The recent disclosure of an alleged state-sponsored cyber attack on the Australian parliament highlights yet again the pervasiveness of today’s threats targeting democratic election systems. Election interference has been in the spotlight since the ongoing public reckoning with the scale and scope of Russian operations in the 2016 U.S. Presidential Election. While there’s been a focus on the physical security of ballot boxes, the election showed us that our adversaries don’t need to physically change votes — they need only hack our minds or sow disbelief in civic institutions. The same cultural beliefs, valuing open and free communication, that led to the creation of the web and ultimately social media, with its promises of connectedness and community, are being marshaled against us. Implementing security controls for social media must become a standard frontline defense for protecting our electoral processes. To that end, we have been working with partners in Europe and heads of state and cabinets in Five Eyes countries on knowledge sharing initiatives and defensive strategies.
Digital Life Under Attack
The hacking and subsequent leaking of personal information of German politicians, journalists, and celebrities in January received widespread media attention. However, the method of attack went largely underreported or was glossed over. The hacker, 0rbit, used well-worn social media phishing tactics for account takeover attacks. He posed as Facebook requesting a password update, sending victims to a phishing site disguised as an official Facebook webpage. With stolen credentials tied to email, 0rbit was able to bypass two-factor authentication protocols. From there, 0rbit replicated the strategy to account-hop to other, more sensitive, channels like WhatsApp, Dropbox, and even into victims' banking apps. Collecting sensitive information for months, 0rbit completed the circle, as it were, by exfiltrating the data via an Advent calendar-style release on Twitter. All it took was time and patience.
The attack illustrates three key points:
1. The victims were high-profile, digital-savvy users, and even they were easily compromised using low-tech methods. This fact should underscore the urgent need for elected officials to have security controls layered over their social media accounts.
2. The relative ease with which 0rbit was able to move across accounts illustrates the vulnerability exposed by the interconnected nature of digital life. It's nearly impossible to track down the attack method for every single victim, but it's easy to posit that with one set of credentials 0rbit may have been able to move quickly via single sign-on. We have seen this sort of movement before: Email is the key to social, and social is the key to other apps.
3. Everyone now leads a "digital life," on social and other channels, which is much larger than the experiential life in terms of data collected. Security controls enabled by one platform, such as Facebook, will not necessarily protect victims on another, such as Twitter or YouTube. A defense structure must be platform-agnostic and offer cross-channel protection.
Defense is a proactive endeavor. For our clients, this includes constant scans across social and the dark web for threats. In government, these threats take many forms, such as disgruntled insiders leaking classified information on Twitter. In another instance, our scans surfaced the social media accounts for a purported new political party. The timing, ahead of elections, was suspicious. Our threat detection platform analyzed the accounts against an array of risk signatures, and the accounts scored highly for disinformation content and bot behavior. Further analysis revealed the accounts' followers to be other bots, employing the "amplification node" tactics that we described in our research into Russian Twitter bot behavior. In this same vein, we have also intercepted accounts impersonating elected officials and consulates abroad. More to the point, our platform has empowered our clients to request takedowns directly -- sometimes within hours of discovery -- or provided enough evidence to approach the platforms directly to remove accounts.
The halcyon days of social media are behind us, but that doesn't mean the world won't continue to grow more connected. The one-to-many technology is a powerful communication tool for political leaders and community organizers. It's better to think of the technology as a force rather than in zero-sum terms of good or evil. Social media can be harnessed to great effect or for nefarious ends. As vulnerabilities continue to be exposed, increasing the possibility for real damage, we need to take the right action to address exploitation that undermines our democratic systems. Safeguarding social media accounts is one critical way to stop the cyber attacks at the tip of the spear. We remain committed to continuing to work with our European and Five Eyes partners to do just that.
July 6, 2020