Russian election threat potent, but interference so far slim

Russian state interference has been minimal so far in the most tempestuous U.S. presidential election in decades

“The big story so far is how little we have seen from Russia during the course of this election,” said Dmitri Alperovitch, former chief technical officer of Crowdstrike, the cybersecurity firm hired by Democrats to probe the 2016 hack-and-leak operation.

But U.S. intelligence officials still consider Russia the most serious foreign cyberthreat, and fear it might try to capitalize on turmoil in an election in which Trump has claimed without basis that the voting is rigged and has refused to commit to honoring the result.

State and local government networks remain highly vulnerable, and dozens have already been battered by ransomware attacks sown largely by a few Russian-speaking criminal gangs.

“If the elections are a mess and we won’t find out for weeks who won, that creates all sorts of opportunities for Russians and others to try to cause more divisions and more havoc and chaos,” Alperovitch said. Those go beyond disinformation operations — such as Kremlin attempts to smear former Vice President Joe Biden — which he considers “background noise.”

There are indications that Russian malware planted long ago is lurking hidden, awaiting activation should Russian President Vladimir Putin give the order.

Agents from Russia’s elite Energetic Bear hacking group have since September infiltrated dozens of state and local government networks, federal officials announced last week. They said there was no evidence that election infrastructure was targeted or violated.

Election officials fear a “blend” of overlapping attacks intended to undermine voter confidence and incite political violence: taking over state or local government websites to spread misinformation, crippling election results-reporting websites with denial-of-service attacks, hijacking officials’ social media accounts and making false claims about rigged voting.

So far, the highest-profile foreign meddling incident has been by Iran — a ham-fisted, quickly detected operation in which some Democratic voters received emails threatening them if they didn’t vote for Trump. U.S. officials said Iranians spoofed the sender addresses, purporting to be from the far-right Proud Boys.

On Friday, the FBI and DHS issued an advisory saying the Iranians had scanned state election websites at the end of September — researching their firewalls — and successfully obtained voter registration data in at least one state, using it in an amateurish propaganda video that almost nobody saw before YouTube took it offline. The advisory did not name the affected states or say if any voter registration data was altered.

There have been other incidents. Tuesday’s brief hacking of Trump’s campaign website — an apparent scam by someone seeking to collect cryptocurrency — is a taste of what could be in store. Another was a ransomware attack on Hall County, Georgia, that scrambled a database of voter signatures used to authenticate absentee ballot envelopes.

Election officials across the country have faced phishing attempts and scans of their networks, but that’s considered routine, and none have been publicly linked this election cycle to specific malware infections by foreign adversaries.

Election security officials say they worry more about misinformation mongers eroding confidence in the election than about the potential for vote-tampering.

“The goal is not necessarily to influence a race, but to break down democracy,” said Dave Tackett, chief information officer for West Virginia’s secretary of state. “My biggest concern is a hook that is already in that could explode.”

Such a hook would be malware bombs long hidden in government networks that Russia or another adversary could activate in the thick of a close election as ballot-counting continues past Tuesday due to the large number of mailed-in ballots.

In 2016, Kremlin agents didn’t act after infiltrating Illinois’ voter registration database and election operations in at least two Florida counties. It’s not clear they would show similar restraint this year.

“I do think they returned those arrows to their quiver and made them better for this year,” Peter Strzok, a former FBI agent who helped lead the 2016 election interference probe, said in an interview. He declined to elaborate.

Following Russian military agents’ posting online of emails they hacked from Democrats in 2016, federal officials endeavored to harden state and local government networks. But cybersecurity experts say they remain highly vulnerable, and the public should be wary of claims by election officials that vote-staging and tabulation are fully segregated from those networks.

Often, computer systems “that are thought to be completely isolated turn out to have some sort of connection to the network that the folks weren’t aware of,” said Suzanne Spaulding, the Department of Homeland Security’s top cybersecurity official during the Obama administration.

That exacerbates concerns about ransomware, the FBI's biggest worry for election interference. Typically seeded weeks before activation, it encrypts entire networks into gibberish until the victims pay up. An attack — with plausible deniability for the Kremlin — could freeze up voter registration databases or election-reporting systems.

While care has been taken to segment election systems from other operations at the state level, counties generally don’t separate them. That spells danger.

The cybersecurity firm Awake Security reviewed publicly available databases of internet-facing government servers in 48 states this month and found apparently vulnerable machines in every one. More than 2,500 servers showed critical or high-risk vulnerabilities. A skilled adversary could wipe entire networks clean.

Complicating the equation is the Trickbot network of infected zombie computers controlled by a Russian-speaking criminal consortium that Microsoft has been attempting to disable. It has been the main conduit for Ryuk, the ransomware the FBI says is being wielded against U.S. healthcare facilities.

Alexander Heid, chief research officer for SecurityScorecard, said his firm found 30,000 Trickbot infections on 12 state networks in September and early October.

It’s unclear who’s behind Trickbot and Ryuk or if there’s a relationship with the Kremlin. But cybersecurity threat analysts say that cybercrime syndicates based in its realm generally can't operate without the tacit consent of Russian security services.

“In many cases, when Russian cybercriminals are arrested they’re given a choice to put on a uniform and work for the state or go to prison. And obviously, many choose the former,” said Alperovitch, the Crowdstrike co-founder.

———

Associated Press reporters Eric Tucker and Ben Fox in Washington, D.C., and Christina A. Cassidy in Atlanta contributed to this report.