Written by Shannon Vavra
With Election Day less than 100 days away, the National Security Agency and U.S. Cyber Command are carefully monitoring threats to the 2020 U.S. presidential election from Russia, China, Iran, and groups of criminal actors, two officials said Friday.
And while Russian government operatives have probed state IT systems and run hack-and-leak operations to influence U.S. elections in the past, the playbook is not necessarily the same this year, the NSA election threats lead, David Imbordino, and Brig. Gen. William Hartman, the Cyber Command election threats lead, said.
While Russia depended on the Internet Research Agency (IRA) to run influence operations in 2016, they have been outsourcing operations to other actors, Imbordino and Hartman said, confirming that the IRA recently set up an offshoot of its troll farm in Ghana and Nigeria.
“In terms of 2020 [in the IRA] we’ve seen a shift towards more use of proxies…intermediaries…laundering information through other individuals in the media space,” Imbordino said while speaking on a panel at the virtual DEF CON conference. “They had set up something in Africa, in Ghana — in terms of having people there trying to put stuff online about divisive issues, using covert influence websites being able to get their narrative out.”
Beyond Russia’s shifting tactics, the officials said the country is dealing with a whole host of foreign government interests outside of Russia in U.S. politics.
As part of a recognition of the growing threats from nations other than Russia — to include China, Iran, and North Korea — the NSA and Cyber Command formalized its Election Security Group following the 2018 midterm elections to cover threats from all four nations, as CyberScoop first reported. Previously, the NSA and Cyber Command only had a joint taskforce for Russian threats, the Russia Small Group.
The NSA and Cyber Command have been tight-lipped about election threats from abroad. But Friday appeared to mark a pivot point: the two officials delivered their assessment of foreign governments’ efforts to interfere in U.S. politics just minutes after the Office of the Director of National Intelligence released a statement revealing details of Russia’s, China’s, and Iran’s thoughts on President Donald Trump’s and former Vice President Joe Biden’s campaigns.
Bill Evanina, Director of the National Counterintelligence and Security Center, revealed Russia wants to “primarily denigrate … Biden,” while China “prefers that President Trump … does not win reelection.” The intelligence community has assessed “that Iran seeks to undermine … President Trump, and to divide,” Evanina added.
NSA and Cybercom size up ransomware
Threats to U.S. elections don’t stop with nation-state actors’ social media operations.
Ransomware threats to U.S. elections are so great, for instance, that the Election Security Group in recent months has expanded their focus to include those types of attacks, a U.S. government official told CyberScoop.
Imbordino noted Friday he is concerned about ransomware, indicating that ransomware actors could — wittingly or unwittingly — contribute to possible election interference operations.
“I think ransomware is one of those wild cards out there that could be wielded by anyone, criminal actors, etc.,” Imbordino said.
In the case that a ransomware attack does target any election infrastructure or networks, Imbordino expressed concern that malicious actors could seize the moment to make people distrust the election results. Imbordino said he is worried bad actors might spread disinformation suggesting that a ransomware attack could impact the tally of people’s votes, even if that’s not the case.
“You can have a ransomware in a local network that actually doesn’t even impact the election’s counting,” Imbordino said. “But someone could then spin an influence campaign from that and report it to make you think there has been an impact and then not trust the results.”
Moving forward, the NSA is continuing to monitor China’s threats to the election, primarily due to both the scope and depth of their capability, Imbordino said.
“[For] China, I think scale is something that is a bit unmatched in terms of them as a threat both from a cyber standpoint and from an influence standpoint. Certainly on influence they’ve been very active in that region — Taiwan [and] Hong Kong,” Imbordino said. “Them potentially becoming more aggressive in the U.S. space is something that we’ve been monitoring.”
The Election Security Group is also continuing to monitor Iran’s social media influence efforts, Imbordino indicated. The U.S. intelligence community assesses Iran’s efforts will “probably will focus on online influence, such as spreading disinformation on social media and recirculating anti-U.S. content,” according to the ODNI.
Chinese- and Iranian-linked hackers have also been sending spearphishing emails to Biden and Trump campaign staff, respectively, according to Google’s Threat Analysis Group.