Election Day in the U.S. passed with no evidence of cyber attacks, but the aftermath has been rife with disinformation.
One day after the voting deadline had passed, Cybersecurity and Infrastructure Security Agency (CISA) director Christopher Krebs reported the agency found no signs of cyber attacks or election hacking. There were concerns leading up to Nov. 3 about potential ransomware attacks or other malicious activity that would cause massive disruptions to voting and vote counting; however, no such activity has been reported, according to CISA.
"Importantly, after millions of Americans voted, we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies," Krebs said in a statement. "We will remain vigilant for any attempts by foreign actors to target or disrupt the ongoing vote counting and final certification of results."
While voting across the country occurred without major disruptions or cyber attacks, CISA has had its hands full with disinformation efforts over the last week regarding ballot fraud, software glitches and election hacking. Most of the activity attempts to cast doubt on the results of the election and undermine the projected winner, former Vice President Joe Biden.
CISA set up a rumor control page prior to the election in an attempt to address misinformation and disinformation campaigns. The page provides information related to pre-election, election day and post-election rumors or conspiracy theories pertaining to polling places, rejected ballots, voting system safeguards and more.
For example, CISA addressed accusations that some election workers handed out Sharpies at polling stations to disenfranchise voters because such pens were incompatible with some ballot scanning equipment. "Rumor: Poll workers gave specific writing instruments such as Sharpies, only to specific voters to cause their ballots to be rejected," the advisory said. "Reality: Election officials provide writing instruments that are approved for marking ballots to all in-person voters using hand-marked paper ballots."
One of the more widespread pieces of disinformation involves reports that voting results were manipulated in favor of Biden through election technology called "Hammer" and "Scorecard." CISA, however, threw cold water on such reports, saying there are numerous safeguards in election infrastructure to prevent manipulation of voting results. Krebs also shot down the so-called Hammer and Scorecard conspiracies, which have been repeated by some news outlets.
"I'm specifically referring to the Hammer and Scorecard nonsense. It's just that -- nonsense," Krebs said on Twitter. "This is not a real thing, don't fall for it and think 2x before you share."
Although voting has ceased, CISA's rumor control page will continue to update and address new disinformation. Other agencies and departments are also continuing their efforts to monitor for potential threats. "Our efforts did not end last night -- election defense is integrated into our everyday operations," the U.S. Cyber Command wrote on Twitter last week.
Election Day concerns
Although 2020 election security concerns have been anticipated and addressed since the 2016 election ended, Krebs said at this year's RSA Conference that he could not guarantee election security. One of the more serious early warnings came during Krebs' Black Hat USA session in August, in which he warned that ransomware attacks on local, state and city governments could disrupt voting on Election Day.
Krebs further noted that election-interfering ransomware could have an impact on infrastructure like pollbooks or voter registration databases. In general, ransomware activity has been consistently rising in recent years, including attacks on enterprises, municipalities and healthcare organizations. While there has been a significant amount of news related to ransomware in the last few months, it appears that, at least for the moment, ransomware did not cause any notable disruption to the 2020 election.
But the threat of ransomware was serious enough that the U.S. government, along with private sector companies, took preemptive action with the takedown of Trickbot. In October, Microsoft and several partners used legal action to seize the servers of the notorious botnet, which has been widely used to conduct ransomware attacks. In addition, Trickbot activity was disrupted by altered updates sent to Trickbot-infected systems that cut off communications with the botnet's command and control infrastructure; the disruption was reportedly the work of U.S. Cyber Command, though the U.S. government has not commented on those reports.
Although Trickbot activity appeared to bounce back at first, Microsoft later reported that it had taken down a vast majority of the botnet's operation. Trickbot has apparently infected more than one million devices across the globe since it was created in 2016, and while the complete identity of the entities operating Trickbot is unknown, the botnet is suspected of serving, in part, the interests of nation-state threat actors.
Disinformation campaigns have also been a major concern in the lead-up to this year's election. The most prominent example of disinformation waged by nation-states was disclosed in the October press conference led by U.S. Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray. They revealed that both Russia and Iran had obtained voter information, and that Iranian hackers were posing as the far-right group Proud Boys to send threatening emails to voters demanding that they vote for President Trump "or else!"
CISA later confirmed that Iranian hackers successfully hacked into a voter registration database in at least one state. The hackers used the data to send voters the disinformation material. "The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records," CISA said in the advisory, though there was no indication the hackers had accessed or tampered with any voting machines or vote-counting systems.
SearchSecurity requested additional information from CISA, but the agency declined to comment.