The Pentagon has launched a preemptive strike against the Russian hackers who may have attacked the 2016 presidential election with social media influence campaigns. Numerous initiatives, including Harvard University’s Defending Digital Democracy Project, have educated officials on how to fortify elections against cyberattacks and encouraged social media companies to take down fake accounts. Despite these efforts, 67 percent of Americans consider that a foreign influence campaign, either by Russia or other governments, during the midterm elections is “very or somewhat” plausible.
Their worry might have some basis. There’s another threat that few have worked to defend against: malware, or malicious software, designed to steal, deny or alter information. And our research strongly suggests that these attacks are underway in U.S. swing states, as we explain below.
Malware has been used to attack other nations’ elections
Malware seeks to steal, block or alter data. It’s the kind of code used to steal your passwords or credit card numbers. And it can also steal your vote.
It’s recently been used in a number of other countries. With Comodo Cybersecurity malware detection data, for instance, we measured the spread of different malware types before and after the 2018 presidential elections in Turkey. The figure below shows the order in which various types of malware appear — which tells us how they are working to influence an election.
Malware detection in Turkey during its 2018 election
How does this work?
Let’s look at such campaigns step by step. Computer hacking and human hacking both begin with reconnaissance. Who are the targets? Where are they? What are they doing? Are they open to influence? Intimidation? Every country is different. To gather information about a very large group of people, hackers have figured out that the quickest way is to use an application that a high percentage of the targets already have installed, are willing to install, or are forced to install on their computers. Ironically, one tool for this operation could be voter registration software.
Computers are complex machines. Hackers take advantage of this with novel attacks that are hard to predict. In one case, Amnesty International began tweeting Nazi propaganda after someone hacked its “Twitter Counter” — a third-party program used to analyze Twitter followers. Such “malicious” applications can be used for anything, from collecting background information on likely voters to directing their browsers to political websites.
In Turkey, the blue line shows a massive spike in the detection of malicious applications, which came six days before the call for a snap election. Next came wave after wave of computer worms (shown in green), used to distribute more serious malware like computer trojans. The orange line shows Comodo’s trojan detections in Turkey, which occurred on June 21 — three days before the election.
“Trojan” computer programs can give remote attackers full control over a victim computer. Through them, hackers can steal data, such as email; deny data, as in deleting email; and alter data, such as changing what’s in an email. An attacker could send a user to a certain website or deny access to another website. In countries that allow online voting, the vote could be changed.
The malware detection timeline we found for Russia, below, is nearly identical to what we found in Turkey. First come computer and human reconnaissance via application; then, targeted malware dissemination via worm; and finally, information operations via trojan, doing anything from passively gathering intelligence to actively influencing votes.
Malware detection in Russia during its 2018 presidential election
Turkey and Russia are not unusual. Our research revealed that over a dozen recent national-level elections had similar malware timelines. Among the targets might be electronic ballot boxes, which are not hard to hack, having no military-grade defenses. Hopefully election officials could double-check paper ballots to set the record straight, but that is not always the case.
Hacker reconnaissance in the U.S. swing states
So what’s happening in the United States? As of October 2018, RealClearPolitics had the following 13 U.S. states listed on the political fence: Arizona, Florida, Indiana, Minnesota, Missouri, Montana, North Dakota, New Jersey, Nevada, Tennessee, Texas, Wisconsin and West Virginia. And guess what? These 13 swing states are now recording more malware detections per day than the 37 non-swing states!
Malware detection in the U.S.: swing states vs. non-swing states
Below is a malware timeline for Minnesota. See the massive October spike in adware? Seven other swing states have nearly identical charts. Like computer trojans, adware often seems to be doing something useful for you — but in fact, it can hide secret and malicious functionality. Often, adware tries to acquire and sell data about you, from your geolocation to a list of what websites you visit.
Recent malware detections in Minnesota
Our research offers strong evidence that politicians and spies are also using adware to collect information — after which they run more invasive, targeted cyber operations.
Why are spikes in malware detection troubling?
With malware, hackers can steal, deny or alter any type of digital information. Hackers can help politicians more easily win an election.
As you can see, hackers are conducting digital reconnaissance against the U.S. swing states. With that intelligence in hand, they are likely to run influence operations targeting voters, perhaps via social media. More aggressively, they might try to deceive election officials or infrastructure with false numbers or narratives.
During the 2014 Ukrainian presidential election, hackers briefly changed the final vote tally on the official election website to a ridiculously wrong number that was immediately broadcast on Russian television. One software coder associated with the incident went missing. Since then, cyberattacks on Ukraine have manipulated its electricity grid and targeted the business sector in what was the most costly cyber incident in world history.
The United States should not assume that it is immune from such attacks.
Back to our upcoming election. Donald Trump won the 2016 poll by a grand total of 107,000 votes in three key swing states — or about the same number of people who attend a home Michigan Wolverines football game. Thus, from a statistical perspective, not all that much is required to determine the winner of an election, especially given the surprising power of computer hacking and malware.
Kenneth Geers is a senior fellow with the Atlantic Council, a NATO Cyber Centre of Excellence Ambassador, and the chief research scientist at Comodo Cybersecurity.
Nadiya Kostyuk is a fellow with EastWest Institute’s Global Cooperation in Cyberspace Initiative, a nonresidential fellow with the Cyber Security Project at the Belfer Center, and is completing her PhD at the University of Michigan in political science and public policy.