September 28, 2016

[email protected]

Cytegic Special Intelligence Update
United States Presidential Election 2016

Background

The following intelligence report was generated using the Cytegic Dynamic Trend Analysis (DyTA) intelligence platform. This report represents the most interesting and noteworthy cyber trends that were identified using the DyTA platform.

Executive Summary

The following pages represent the most interesting and active cyber trends that Cytegic's DyTA platform has analyzed leading up to the United States presidential election, which will take place on November 8th, 2016. To set the stage, we analyzed the primary trends and patterns identified around similar major political events since 2015. These events show strong correlation with each other and with the current period. In this report we assess the risks and the threat landscape in terms of attackers, TTPs, targeted assets and industries.

We forecast the following trends and activities:

1. An increase in financially driven cyber activity targeting the government, banking and finance sectors. We expect bank accounts, payment cards, available services to clients and client data to be the most targeted assets.
2. Political activists and nation-state attackers are likely to attempt attacks on high-profile targets in the government, media, defense and military sectors, targeting their websites and services to clients, and potentially polling stations, polling databases and services to voters on election day.
3. Potentially high risks for:
   • Personally identifiable information (PII) leakage amid potential financially driven cyberattacks and potential politically driven attacks on voter databases.
   • Nation-backed cyber espionage, especially from Russia.
   • In case of a physical terror attack or a high security alert, politically driven cyber activity is expected to increase substantially, targeting the defense sector as well.

Organizations belonging mainly, but not solely, to the government and media sectors should be on high alert and take preemptive measures in order to minimize their cyber risk. We suggest the following preemptive measures:

- Strengthen anti-phishing and social engineering training and awareness among employees and managers.
- Employ strong web application firewalls and prepare for redirection, XSS and DDoS attacks on websites and mobile apps.
- Use automated cyber risk assessment and calculation in order to improve resilience and prepare in advance for coming threats.

The Risks

Major political events such as the presidential election create high cybersecurity risks, some of which have already been demonstrated around the world surrounding political events or political tension.

1. Voter Database Breaches

Several voter and citizenship databases in the U.S. and around the world have been breached this past year. Sensitive and personal data of tens of millions of people were compromised in each incident.

Major voter database breaches occurred in the U.S. in the past 12 months:

1. In late 2015, a staffer of Bernie Sanders' campaign exploited a software error in the Democratic Party's voter file to access voter information collected by Hillary Clinton's campaign. NGP VAN, the company responsible for the online interface of the voter file, stated that a bug in VAN code was exploited. When the bug was discovered, the company restricted access to the affected areas of the VAN product for all users and limited access to data exports. The company's investigation concluded that no campaign has access to, or has retained, any voter file data of any other client, with one possible exception: one of the presidential campaigns. [1]
2. In December 2015, a researcher was able to gain access to a database holding personal data of some 191 million voters. The data was left exposed online due to a misconfiguration of the database. [2]
3. In June 2016, the researcher who discovered the December exposure mentioned above discovered yet another U.S. voter database exposed to the public. The researcher claimed that the database, containing data of 154 million American voters, may have been accessed by foreign entities. [3]

[1] https://blog.ngpvan.com/news/data-security-and-privacy
[2] https://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/
[3] https://mackeeper.com/blog/post/239-another-us-voter-database-leak

Large-scale voter database breaches occurred around the world in 2016 as well:

1. March 27th - The Philippines' Commission on Elections (COMELEC) database was leaked online, compromising sensitive personally identifiable information, including passport information and fingerprint data, of 55 million Philippine voters. This event took place before the Philippine national elections on May 9, 2016. It is considered one of the biggest government-related data breaches in history, surpassing the OPM hack in 2015. [4]
2. April 4th - The Turkish citizenship database was allegedly hacked and leaked online, compromising the personal information of 50 million Turkish citizens, including that of President Erdogan. The message left by the hackers on the front page of the website hosting the database indicated the attack may have been politically motivated. [5]
3. April 14th - Mexico's entire voter database was discovered online by a security researcher without even the simplest password protection, compromising 93 million voter registration records. [6]

As forecasted in our April report, as we moved closer to the U.S. presidential election in November we have witnessed more politically motivated data breaches, such as the major breach discovered in June. Our assessment is that such breaches may occur again before or around the presidential election. These events will most likely be conducted by politically motivated attackers (political activists, rival parties or nation-backed groups).

In order to better prepare for such attacks, government entities and relevant private sector companies should take the following measures:

• Restrict database access to relevant users and services only; more specifically, configure the firewall accordingly.
• Manage the credentials and permissions of all users and services that can access the database.
• Use "read-only" permissions on relevant resources within the database.
• Back up, encrypt and harden the database.
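One way to implement the access-restriction, permission and read-only measures above for a voter database, as an added example that is not part of the Cytegic report (it assumes PostgreSQL and hypothetical database, table and role names):

```sql
-- Added example, not from the Cytegic report: a least-privilege layout for a
-- hypothetical voter-registration database on PostgreSQL (database, table and
-- role names are assumptions), following the report's measures: restrict
-- access, manage credentials and permissions, use read-only grants, and keep
-- the database auditable. Run while connected to voterdb as a superuser.
-- Network exposure itself is handled outside SQL: restrict listen_addresses
-- in postgresql.conf and allow only known client hosts in pg_hba.conf.

-- Constructed schema so the script runs stand-alone.
CREATE TABLE voters (
  voter_id          BIGSERIAL PRIMARY KEY,
  full_name         TEXT    NOT NULL,
  date_of_birth     DATE    NOT NULL,
  national_id       TEXT    NOT NULL,   -- sensitive PII, never exposed to readers
  precinct_id       INTEGER NOT NULL,
  registration_date DATE    NOT NULL
);

-- 1. Drop the implicit access every login role receives by default.
REVOKE ALL ON DATABASE voterdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 2. One group role per job; login roles inherit from them. Passwords are
--    placeholders: real credentials come from a secrets store, not a script.
CREATE ROLE voter_reader NOLOGIN;
CREATE ROLE voter_writer NOLOGIN;
CREATE ROLE reporting_app    LOGIN PASSWORD 'CHANGE-ME' IN ROLE voter_reader
  NOSUPERUSER NOCREATEROLE NOCREATEDB;
CREATE ROLE registration_svc LOGIN PASSWORD 'CHANGE-ME' IN ROLE voter_writer
  NOSUPERUSER NOCREATEROLE NOCREATEDB;
GRANT CONNECT ON DATABASE voterdb TO voter_reader, voter_writer;
GRANT USAGE   ON SCHEMA   public  TO voter_reader, voter_writer;

-- 3. Read-only access goes through a view that omits the sensitive columns,
--    so a leaked reporting credential cannot dump PII from the base table.
CREATE VIEW voters_public AS
  SELECT voter_id, precinct_id, registration_date FROM voters;
GRANT SELECT ON voters_public TO voter_reader;

-- 4. The registration service may add and correct rows but cannot delete,
--    truncate or alter the table (no DELETE, TRUNCATE or ownership).
GRANT SELECT, INSERT, UPDATE ON voters TO voter_writer;
GRANT USAGE ON SEQUENCE voters_voter_id_seq TO voter_writer;

-- 5. Audit trail: log data-modifying statements from the writer and every
--    statement from the reader, so altered or exported records can be traced.
ALTER ROLE registration_svc SET log_statement = 'mod';
ALTER ROLE reporting_app    SET log_statement = 'all';
```

The same split (no-login group roles, a PII-free view for readers, write roles without DELETE or TRUNCATE) applies to any relational engine; only the role and logging syntax differs.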

To best recover from a data breach, it is advised to record the database's full transaction log, in order to detect corruption or data alteration. Furthermore, it is recommended to keep a backup of the database.

[4] http://blog.trendmicro.com/trendlabs-security-intelligence/55m-registered-voters-risk-philippine-commission-elections-hacked/
[5] https://www.rt.com/news/338409-personal-data-turkey-leaked/
[6] https://mackeeper.com/blog/post/217-breaking-massive-data-breach-of-mexican-voter-data

2. Nation-Backed Cyber Espionage

In our H1 2016 analysis we witnessed an increasing trend of politically motivated attacks targeting the government sector and a continuing trend of attacks on client data and personally identifiable information. Despite the relatively low activity of these attackers during the summer months, we are now seeing a clear return of political hackers targeting the government sector.

A recent and notable example is the Democratic National Committee (DNC) email leak. On July 22nd, WikiLeaks published 19,252 emails and 8,034 attachments from the DNC [7], which had been leaked to the organization. Although WikiLeaks did not reveal its source, cybersecurity experts and American intelligence officials pointed the finger at the Russian government, possibly in an effort to manipulate the 2016 presidential election in favor of the Republican nominee, Donald Trump [8]. Reports of the DNC hack started to emerge in mid-June [9].

Following this leak, reports of another cyber-attack by Russia started to emerge. This time it was said that the FBI is investigating a suspected hack of the Democratic Congressional Campaign Committee (DCCC), a Democratic Party organization which raises funds for Democrats running for the House of Representatives [10]. More recently, it was reported that U.S. intelligence and law enforcement agencies are investigating a possible large-scale Russian operation in the U.S. to disrupt the upcoming presidential election [11].

These attacks are reflected in our current analysis and validate our forecasts throughout this year regarding nation-backed cyber espionage against the U.S. amid the presidential election. Moreover, they reaffirm our assessment and forecast of increasing data breach attempts and politically motivated cyber-attacks against the government sector as we move towards the presidential election in November.

[7] https://en.wikipedia.org/wiki/2016_Democratic_National_Committee_email_leak
[8] http://www.nytimes.com/2016/07/27/us/politics/spy-agency-consensus-grows-that-russia-hacked-dnc.html?_r=0
[9] https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html
[10] http://www.computerworld.com/article/3102024/security/fbi-probing-possible-hack-of-another-democratic-party-organization.html
[11] https://www.washingtonpost.com/world/national-security/intelligence-community-investigating-covert-russian-influence-operations-in-the-united-states/2016/09/04/aec27fa0-7156-11e6-8533-6b0b0ded0253_story.html

3. Financial Risks

Alongside the mentioned risks of data breaches, there is a growing risk to personally identifiable information (PII), especially amid the upcoming presidential election, as forecasted in our H1 2016 report and supported by the patterns we identified around previous similar political events. Our assessment regarding this issue was reaffirmed after analyzing the most targeted assets in the U.S. since then, during the summer months. The most targeted assets were monetary value (mainly bank account data), payment cards, available services to clients and client data. Each of the four was subjected to almost 20% of the attacks on American assets, and about 75% combined.

When narrowing the scope to just the government sector, these four assets are still the most targeted, with almost the same relative share of activity among all targeted assets.

4. Terrorist Acts

With the possibility of physical terrorist acts and heightened security levels around the presidential election, it is very likely that we will see even more heightened cyber activity following such events. Throughout the past 12 months, the correlation between physical terrorist acts and heightened cyber activity around them has been clearly shown in our previous reports and assessments. Such were the cases around the November 2015 Paris attacks, the March 2016 Brussels bombings, the June 2016 Florida shooting, several security alerts around the aviation and transportation industry, and more. Some of these events, like the Paris and Brussels attacks, "resonated" in North America in terms of heightened cyber activity, specifically by politically motivated attackers. We have identified a clear pattern regarding the most targeted industries in the days after a major physical incident, when attackers target high-profile industries: media, government, critical infrastructure, military and defense.

Previous Similar Political Campaigns

As part of our analysis and forecast for the presidential election threat landscape, we analyzed the threat landscape and actual cyber activity around several previous similar major political events which took place in the past 12 months. We found clear patterns that repeat in all cases.

1. United Kingdom: Referendum, 23 June 2016

Attackers: In the three weeks leading into the UK referendum on its EU membership, we noticed an increase in financial activity within the UK, which subsided a week before the referendum day and rose again in the days after. The most notable datum around this event was the sharp increase in activity from political activists, which started a week before the event and peaked the day before.

TTPs: The most prominent TTPs in the three weeks before the referendum were email social engineering and DDoS attacks. These also subsided the week before and increased again 2-3 days before and after the event. A sharp increase in the use of ransomware and Trojans was registered 1-4 days after the event.

Assets: The most targeted assets were monetary value (mainly bank accounts), available services to clients and client data. Monetary value and available services to clients were heavily targeted during the three weeks before the event, and registered a sharp increase on the day before and on the day of the event itself. Moreover, available services to clients alongside client data registered a large increase during the following days.

Figure: Most Targeted Assets - UK Referendum, 23 June 2016

2. USA: Super Tuesday Presidential Primary Election, 1 March 2016

Attackers: In the three weeks leading into Super Tuesday, we noticed an increase in activity from financial hackers in the U.S., followed by the same from political cyber warriors. Political activists' actions (such as Anonymous) peaked three days before the event. All this activity subsided the day before the event and in the following days as well, with the exception of sensationalists' activity, which peaked the day before, and financial hackers, who continued their activity.

TTPs: We noticed very high usage of ransomware, email social engineering and DDoS attacks in the week before the event, subsiding just three days before. The use of all TTPs was relatively much lower from two days before until a week after the event.

Figure: Most Used TTPs - USA Super Tuesday, 1 March 2016

Assets: The most targeted assets in the three weeks before the event, and especially in the week before, were client data, monetary value (mainly bank accounts), payment cards and available services to clients. Similar to the behavior we witnessed regarding TTPs, all assets were relatively less targeted from two days before through the week after the event.

Bottom Lines

The aforementioned cases (and, to a lesser extent, other similar cases) show clear, observable patterns. Within the three weeks leading up to a major political event we identify: an increase in financially driven cyber activity; an increase in the use of email social engineering and DDoS attacks; and an increase in the number of attacks on bank accounts, available services to clients and client data.

• Financial hackers primarily use ransomware and email social engineering, and target client data and bank accounts.
• Political hackers mostly use DDoS attacks and email social engineering, and target available services to clients, client data and bank accounts.

In the week after a major political event we identify: an increase in activity from financial and political hackers, usually from the day of the event and peaking a day to a few days after; an increase in the use of email social engineering attacks and ransomware, peaking days after the event; and the assets most targeted during the three weeks before the event were also the most targeted in the days after, though in lower volumes.

• Financial hackers use mostly email social engineering and ransomware, and target bank accounts, available services to clients and client data.
• Political hackers use mostly DDoS attacks, ransomware and email social engineering, and target available services to clients and bank accounts.

Government Sector Threat Landscape and Forecast

Focusing on the government sector in the USA, we identified a pattern based on the major political events above. We assess that the following is going to repeat itself around the coming election:

• Attackers: a clear increasing trend of both financially and politically motivated cyber activity in the weeks before the event. These subside right around and just after the event, followed by an immediate increase throughout the week after the event.
• TTPs: high use of email social engineering, ransomware, DDoS attacks and Trojans in the weeks before the event. These subside right around and just after the event, followed by an immediate increase throughout the week after the event.
• Assets: a clear increasing trend of targeting client data, available services to clients and bank accounts in the weeks before the event. These subside right around and just after the event, followed by an immediate increase throughout the week after the event.

About

This document was produced using the Cytegic DyTA intelligence platform. Cytegic DyTA gathers, processes and analyzes hundreds of thousands of intelligence feeds from multiple sources on a monthly basis, to allow quick and understandable cyber-trend analysis. DyTA enables cyber-intelligence analysts and CISOs to understand and analyze the threat level of each attacker and attack method relevant to their organization, according to their geopolitical region, industry sector and corporate assets.

For further information, please contact Cytegic at: [email protected]