With the international political situation becoming increasingly fraught and divisive, it is hard to ignore the shadow of foreign interference looming over electoral proceedings around the world. Not only are the US elections arguably some of the most influential on the global stage, but the infamous cyber attack on Clinton campaign manager John Podesta during the 2016 presidential elections was a watershed moment. The attack, which used email-based social engineering techniques to breach Podesta’s email account and leak thousands of emails, marked a move towards more overt and hostile cyber activity in the political arena. The threat of foreign interference takes many forms, from the more subtle use of fake news and online trolls to confuse and frustrate the political discourse, to direct attacks on vulnerable voting infrastructure and attempts to disrupt or breach political parties and individuals. Four years on from the Podesta hack, email remains one of the most prominent weapons in the cyber attacker’s arsenal – and worryingly, the majority of political parties and candidates are still extremely vulnerable to email attacks.
The threat of political spear phishing
Email is the de facto tool of choice for the vast majority of cyber attacks and is exploited in a wide variety of attack types. When it comes to email-based attacks targeting the election cycle, there are two major categories – direct attacks on political candidates and their campaigns, and attacks targeting third parties such as potential voters and donors.
A direct attack along the lines of the 2016 email hack is perhaps the most obvious and overtly damaging outcome of cyber activity by foreign nation states. By targeting and derailing their political enemies, nation states may hope to empower a party that is better aligned with their own interests.
Sowing discord and unrest throughout the political scene at large can also weaken a country by delegitimizing the electoral process. Recent research from Agari that surveyed 803 registered US voters found just over seven in ten were either somewhat or very concerned about this kind of foreign interference in the 2020 election.
This fear is entirely justified, with North Korea, Iran and Russia reportedly having launched more than 2,700 phishing attacks against presidential campaigns and other high-value targets over the last year.
Targeted spear phishing attacks remain one of the most effective ways of breaching political candidates and their campaign staff. Just as we see with standard criminal attacks targeting organizations, threat actors use identity deception techniques to impersonate a trusted contact and trick their victim into sharing details via a phishing site.
This approach is extremely effective as the emails contain no malware for standard email security defenses to detect. Advanced threat actors are adept at crafting emails that look almost indistinguishable from the real thing or may even use a legitimate email account that has been compromised.
Defending against this threat requires going beyond traditional signature-based email security and implementing more advanced measures that are able to pick up on subtle signs pointing to an imposter. Mismatched sender IDs are one of the most common factors, but it is even possible to pick up on elements such as changes to the location and device used by the sender in the case of a compromised account.
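The sketch below is an added example, not code from the article or from Agari, showing how a mail filter might flag the mismatched sender IDs described above from headers alone. The protected name, the domains and the sample messages are hypothetical and constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
import re

# Hypothetical allow-list: protected display names -> domains they really send from.
PROTECTED_NAMES = {"jane candidate": {"campaign.example"}}
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(address):
    return address.rpartition("@")[2].lower()

def sender_mismatches(raw_message):
    """Return a list of identity-deception indicators found in the headers."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []

    # A protected name arriving from a domain the campaign does not use.
    allowed = PROTECTED_NAMES.get(name.strip().lower())
    if allowed is not None and from_domain not in allowed:
        findings.append("display-name-impersonation")

    # An address shown as the display name that differs from the real sender.
    embedded = ADDRESS_IN_NAME.search(name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append("address-in-display-name")

    # Replies routed to a different domain than the visible sender.
    for _, reply_to in getaddresses(msg.get_all("Reply-To", [])):
        if reply_to and domain_of(reply_to) != from_domain:
            findings.append("reply-to-mismatch")
            break
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "Jane Candidate" <jane@campaign-donate.example>\n'
    "Reply-To: finance@mailbox.example\n"
    "Subject: Urgent: donation deadline tonight\n\nPlease give today.\n"
)
LEGITIMATE = (
    'From: "Jane Candidate" <jane@campaign.example>\n'
    "Subject: Town hall schedule\n\nSee you there.\n"
)

if __name__ == "__main__":
    print(sender_mismatches(SPOOFED))
    print(sender_mismatches(LEGITIMATE))
```

Header checks like these catch impersonation from lookalike domains; a genuinely compromised account passes all of them, which is why the location and device signals mentioned above are needed as well.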
Abusing trusted political identities
Threat actors are also using email deception to impersonate the trusted identities of political candidates themselves in order to attack their network of supporters such as potential voters and donors.
Targeting a candidate’s support base is a powerful vector for nation state threat actors aiming to disrupt and derail a campaign. Successfully infiltrating or impersonating campaign email accounts will, for example, enable threat actors to target voters and journalists with fake news or policy positions to damage the reputation of the candidate and sow confusion and distrust. Agari’s survey found 61 percent of voters would not vote for a candidate if they had previously received a phishing email using their identity.
Alongside nation state actors, the election cycle also presents a lucrative opportunity for more standard cybercriminals. Attackers can impersonate official donation request emails to divert campaign donations into their own bank accounts, defrauding individuals and depriving the campaign of much-needed funds.
To protect their voters and donors from criminals abusing their trusted identity, campaigns need to implement controls to monitor the use of their email domain. DMARC, a free-to-use email authentication, policy, and reporting protocol, is one of the most effective tools for achieving this. The protocol enables an organization to block unauthorized use of its domain, stopping common deceptive tactics such as domain spoofing. Once DMARC has been implemented, the organization must set its policy to either reject or quarantine to prevent malicious, unauthorized messages from being delivered to the inbox.
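The difference between publishing DMARC and enforcing it can be checked directly from the record. The following is an added example, not code from the article or from Agari; the domains and TXT records are constructed, and in practice the record would come from a DNS TXT lookup of `_dmarc.<domain>`.

```python
ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # RFC 7489: the record must begin with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags.setdefault(key.strip().lower(), value.strip())
    return tags

def assess_dmarc(txt):
    """Return (status, warnings) for one domain's _dmarc TXT record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc", []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        # p=none only produces reports; spoofed mail is still delivered.
        return "monitor-only", []
    warnings = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        warnings.append(f"policy applied to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() not in ENFORCING:
        warnings.append("subdomain policy (sp) is not enforcing")
    if "rua" not in tags:
        warnings.append("no rua address, aggregate reports are not collected")
    return "enforced", warnings

# Constructed records for hypothetical domains (not real lookups).
RECORDS = {
    "campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example",
    "campaign-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "campaign-d.example": None,  # no TXT record published at _dmarc
}

def audit(records):
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, (status, warnings) in audit(RECORDS).items():
        print(domain, status, warnings)
```

Only `campaign-a.example` is fully protected here: `campaign-b.example` has DMARC but still lets spoofed mail through, and `campaign-c.example` enforces on a quarter of failing mail and leaves its subdomains open.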
Lessons not learnt
Alarmingly, despite the powerful example set in the 2016 presidential elections, we have found that the level of email security is still woefully inadequate for all but a few of the 2020 campaign frontrunners. Agari found that just one of the 13 candidates polling above one percent has implemented the necessary precautions.
Democratic candidate Senator Elizabeth Warren has applied security measures to prevent deceptive email attacks on both herself and her campaign staff, and attacks impersonating her campaign to target donors, voters and others. Every other candidate has either failed to implement email authentication, advanced email security, or both. Democratic favorite Senator Bernie Sanders and even the incumbent President Donald Trump are among those that lack defenses against fraud and breach attempts.
While many candidates do not have the dedicated staff and resources required to deploy these defenses, frontrunners with heavy political and financial backing have little excuse.
With less than a year to go until voting begins for the 2020 election, all candidates must act urgently to secure their campaigns and protect their voters against the mounting threat of foreign interference.