If you’re a US citizen concerned about the integrity of presidential elections, the next paragraph might raise issues that are stressful to contemplate.
in 2016, hackers had some success spear-phishing a US voting software company to target 122 election officials. The NSA detected and analysed the attacks in a report. Unfortunately, the report has now been leaked to a media organisation world in farcical circumstances, which is how we know about the hacking at all.
That the US e-voting system is under attack, allegedly by Russians, is arguably the least troubling part of this story given how much coverage the issue’s already had.
In September, stories started appearing about alleged covert Russian attacks on online voter registration, and possibly electronic voting systems. After the election, Democrat politicians demanded these claims be investigated.
The report gives credence to these allegations, although the only media organisation to read it in full, The Intercept, admits it has not seen the intelligence data on which this conclusion was based.
What might worry people more is how trivially easy it still is for attackers to target official organisations using cheap-and-cheerful phishing attacks many years after these became an everyday occurrence for every large organisation in the world.
In August 2016, seven people working for a voting software vendor used by a number of US states were sent phishing emails purporting to be from Google, at least one of whom was believed compromised.
With a credential bridgehead and stolen documents, the attackers set up a bogus Gmail account from which to attempt the same trick on state voter registration officials who might be fooled by an email from the company.
The method attached Word documents purporting to be product material that were boobytrapped to hijack Windows PowerShell scripting to download malware.
It’s straight out of the cybercrime playbook, exploiting predictable elements: spoofed emails manipulating consumer webmail, boobytrapped attachments, the ubiquity of Windows.
The Russians get the blame but in truth, any nation with the resources to put a few experienced techies in a room could have done as well. This wasn’t exactly hard work.
What did the campaign achieve? Nobody can be sure, although there is, so far, no evidence that election equipment or voter rolls were manipulated.
News sites have since named Reality Winner, a US government contractor with security clearance, as the report leaker. Her method? Reportedly, printing it out and leaving the building.
As you’ll recall, this comes barely four years after Edward Snowden, another contractor, did the same thing on a larger scale, which in turn came three years after Chelsea Manning copied secret diplomatic cables using a humble CD burner and passed them to Wikileaks.
A system this open to leaking – and phishing – is not simply failing to defend its secrecy, it is incapable of defending its secrecy. If these events prompt a more fundamental security reassessment, perhaps the clumsy, almost reckless attempted probing of the US 2016 election will one day be seen as having done its citizens a big favour.