) used for conducting disinformation campaigns. As a result, United States citizens were among the main spreaders of disinformation during the 2020 presidential election, in the hope of influencing voter opinion.
Beyond having shown citizens how to run localized information operations, Russia was also directly active: CISA and the FBI announced in security alert AA20-296A that the Russian state-sponsored APT actor Energetic Bear had targeted dozens of state, local, tribal, and territorial (SLTT) government and aviation networks by chaining vulnerabilities together. As of October 1st, CISA and the FBI reported that data had been exfiltrated from at least two victim servers. The election-related concern stemmed from election information being hosted on SLTT government networks. In the report, CISA and the FBI confirm there is no evidence that the integrity of the election was compromised as a result of the breach.