Attacks/Breaches

10/8/2019
Iranian Cyberattack on US Presidential Campaign Could Be a Sign of Things to Come

Political parties and election systems will be heavily targeted in the months leading up to the 2020 general elections, some security experts say.

A recently detected Iranian cyberattack targeting a US presidential campaign may well be a harbinger of what's in store for political parties and election systems in the run-up to next year's general elections.

Last Friday, Microsoft disclosed that it had observed significant threat activity over the past two months by Phosphorus, a threat group believed to be linked to the Iranian government. Phosphorus, which is also known as APT25 and Charming Kitten, made over 2,700 attempts to break into specific email accounts belonging to Microsoft customers. In many cases, Phosphorus used information about the targets — including phone numbers and secondary email addresses — to try to infiltrate their email accounts.

In the end, Phosphorus attacked 241 targeted email accounts and eventually managed to compromise four of them.

In a blog post Friday, Microsoft corporate vice president Tom Burt described the targeted accounts as being associated with a US presidential campaign, current and former US government officials, journalists covering politics, and prominent Iranian nationals residing outside the country. The four accounts that were actually breached, however, were not connected to the presidential campaign or to the government officials.

Burt did not offer any insight on possible motives for the attacks. But he said Microsoft was releasing the information as part of its effort to be transparent about nation-state-sponsored cyberattacks aimed at disrupting democratic processes.

Concerns over such attacks have been rampant since 2016, when news emerged of Russian hackers breaking into a system belonging to the Democratic National Committee, as well as of their attacks on state election infrastructure around the country.

In a heavily redacted report published in July, the Senate Intelligence Committee concluded that Russian hackers in 2015 and 2016 likely tried to break into election systems in all 50 states. The committee said Russian government-affiliated cyber actors "conducted an unprecedented level of activity against state election infrastructure in the run up to the 2016 U.S. election."

The attacks exposed critical vulnerabilities in election infrastructure at the state and local level, including insecure voter registration databases and aging voting machines that were susceptible to exploitation. News of the attacks has also promoted the impression that US voting systems are insecure, which is what Moscow might have wanted to achieve in the first place, the report said.

More Attacks on the Way
Many of the vulnerabilities from 2016 still exist and will likely be targeted in coming months by cybergroups based in nations that are hostile to US interests, security researchers say.

"We should expect to see attacks against election systems, elected officials, and candidates to only increase as the 2020 elections get closer," says John Pescatore, director of emerging security trends at the SANS Institute.

The US, UK, France, China, Russia, Iran, and North Korea all have very active espionage programs against each other and other targets, says Pescatore, a former NSA analyst. In recent years, election and census systems have become part of the espionage mission for these programs, he says. "Such attacks are just a normal part of espionage these days [for them]," Pescatore notes.

The good news is that despite relative inaction at the federal level, many states are taking positive steps to address gaps in their election infrastructure with help from members of the IT vendor and security community. "While the presidential election is for a national candidate, it is really run like 50-plus state elections that get added together at the end," Pescatore says. "[So] the local efforts are really the most important."

Joseph Carson, chief security scientist at Thycotic, views the recent Iranian cyberattacks as a response to US sanctions and other actions against the government in that country. "Moving forward, I believe that cyberattacks are going to get more aggressive in the lead-up to the US presidential election," Carson says.

The attacks are more likely to target President Trump due to his political stance and recent sanctions against Iran. "Like most cyberattacks, attribution is going to be difficult, and many of these cyberattacks will appear to come from other countries, or even from within the US, occurring from compromised, poorly protected systems," he predicts.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
