Did Nation-State Attacks Impact the U.S. Elections?


Every election process, going back for ages, has faced the threat of election interference in one form or another. The only thing that has changed about foreign election intervention today is how the operations are conducted in the digital era. There are a few fundamental ways an adversary can digitally interfere with an election process: mainly information operations or disruptive attacks, both designed to manipulate voter turnout and opinion.

So, was the 2020 Presidential election in the United States interfered with on a Nation-State level? Of course, though I think the real questions are:

  • Did it have any meaningful impact?
    • No. While everyone prepared for external information campaigns and attacks, the real threats came from within the country this time.
  • What was the United States able to mitigate?
    • U.S. Cyber Command took a defend-forward posture during this election and carried out several preemptive operations designed to deter a major attack on our election infrastructure.

Iran

Once considered a low-level APT threat, Iran became noteworthy in 2020. During the run-up to the presidential elections in the United States, Iran’s activity began to take center stage. In early September, the United States Department of Justice indicted two Iranian hackers for defacing websites following the assassination of Qasem Soleimani, as well as three State-Sponsored Iranian hackers for stealing critical information related to U.S. aerospace and satellite technology.

Then, on September 17th, the Department of Justice announced that it, the FBI, DHS, and the Department of the Treasury had all engaged in a coordinated effort to disrupt and deter malicious cyber activities by actors associated with the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC). A few days later, on September 30th, Twitter announced that, based on intelligence provided by the FBI, it had removed approximately 130 accounts that appeared to have originated in Iran and were attempting to disrupt the public conversation on its platform during the first 2020 U.S. Presidential Debate.


In addition to these actions, the Department of Justice announced on October 7th that it had seized 92 domain names unlawfully used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to run a global disinformation campaign. Following this announcement, on November 4th the Department of Justice announced it had seized an additional 27 domains from the IRGC.

Finally, in October, Proofpoint disclosed that Democratic-registered voters in Florida had begun to receive threatening emails claiming to be from a right-wing hate group, The Proud Boys. These emails threatened voters, stating there would be consequences if they didn’t vote for the current U.S. President, Donald Trump. The campaign received immediate and widespread coverage, was quickly addressed by the FBI, and was attributed within two days as an Iranian false flag operation. The voters’ email addresses had been obtained by the Iranian hackers from public voter registration data, a threat the FBI had warned about in Public Service Announcement I-092820-PSA.

China

While Iran’s activity dominated headlines, Chinese government-linked hackers were indirectly attributed in October to an ongoing global cyber espionage campaign called SlothfulMedia. In addition to this report on Chinese activity, Google released new details about a Chinese hacking group (APT31) that had targeted Biden’s campaign in June. In that campaign, both APT31 and the Iranian hacking group APT35 targeted campaign staffers’ emails with credential phishing malspam that contained tracking links. The same report from Google’s TAG also highlighted a new world record DDoS attack, a UDP amplification attack that originated from Chinese ISPs (specifically, ASNs 4134, 4837, 58453, and 9394).
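The UDP amplification technique mentioned above has a simple defensive signature: a victim receives large UDP replies from many reflector hosts on well-known service ports it never queried. The following is an added example, not code from the original post or from Radware, that runs that heuristic over constructed NetFlow-style records. The amplifier port table, the thresholds, and the flow field names are assumptions made for the example.

```python
"""Flag likely UDP amplification traffic in a batch of flow records.

Added example (not from the original post). Assumes simplified
NetFlow-like records; real exporters use different field names.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors; the reply's source port is
# what the victim sees. This table is an assumption for the example.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    nbytes: int


def amplification_report(flows, min_avg_bytes=800, min_reflectors=3):
    """Group inbound UDP flows per (victim, amplifier service).

    A group is flagged when replies arrive from at least `min_reflectors`
    distinct source IPs on a known amplifier port and the average packet
    size is at least `min_avg_bytes`. A legitimate client rarely receives
    large UDP replies from dozens of different DNS/NTP servers at once.
    Returns {(dst_ip, service): {"reflectors": n, "bytes": total, "avg_pkt": avg}}.
    """
    groups = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in AMPLIFIER_PORTS:
            continue
        g = groups[(f.dst_ip, AMPLIFIER_PORTS[f.src_port])]
        g["reflectors"].add(f.src_ip)
        g["bytes"] += f.nbytes
        g["packets"] += f.packets

    report = {}
    for key, g in groups.items():
        avg = g["bytes"] / g["packets"] if g["packets"] else 0.0
        if len(g["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            report[key] = {
                "reflectors": len(g["reflectors"]),
                "bytes": g["bytes"],
                "avg_pkt": round(avg, 1),
            }
    return report


# Constructed sample data (documentation address ranges): 203.0.113.10 is the
# victim; 198.51.100.1-4 act as DNS reflectors sending ~1300-byte replies.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 53, "203.0.113.10", 41000, "udp", 120, 156000),
    Flow("198.51.100.2", 53, "203.0.113.10", 41000, "udp", 130, 169000),
    Flow("198.51.100.3", 53, "203.0.113.10", 41000, "udp", 110, 143000),
    Flow("198.51.100.4", 53, "203.0.113.10", 41000, "udp", 125, 162500),
    # Only two memcached reflectors: large packets, but below min_reflectors.
    Flow("198.51.100.5", 11211, "203.0.113.10", 41001, "udp", 40, 56000),
    Flow("198.51.100.6", 11211, "203.0.113.10", 41001, "udp", 38, 53200),
    # Ordinary DNS answer to another host: one resolver, small packets.
    Flow("198.51.100.53", 53, "203.0.113.20", 55000, "udp", 3, 300),
    # TCP traffic is ignored entirely.
    Flow("198.51.100.7", 443, "203.0.113.10", 41002, "tcp", 50, 60000),
]

if __name__ == "__main__":
    for (victim, svc), info in amplification_report(SAMPLE_FLOWS).items():
        print(f"{victim} {svc}: {info['reflectors']} reflectors, "
              f"{info['bytes']} bytes, avg packet {info['avg_pkt']} bytes")
```

On the sample, only the DNS group aimed at 203.0.113.10 is flagged; the memcached flows stay below the reflector-count threshold and the single-resolver DNS answer has small packets. In production the thresholds should be tuned against a baseline of normal inbound UDP for each service, and the reflector count is the more robust signal because packet size alone is easy to confuse with legitimate bulk transfers such as large DNSSEC responses.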

Russia

In my personal opinion, and one I spoke about briefly in a previous blog, Russia’s biggest contribution to interfering with the current elections in the United States came in 2016, when it publicized the Tactics, Techniques, and Procedures (TTPs) used for conducting disinformation campaigns. As a result, the majority of those spreading disinformation during the 2020 presidential election in the hope of influencing voter opinion were United States citizens.


In addition to teaching citizens how to run localized information operations, CISA and the FBI announced in a security alert, AA20-296A, that the Russian state-sponsored APT actor Energetic Bear had targeted dozens of SLTT government and aviation networks by chaining vulnerabilities together. As of October 1st, CISA and the FBI reported that data had been exfiltrated from at least two victim servers. The election-related concern was that election information is hosted on SLTT government networks. In the same report, CISA and the FBI confirm there is no evidence that the integrity of the election was compromised as a result of the breach.


Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
