In 2016, Russian-sponsored threat actors allegedly interfered with the United States presidential election through systematic cyber-attacks, data leaks, and disinformation campaigns. This cyber intrusion into the American democratic process marked a shift in nation-state cyber-crime and the rise of disinformation as a powerful tool of disruption. If the United States could effectively fall victim to damaging interference in a major presidential election, then no state – or future election – would be immune.
Notably, beginning with the compromise and theft of private data and communications from the United States Democratic National Committee (DNC) in mid-2016, Russian forces sought to influence the outcome of the U.S. presidential election in their favor. These malicious actors employed cyber-crime and intentional public deception to subvert the authority of the American Democratic Party and then-presidential candidate Hillary Clinton, releasing private, illegally obtained information to discredit the Clinton campaign.
While it is impossible to estimate the degree to which this interference affected the election outcome, there was a sustained impact on media and public attitudes toward the Clinton campaign. The Russian Federation’s alleged perception that a Trump presidency would prove more advantageous or less obstructive for their geopolitical goals and deliberate attempts to influence this outcome through cyber-crime set a dangerous global precedent.
Electoral processes can never be truly fair and secure if adversaries can pursue political interests in cyberspace. With significant U.S. midterm elections on the horizon and geopolitical tensions already high amid the ongoing Russia-Ukraine conflict, cyber defenders are wary of a repeated attempt to undermine the political process – now in the American legislature.
The Rise of Disinformation
Information is now available almost instantaneously with an internet-connected device. News spreads quickly, and adequately verifying or evaluating information is more complicated than ever. Misinformation, often the result of unintentional inaccuracies, and disinformation, the deliberate dissemination of untruths, are commonplace – and increasingly challenging for consumers to identify.
In the wake of the 2016 U.S. election, nation-states across the geopolitical spectrum better understand the power of messaging – true or false – in shaping public opinion. In addition to releasing stolen information damaging Clinton online via WikiLeaks, the alleged Russian effort to influence the result of the U.S. presidential election included an extensive social media campaign denigrating Clinton and promoting Trump. While these attacks might begin with data theft, as in the compromise of the DNC and Clinton’s email communications, disinformation campaigns often do not take the form of traditional cyber-attacks.
Disinformation has become a tool for threat actors within the former Eastern Bloc and beyond. With little risk of attribution or discovery, attackers can shape media cycles, stoke political polarization, and even decide whole elections by lying or misrepresenting information on social media. In a matter of seconds, these untruths can reach and impact millions of civilians, many of whom rely on social media for accurate news in the digital age.
With little existing regulation of disinformation, these campaigns can be challenging to identify and even harder to prove, allowing the cyber-criminals behind them to continue operating in secret while their content earns consumer trust. At a time when disinformation proliferates, social media organizations must begin to thoroughly interrogate content present on their platforms so that users can better evaluate the information they consume.
As Russia struggles to challenge the narrative about its military aggression in Ukraine and avoid further global economic sanctions, it will likely look to this previously effective tool in its cyber toolbox. In the coming weeks, the Russian Federation could potentially leverage disinformation campaigns to retaliate against or distract from economic sanctions, ignite political divisions in the U.S. during midterm elections, and potentially contribute to the election of allegedly ‘favorable’ legislators to disrupt future legislative processes.
An Expansive Threat Landscape
While disinformation is a rapidly growing threat in the U.S., it is not the only cause for concern for cyber-defenders. The Cybersecurity and Infrastructure Security Agency (CISA) continues to warn American organizations of the growing necessity to keep their ‘Shields Up’ against malicious cyber activity, both retaliatory and otherwise, from Russian state-sponsored and non-state threat actors. CISA, alongside its Five Eyes intelligence partners, has highlighted the risk of cyber-threats, “including destructive malware, ransomware, DDoS attacks, and cyber espionage” to organizations operating critical infrastructure.
Attacks on critical infrastructure continue to threaten national and economic security, even jeopardizing access to essential resources like energy, healthcare, food, and water for civilians. Given this high cost, organizations offering services in one of the United States’ 16 critical infrastructure sectors are increasingly targeted by malicious, often nation-state-sponsored cyber-criminals, seeking to maximize financial gain and exact the most disruption and damage possible from a single attack.
Last year’s watershed breach of oil and gas supplier Colonial Pipeline by the allegedly Russian state-sponsored ransomware gang REvil demonstrated the cyber-vulnerability of many of the most vital critical infrastructure providers. Often characterized by a mixture of information technology (IT) and operational technology (OT), organizations operating critical infrastructure are made more vulnerable by OT/IT convergence.
In these digital environments, very old legacy infrastructure, previously protected from tampering or cyber-attacks by physical barriers, increasingly interacts with IT systems and connects to the internet for greater efficiency. This connection exposes vulnerable industrial systems to all the threats that may target an IT environment. For Colonial Pipeline, the potential for the ransomware encrypting data within its IT systems to spread to its industrial technology forced the organization to shut off OT systems and even induced it to pay a substantial ransom to prevent further disruption.
Since the Russian invasion of Ukraine this February, cyber-crime has increased sharply, including this kind of pervasive ransomware. While the Russian-sponsored critical infrastructure attack that many cyber professionals projected immediately after the invasion never came, the threat is just as prevalent, making it necessary for organizations to keep their ‘Shields Up.’
Though some posit that ransomware is on the decline, it is more likely that attackers are continuing to pivot, innovate, and find new ways to leverage existing malware. Recent reports even point to hacker gangs like Conti, which publicly announced allegiance to Russia amid the conflict with Ukraine, targeting firmware to carry out stealthy attacks that allow cyber-criminals to wipe all data and irrevocably damage or ‘brick’ any given device.
Managing Cyber Risk
These attacker innovations continue to outpace updates to security posture; U.S. organizations and government institutions, including critical infrastructure operators, consistently fall victim to cyber-threats either directly or via unforeseen vulnerabilities in their software supply chains or developer infrastructure. While these organizations cannot hope to avoid a breach entirely, they must prioritize evaluating and minimizing their cyber risk to stay ahead of state-sponsored and non-state attackers.
The U.S. must expect adversaries to continue targeting its national security, democratic process, critical infrastructure, and businesses across industries. With a looming economic recession and ongoing midterm elections, the U.S. cannot afford a damaging cyber-attack and cannot possibly anticipate every breach. Instead, it must focus on engaging government institutions and private sector organizations to assess and mitigate cyber risk. These organizations should emphasize maintaining business resilience by reducing the potential for disruption or data loss, no matter the breach.
U.S. government and private institutions need to focus on proactively hardening systems to prevent future cyber-attacks by gaining complete visibility into their internal and external attack surfaces, mapping vulnerabilities, and hardening the chokepoints where an attacker is most likely to breach systems. Organizations must shift security to the left if we are finally to give the advantage back to the defenders.
About the author: Justin Fier is the VP for Tactical Risk and Response at Darktrace and one of the nation’s leading cyber intelligence experts. His insights on cybersecurity and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements of the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly skilled technical specialist and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.