Twitter accounts spreading fake news. Turning off a city’s closed-circuit cameras. Hacking self-driving cars and navigation apps. Targeting a city’s 911 call center with a DDoS attack.
These are some of the tactics a red team playing the role of attackers used to impede voting in a tabletop exercise Cybereason held Thursday to show how cyberattacks could be used to interfere with elections. The exercise didn’t include hacking electronic voting machines, the method that’s usually mentioned in discussions on how threat actors could impact an election. Instead, the simulation focused on methods that are less obvious but equally effective: disinformation, traffic jams, confusion around where and when to vote. With U.S. midterm elections approaching and concerns that foreign countries are attempting to influence how people vote, election integrity has become a key issue for local, state and federal governments.
“Elections are very attractive because they’re at the cornerstone of our democracy,” said a Boston city official.
Countering the attack was the blue team, which was made up of police officers from various Massachusetts towns and state and local officials. Their objective was to keep a fictional city’s polls open. While the exercise’s objective wasn’t to name a winner or loser, the hackers, played by Cybereason staff and students enrolled in Boston College’s cybersecurity program, had the advantage during the simulation. The defenders couldn’t fully counter the disinformation that the hackers were putting out, said Ross Rustici, Cybereason’s Senior Director of Intelligence Services.
“The messaging aspect was really critical since most of what the red team was doing was trying to undermine the information the public was getting. How effective state and local officials are at regaining control of the message is critical to the hacker’s success,” he said.
Spreading fake information was part of the hackers’ strategy, said Dani Wood, Cybereason’s director of advisory services and a member of the red team. Instead of manipulating the election to favor one candidate, the hackers wanted to affect voter confidence.
“Our goal was to get everyone to think that the election was rigged and that the results were invalid,” she said.
The attackers wanted their efforts to have an impact that was felt long after people cast their ballots, said Cybereason CSO Sam Curry, who was one of the hackers.
“We wanted people to question the results for years,” he said.
Some of the actions carried out by the attackers included:
-- Hijacking the city’s emergency alert system to spread false notifications that gas leaks were occurring in two voting districts.
-- Creating fake social media accounts and using them to send messages to create confusion around what polling places were open.
-- Creating Twitter hashtags that questioned the election’s validity.
-- Hacking the city’s closed-circuit cameras and turning them off.
-- Exploring hacking navigation services like Waze and autonomous vehicles, which were being tested in the fictional city.
The defenders focused on public safety and getting local and state leaders on television to allay the public’s concerns. The goal was to allow the elections to continue, but as events unfolded, this outcome grew increasingly unlikely.
“Given the cascading crises, I’m not sure that we would have continued on with a full vote that day,” said one police officer.
Some of the measures taken to counter the attackers’ actions included:
-- Using reverse 911 to reach people and tell them to contact law enforcement using the non-emergency number.
-- Allowing people from affected voting districts to vote at any polling station in the city.
-- Establishing official social media channels to convey accurate information to the public.
-- Reaching out to federal agencies, including the FBI and Department of Homeland Security, for help.
“We're playing catch up. That's the world of cyber. We want to be more proactive and less reactive,” said a Massachusetts government official.
Based on feedback from the law enforcement personnel and government officials who attended the simulation, here are some recommendations on how the defenders can keep pace with the adversaries.
-- Make communication between local, state and federal agencies routine. This will ensure that when a crisis happens, all sides are coordinating effectively and conveying the same message across all levels of government.
-- When disinformation is being spread, the narrative has to be controlled early. Not countering the fake social media posts as soon as they appeared put the defenders at a disadvantage they were never able to overcome. The government needs staff monitoring social media and sending out messages to counter any false information that’s posted.
Here's each turn, or move, that the red and blue teams made during the exercise:
- Stop DDoS attack.
- Issue emergency alerts by using local news broadcast to tell voters to avoid districts one and two.
- Agree on a clear, unified message across all branches of government and at the local, state and federal levels. Address the public’s need to know who is responsible and say that with cyberattacks, knowing who the perpetrator is isn't always possible.
- Emphasize to the public that the elections will continue.
- Gain social media access.
- Create fake social media accounts to spread disinformation, including a bomb threat.
- Hack city cameras to prevent officials from using them.
- Deal with phony tweets.
- Communicate that social media accounts have been manipulated.
- Assign social media staff to track messages and handle fake information.
- Have the secretary of state issue a statement on the voting.
- Create a social media botnet.
- Create Twitter messages and hashtags questioning the legitimacy of the election results.
- Continue to keep city from accessing cameras.
- Develop a way to access the Waze navigation service and self-driving cars.
- Work with the state government to consider looking into independent verification of voting for credibility purposes.
- Turn off all traffic lights across city (had access to system start).
- Post fake social media messages that voting has been suspended in a certain district and direct those voters to another district.
- Create rush hour traffic jams.