
©2020 Netenrich, Inc. All Rights Reserved


Contents

Potential Cyber and Electronic Threats
    Attacks on electronic voting
    Cybercrime
    High profile account hacks
    Campaign app misuse
Information Warfare Campaigns
    Disinformation campaigns
    Using social media apps, and ads for propaganda
Foreign Entities
    Russia
    China
    Iran
    India
Domestic Threats
    Coronavirus impact on voter turnout
    Interference with mail in ballots
    Violent or disruptive actions
Reputational Threats
    Smear campaigns
    Fabricated media
Conclusion

Threats Surrounding the 2020 U.S. Election

In the months leading up to the 2020 U.S. Presidential election, it is necessary to analyze and understand potential threats to the election. Possible threats to the election and to the electoral process include but are not limited to cyber attacks, information warfare campaigns, targeted attacks by foreign and domestic entities, reputational threats, and physical threats. These threats may seek to undermine or interfere with the election process, to manipulate the outcome of the election in favor of a particular candidate, to allow criminals opportunistic financial gain, and to allow threat actors to gather intelligence on a particular demographic or policy issue.

Potential Cyber and Electronic Threats

Attacks on electronic voting

According to the Department of Homeland Security, election systems are being scanned by unknown entities. Scanning is a technique used for cyber attack reconnaissance. However, it is possible that these systems were also passively scanned. Regardless of the motive, U.S. officials have stepped up election systems security since 2016, when Russian threat actors targeted systems in all 50 states. Attacks on electronic voting could include cyberattacks on polling locations, critical infrastructure attacks meant to prevent people from voting, attacks meant to manipulate votes in favor of a particular candidate, and attacks that seek to postpone the tallying of votes.

Hacktivism

Hacktivists - those activists who leverage information and cyber attacks to promote their ideologies - may pose a small threat to the 2020 election. Hacktivists typically have limited capabilities and resources. Common tactics, techniques, and procedures (TTPs) employed by hacktivists include defacing websites, leaking information, doxxing individuals, and launching distributed denial of service (DDoS) attacks to overwhelm and incapacitate a particular website or service. Possible targets include individuals and organizations representative of ideologies or policy positions that oppose those of the hacktivists.


Thus far, the only reported election-related hacktivist activity was an attack on Roblox user accounts. Roblox is a popular free-to-play multi-platform game with over 164 million active users. The userbase primarily consists of children under the age of 16. Pro-Trump hacktivists accessed Roblox user profiles and sent political messages, encouraging the userbase to tell their parents to vote for Donald Trump. The hacktivists also added red hats and patriotic themed clothing to the user avatars. The red hats were representative of the red MAGA (Make America Great Again) caps often worn by Trump supporters.

Cybercrime

Cyber criminals will potentially use the election as an opportunity for monetary gain. One of the most likely scenarios involves ransomware attacks. These may be used in conjunction with big game hunting (BGH) activities targeting the Presidential candidates. Big game hunting activities are strategically targeted attacks, typically leveraging ransomware, against high value data or assets with a low tolerance for downtime. These attacks may target infrastructure and networks supporting the electoral process or those used by the candidates or major political parties. Theoretically, a ransomware attack on election infrastructure could stall the voting process by locking down electronic votes, postponing the official tally, and thereby delaying the results of the election. In the past, BGH actors have targeted law firms known to have prominent political figures as clientele. Cyber criminals have also been known to steal data and leverage it for extortion, threatening to leak sensitive data and demanding that the affected person or organization “buy back” the data. Other cyber crime ventures may include information theft, phishing attacks, phone call based fraud, or donation scams.

High profile account hacks

In the past, threat actors have been known to hack the accounts of high profile individuals, such as politicians and celebrities. While these account hacks are typically perpetrated by hacktivists or trolls, it is possible that a threat actor may temporarily take over the account of a candidate or prominent political figure and post offensive messages meant to negatively impact the individual’s reputation, to sow discord, or to elicit a negative reaction from foreign governments.


Campaign app misuse

The official campaign apps of Presidential candidates Joe Biden and Donald Trump provide a unique attack surface. Additionally, their collection and sharing of user data raise privacy concerns. The Vote Joe App is Joe Biden’s official campaign app. It was intended as a way for supporters to share and spread voting awareness to family and friends. The app requires users to upload their phone contacts to check if their friends and family are registered to vote. The app used data supplied by a political marketing firm called TargetSmart. If a match was confirmed, the app displayed voter details including name, age, birthday, and most recent voter activity. However, the technology used by the app also allowed users to create a contact with any voter’s name, allowing someone to potentially gather information on a person they do not know, whether out of curiosity or for malicious purposes. The “bug” has reportedly been fixed since the unintended use was discovered. However, few people seem aware that many states have their registered voter data available for public access. The Official Trump 2020 app also experienced security related issues. In June, the app’s Android APK files exposed hardcoded secret keys associated with its Twitter and Google services. Researchers also found that the app collects large amounts of data, which includes tracking users. The Android version of the app requests a large amount of data including but not limited to access to user contacts and location, phone status and identity, the ability to read and delete SD card contents, permissions to view network connections, and permissions to prevent the phone from sleeping. In addition, users must provide their name, phone number, email address, and zip code at signup. Some may consider the data collection and access permissions to constitute an invasion of privacy.
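As an added example (not code from the report or from either campaign’s app) of the pre-release check a development team could run to catch hardcoded keys of the kind reported in the Trump 2020 APK: it walks an Android project tree and flags values shaped like Google API keys or OAuth consumer secrets. The sample project, its file names and every key in it are constructed.

```python
"""Pre-release check for hardcoded third-party credentials in an Android project tree.
Added example, not code from the report or from either campaign app: it pulls name/value
pairs from resource XML, the manifest, Gradle config, properties files and Java/Kotlin
sources and flags values shaped like API keys or OAuth secrets before the APK is built."""
import math
import re
import tempfile
from pathlib import Path

GOOGLE_KEY = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")  # documented prefix and length
SECRET_NAME = re.compile(r"api[_-]?key|secret|consumer|token|client[_-]?id", re.IGNORECASE)
TARGET_SUFFIXES = (".xml", ".gradle", ".kts", ".properties", ".json", ".java", ".kt")
PATTERNS = [  # each pattern yields (name, value) pairs
    re.compile(r'<string\s+name="([^"]+)"[^>]*>([^<]+)</string>'),  # res/values/strings.xml
    re.compile(r'android:name="([^"]+)"\s+android:value="([^"]+)"'),  # manifest <meta-data>
    re.compile(r'buildConfigField\s+"String",\s*"([^"]+)",\s*\'"([^"]+)"\''),  # build.gradle
    re.compile(r'([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*"?([^"\s;]+)"?\s*;?$', re.M),  # KEY = "v"; / k=v
]
FAKE_GOOGLE_KEY = "AIza" + "SyEXAMPLE" + "0" * 26  # constructed, only shaped like a real key

def entropy(value: str) -> float:
    """Shannon entropy in bits per character; random keys score well above prose."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def classify(name: str, value: str):
    """Return a finding kind for one name/value pair, or None when it looks harmless."""
    value = value.strip()
    if value.startswith(("${", "@string/")):  # build-time placeholder or resource reference
        return None
    if GOOGLE_KEY.search(value):
        return "google_api_key"
    if SECRET_NAME.search(name) and len(value) >= 20 and entropy(value) >= 3.5:
        return "probable_secret"
    return None

def scan_text(text: str):
    """Run every extraction pattern over one file's contents -> [(kind, name, value)]."""
    seen, findings = set(), []
    for pattern in PATTERNS:
        for name, value in pattern.findall(text):
            kind = classify(name, value)
            if kind and (name, value) not in seen:
                seen.add((name, value))
                findings.append((kind, name, value.strip()))
    return findings

def scan_tree(root: Path):
    """Scan every candidate file under root -> [(relative path, kind, name, value)]."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in TARGET_SUFFIXES:
            for kind, name, value in scan_text(path.read_text(encoding="utf-8", errors="replace")):
                findings.append((path.relative_to(root).as_posix(), kind, name, value))
    return findings

# Constructed sample project: BACKEND_URL and app_name are harmless; the other three are not.
SAMPLE_FILES = {
    "app/build.gradle": "android {\n  defaultConfig {\n"
        '    buildConfigField "String", "TWITTER_CONSUMER_KEY", \'"EXAMPLEkey1234567890abcdef"\'\n'
        "  }\n}\n",
    # placeholder resolved from the build environment: must not be flagged
    "app/gradle.properties": "twitter.secret=${TWITTER_SECRET}\n",
    "app/src/main/AndroidManifest.xml": '<manifest package="demo.vote">\n  <application>\n'
        f'    <meta-data android:name="com.google.android.geo.API_KEY" android:value="{FAKE_GOOGLE_KEY}"/>\n'
        "  </application>\n</manifest>\n",
    "app/src/main/java/demo/Config.java": "package demo;\n\npublic final class Config {\n"
        '    static final String BACKEND_URL = "https://example.invalid/api";\n'
        '    static final String TWITTER_CONSUMER_SECRET = "x9Q2mT7vLp4Rs8Wn1Kc6Jb3Hd5Fg0Zy";\n}\n',
    "app/src/main/res/values/strings.xml": "<resources>\n"
        '    <string name="app_name">Vote Demo</string>\n'
        '    <string name="twitter_consumer_secret">CONSTRUCTED-a1B2c3D4e5F6g7H8i9J0kLmN</string>\n'
        "</resources>\n",
}

def demo():
    """Write the constructed project to a temp dir and scan it; four findings are expected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content, encoding="utf-8")
        return scan_tree(root)
```

The scan runs on source and build configuration rather than on a packaged APK, whose compiled resources (resources.arsc) would first need to be decoded.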


Information Warfare Campaigns

Disinformation campaigns

In late September, the FBI and CISA (Cybersecurity and Infrastructure Security Agency) issued an announcement to raise awareness of the potential for disinformation campaigns regarding 2020 election results. The agencies noted that threat actors may create or change websites or social media content in an attempt to falsify election results, discredit the electoral process, and undermine confidence in the U.S. political system. These threat actors could use the time needed to certify election results as an opportunity to disseminate disinformation regarding purported voter suppression, spread false news of cyberattacks on election infrastructure, allege voter fraud, and to spread disinformation regarding other issues that would cause the populace to question the election’s legitimacy. Other types of disinformation campaigns targeting the election may include disinformation about how to legitimately vote (time, location, methods) and disinformation about political candidates or their standing on important political issues.

Figure: disinformation tactics - phony memes on Instagram, “deep fake” videos, digital voter suppression, WhatsApp scare tactics, hostile Russians and Iranians, for-profit manipulation services, domestically generated distortions, unwitting protesters.


Using social media apps, and ads for propaganda

Due to its prevalence and ease of sharing posts, social media is a prime tool for spreading propaganda. Facebook recently discovered two networks leveraging social media to spread government propaganda. Related accounts, pages, and groups were removed due to violation of Facebook’s policies regarding CIB (coordinated inauthentic behavior). The networks originated in the Philippines and in China. Facebook removed over 200 accounts, 42 pages, 9 groups, and 27 Instagram accounts related to these campaigns. The Chinese account network used GANs (Generative Adversarial Networks), an AI technique capable of fabricating faces, in an attempt to elude detection. The Chinese campaign included activity directed toward the U.S. 2020 elections. The pages and groups created for these campaigns included one for each major candidate. Such pages and groups could be used for spreading propaganda about a particular party or candidate or for gathering information on users who support a particular candidate or ideology. Mobile apps and ads are other potential means to spread propaganda. The official Android App Store, Google Play, recently announced that it is taking measures to prohibit apps that could be used for political influence campaigns. In regards to these apps, Google defined “misrepresentation” as apps or developers that “impersonate any person or organization, or that misrepresent or conceal their ownership or primary purpose.” This includes apps that misrepresent their location or affiliation and contain content relating to politics or social issues. Google has applied similar parameters to its Ads policy.


Foreign Entities

Russia

According to researchers, Russian threat actors appear to take a pro-Trump anti-Biden stance. Potential threats by Russian entities include propaganda and influence operations, espionage targeting elected officials and candidates, and information leaks. In 2016, multiple Russian threat actor groups reportedly conducted intrusion operations against the DNC. After gaining access to DNC systems, the threat actors engaged in post-exploitation reconnaissance and exfiltration of DNC user data. Based on known indicators of compromise (IOCs) and TTPs, a targeted intrusion of the Democratic Congressional Campaign Committee (DCCC) was also attributed to Russian threat actors. Russian threat actors also carried out a large scale social media influence operation beginning in mid-2015 through the 2016 election season.

Likely targets for Russian espionage in 2020 include people and institutions in a decision-making position who are likely to impact U.S.-Russia relations. Other targets may include personnel affiliated with the Trump and Biden campaigns, the Republican National Convention and Democratic National Convention, prominent members of Congress, and state and local institutions involved in the electoral process. Previous Russian threat actor activity targeting U.S. elections also included espionage attempts targeting federal and state politicians and political institutions, raising the possibility of repeat activity in 2020. Based on prior activity and targeting, several Russian threat actor groups are likely to target systems or information relevant to the 2020 election. Fancy Bear, also known as APT28, is a Russian threat actor group that has ties to Russia’s intelligence organization GRU. They are reportedly linked with Military Units 26165 and 78430. The group has been active since at least 2004 and is known to target multiple sectors, including government, NGOs, military, and aerospace.


One of their better known TTPs is spearphishing campaigns that deliver malicious documents containing a payload. APT28 is an advanced threat actor group with skill, funding, and a track record of successful intrusions against targeted entities. They launched attacks against U.S. political entities during both the 2016 and 2018 elections. APT28 was reportedly involved in the 2016 DNC hack, the DCCC hack, and in a targeted attack against Hillary Clinton’s campaign. The persona 2.0, which was used as a scapegoat for the DNC hacks, was also linked to APT28. In 2018, the group targeted Senator Claire McCaskill using a spearphishing attack. Researchers have observed recent activity linked to APT28. The group reportedly harvested Office 365 credentials of U.S. organizations involved in political activity, including political campaigns, advocacy groups, parties, and political consultants. APT28 also targeted several state-level party organizations. Other Russian threat actor groups known to target U.S. political interests include (APT29), VooDoo Bear, and Berserk Bear. APT29 is reportedly affiliated with Russia’s foreign intelligence service, the SVR RF. APT29’s focus is on intelligence related to foreign policy and politics. They are also known to maintain persistence in victim networks. APT29 was one of the threat actor groups responsible for hacking the DNC during the 2016 election. Their activity in DNC networks began as early as summer 2015. In 2016, APT29 also conducted spearphishing campaigns with a lure related to election results which targeted multiple verticals, including government entities and political think tanks. VooDoo Bear has been linked to GRU Unit 74455 and is thought to operate in support of or in tandem with APT28. The group has been active since at least 2011. VooDoo Bear is known to leverage cybercrime related TTPs in order to thwart attribution and hinder malware detection.


Berserk Bear is known to target internet-facing infrastructure associated with U.S. state and local governments. The group has been active since at least 2017, when it attempted to gain access to mail server infrastructure belonging to a U.S. state legislature. State and local government infrastructure is significant not only for its day-to-day purposes but also for its involvement in the oversight of the Presidential election. In 2020, observed Berserk Bear activity includes conducting remote vulnerability scanning against a web server associated with a local level government organization in the U.S. Researchers have linked other 2020 election related activity to unspecified Russian threat actors. SKDK, one of Presidential candidate Joe Biden’s election campaign advisory firms, was reportedly targeted by a Russian threat actor group. However, security measures rendered the attempted attack unsuccessful. As noted above, Russian threat actors are also likely to engage in influence operations surrounding the election. Prior to the 2016 election, an information campaign known as Project Lakhta was activated. The project, reportedly run by the St. Petersburg Internet Research Agency (IRA), which is often referred to as the “troll factory,” disseminated propaganda via social media regarding topics such as racial tension and high profile political issues. Troll factory propaganda often seeks to create political strife and influence the targeted population. It is estimated that over 29 million people received targeted content from IRA backed accounts, while the target audience included over 126 million people prior to the 2016 election.

Unit 74455 operators were involved in the 2016 election attacks against a state board of elections, resulting in the theft of personally identifiable information (PII) of over 500,000 voters. They also obtained access to a voter registration software vendor. Additionally, Unit 74455 launched the [.]com website, which contained stolen election related documents, including emails from the Clinton campaign and DNC files.


The troll factory controlled accounts on Twitter, YouTube, and Facebook. It is possible that they leveraged other social media platforms as well. It is assumed that these information operations persist to the present day. At present, state funded Russian media outlets seem to be involved in election-focused influence operations. Recently, Russian media outlets were observed posting election related English-language material with an anti-Biden narrative. Media outlets pushing the narrative included Russia Today (RT), Sputnik, News Front, InfoBrics, TheDuran, USA Really, and others. Other potential propaganda recently published by Russian media outlets includes inflammatory posts regarding racial tensions in the U.S., posts that question the credibility of the U.S. mainstream media, and posts that may cause readers to question the legitimacy and integrity of the American political system.

China

According to researchers, Chinese threat actors appear to exhibit a pro-Biden anti-Trump stance. Based on prior activity and objectives, Chinese threat actors are less likely to attempt to influence the outcome of the election and are more likely to use it as an opportunity for espionage and intelligence collection. Targeted intelligence collection may include building a dossier of U.S. citizens based on political affiliation, gathering information on politicians, and obtaining information that may help predict future foreign policy changes and shifts in power. Chinese threat actors are most likely to target individuals and organizations affiliated with the Biden and Trump campaigns, state and local government officials in swing states, Congressional candidates representing states that have a large business interest in China, and candidates known for anti-Chinese sentiment. In 2020, little activity attributed to Chinese threat actors and related to the U.S. elections has been observed. Judgment Panda, also known as APT31, is a Chinese threat actor group that reportedly carries out attacks at the behest of the Chinese government and specializes in intellectual property theft. According to Microsoft, in June the group targeted high-profile individuals associated with Joe Biden’s campaign, as well as prominent figures in the international affairs community.


Iran

According to researchers, Iranian threat actors have demonstrated a pro-Biden anti-Trump stance. Threats posed by these groups may include phishing and account compromise of individuals affiliated with political campaigns, and social media disinformation campaigns. According to Microsoft, the Iranian threat actor group also known as APT35 has targeted personal accounts of individuals associated with Donald Trump’s campaign. APT35 reportedly has ties to the Islamic Revolutionary Guard Corps (IRGC).

North Korea

According to researchers, North Korean threat actors are likely to take a pro-Trump anti-Biden stance. North Korean threat actors are unlikely to launch attacks meant to threaten the integrity or outcome of the election but may conduct espionage or distribute propaganda. The North Korean threat actors that are most likely to engage in activity targeting the 2020 elections are Velvet Chollima and Labyrinth Chollima (APT38). APT38 is reportedly linked to Bureau 121 of the Reconnaissance General Bureau, which specializes in clandestine operations for the Korean military. Both groups have a track record of targeting U.S. government entities.

India

In February, BL Santhosh, who is affiliated with India’s Bharatiya Janata Party (BJP), threatened to interfere in the 2020 election. At the time, potential Democratic candidate Bernie Sanders had condemned the Trump administration’s response to a violent riot in New Delhi earlier that month that killed at least 27 people. At present, India’s stance on the U.S. Presidential candidates is unknown. Despite Santhosh’s threat, past actions by Indian threat actors indicate that it is unlikely that they will conduct cyber activities related to the election.


Domestic Threats

Coronavirus impact on voter turnout

It is likely that the Coronavirus pandemic will have a significant impact on voter turnout. While virus related restrictions and social distancing guidelines vary per state and across other institutions, it is likely that some people will be hindered in their ability to register to vote or to cast a ballot in person on Election Day.

Interference with mail in ballots

Due to the Coronavirus pandemic and related restrictions, many states are encouraging their citizens to vote via mail-in ballot. However, many people, including incumbent President Donald Trump, criticize this method, pointing out the potential pitfalls. While the likelihood of interference with mail-in ballots is currently unknown, several possibilities exist. Some sources argue that ballots may be lost in the mail, unintentionally misplaced, or not delivered in a timely manner by the postal service. Some note that it would be easy for those with malicious intent to hide, destroy, or refuse to count ballots supporting a particular candidate. It is also possible that the ballots of voters in controlled environments (such as a nursing home) may never reach their intended destination due to caregiver apathy or intentional failure to mail select ballots. Other concerns include but are not limited to foreign or domestic entities potentially printing fake ballots, dishonest citizens exploiting mail-in ballots to vote multiple times, and physical attacks on post offices or mail trucks to steal and sabotage ballots. While there seems to be no supporting evidence for some of these claims, even the low-likelihood scenarios remain possible.

Violent or disruptive actions

Considering the recent protest culture and ensuing riots over political and ideological stances, such as the Black Lives Matter protests, anti-police demonstrations, and Antifa riots, the potential for physical disruption at polling locations must be considered. Disruptions by activist or domestic terror groups may include physical attacks or intimidation targeting election workers or voters, otherwise peaceful protests that block voters from accessing the polls to vote, disruptive demonstrations or riots causing destruction, or other events orchestrated to hinder or intimidate voters.


Reputational Threats

Smear campaigns

Political smear campaigns are a common and opportunistic threat to a candidate’s integrity and reputation. Any candidate has the potential to leverage allegations or unscrupulous revelations about an opposing candidate or their family or associates in an attempt to discredit them. The prevalence of social media allows individuals to quickly spread smear campaign material, often with little context or corroboration. Political smear campaigns have occurred in the past. Prior to the 2016 election, Hillary Clinton’s campaign allegedly used information about Paul Manafort (Trump’s campaign manager at the time) to question the integrity of Trump and his associates. The DNC also reportedly used information related to a meeting at the Kremlin to try to tarnish Trump. Likewise, Trump leveraged disputed reports of Hillary’s campaign finance records and of her alleged misuse of official email during her tenure as Secretary of State as “evidence” of his claim that she was unfit to run as a presidential candidate.

The 2020 election is not without scandal. In a report released in September by the U.S. Senate, allegations were made that unspecified records tie Hunter Biden to illegal activity. Hunter Biden is the son of Democratic Presidential candidate Joe Biden.

The underlying investigation focused on H. Biden’s role on the board of Burisma Holdings, a Ukrainian natural gas firm. The focus was primarily on financial transactions. There were reportedly millions of dollars in “questionable” financial transactions between H. Biden and his associates and foreign individuals. Among these were individuals linked to the Chinese government and China’s People’s Liberation Army. One of the more notable points was a $3.5 million transaction between H. Biden and Yelena Baturina, who was the wife of the former Moscow mayor Yury Luzhkov (now deceased).


Baturina allegedly has involvement with major criminal groups, including Solntsevskaya Bratva, an organized crime group. Another notable point in the report was that unspecified records exist showing H. Biden sending thousands of dollars to (unnamed) Russians and Ukrainians who have “been involved with transactions consistent with possible human trafficking.” The report does not indicate that Joe Biden has any involvement in these activities. However, it is possible that this information may be leveraged to attempt to discredit Joe Biden by association or to persuade potential supporters to consider supporting another candidate.

Fabricated media

At present, advancements in technology such as video, audio, and photo manipulation using sophisticated software or artificial intelligence (AI) allow the creation and production of deep fakes and other synthetic media. While some synthetic media are arguably very artificial in appearance, others are indistinguishable from a legitimate video, photo, or voice recording. Deep fakes and other synthetic media can be used to fabricate “evidence” to convince a target audience that a candidate or other individual did or said something that is scandalous or potentially damaging to their reputation, thereby affecting their candidacy for an elected or appointed position.


Conclusion

As noted above, potential threats to the 2020 election are of both foreign and domestic origin. Potential attack vectors include electronic, informational, physical, and reputational. But all have one thing in common. Whether to gain influence or wealth, to manipulate or to vindicate, all have the potential to undermine our faith in our democracy.

For this reason, it is imperative that those in the position of providing security for potential targets are aware of these threats and remain vigilant in monitoring and protecting those assets.

Credits: The Netenrich Threat Research Center Brandon Hoffman, CISO

Netenrich is a Resolution Intelligence company with threat and attack surface intelligence offerings for digital brands. Learn more about the threats to these elections or even to your organization at https://know.netenrich.com.