Meddling in Elections - The Case of Russian Attackers

Ukrainian Elections

Ukraine has proven to be a testing ground for Russian aggression in cyberspace.

Ukrainians went to the polls this Sunday for the first round of presidential elections. Of almost 40 candidates, the two most popular – the comedian Volodymyr Zelenskiy and the current head of state Petro Poroshenko – will head to a run-off, most likely on April 21.

Ahead of the election, network defenders reported heightened cyber aggression and the Ukrainian security agencies confirmed that Russian campaigns against the election were ongoing. Additionally, a Russian national was accused of digital espionage.

FireEye recently reported that hackers backed by Russian authorities are at work to influence the European Parliament elections taking place this May. Microsoft has detected what looks like Russian activity targeting political and non-governmental players such as think tanks – most notably the German Council on Foreign Relations, the Aspen Institute and the German Marshall Fund – ahead of that vote.

These events, as well as US campaign hacks, offer insight into adversarial strategy. The attacker is likely to view these attacks as a testing ground, a way of figuring out what they are likely to get away with. Furthermore, the consequences of politically motivated and state-backed cyber campaigns stretch far beyond the political sphere, as Petya/NotPetya, the most devastating cyber attack to date, demonstrated.

Thus, a reexamination of these cases is the best preparation for the European Parliament elections this spring and the upcoming US 2020 elections, particularly as the tools and techniques that were part of the adversarial toolkit are likely to surface again. On the defensive side, vulnerability assessment and prioritization appear to be underutilized in building resilience to these highly opportunistic attacks.

Constant Escalation

In spring 2014, Ukraine was also gearing up for a presidential election. As troops were moving in to occupy the Crimean Peninsula, the Ukrainian digital infrastructure suffered assaults in cyberspace.

Most notably, the website of the Central Election Commission (CEC) was defaced on election night, erroneously displaying Dmytro Yarosh as winning the elections with 37% of the vote. In reality, he ranked 11th with a somewhat less impressive 0.7%. Regardless, the alleged CEC screen shots were quickly spread across Russian media. The CEC website was unavailable ahead of a parliamentary vote that October due to cyber-attacks.

While website defacement and DDoS do not require intricate knowledge, CERT-UA found advanced spyware on the systems, pointing to a more sophisticated skill set in the attacker(s). It was suggested that a vulnerability in the Cisco ASA software served as the entry point.

Before 2013, Ukraine had already witnessed cyber-attacks. As the political events of Euromaidan and the Russian aggression in Crimea unfolded, the campaigns in cyberspace became more aggressive, more political and more sophisticated. Operations on the ground and in the information and cyber domains appeared to be related, leading up to the 2017 Petya/NotPetya malware. This devastating cyber-attack, with an estimated $10 billion in damages, is indicative of the sort of aggression that has been attributed to Russia.

Similar Attack Vectors

Suspected and proven cases of Russian cyber aggression are similar in the attack vectors that they utilize. Generally speaking, they do not always begin with the most sophisticated technology. Rather, Russian actors have preferred phishing or spear-phishing attacks that rely on users clicking on malicious links, often very well socially engineered. Known vulnerabilities are exploited for the purpose of gaining access and maintaining a foothold in target systems. Once they gain access, however, the attackers begin installing backdoors and malware, some of it customized, that allow them to destroy data in addition to exfiltrating information.

Based on publicly sourced information, Russian hackers were able to penetrate the DNC servers in 2016 by spear-phishing then campaign chairman John Podesta. Once inside, they began installing malware that allowed them to steal and tamper with information on the servers.

All of these politically-motivated attacks have since been linked to Russian actors. It becomes clear that they tend to utilize known vulnerabilities and social engineering in combination with malware.

Moreover, there is also evidence that Russian-based hackers re-use some forms of malware to accomplish their goals. For example, a post-mortem of the DNC hack revealed that malicious actors had installed a type of malware known as “x-agent”. Later in 2016, x-agent was found again, this time targeting mobile phones of Ukrainian service members.

Cybersecurity company CrowdStrike issued a report that detailed Fancy Bear's efforts to use x-agent malware to identify Ukrainian artillery positions on the battlefield. This hacker group, also known as APT 28, is thought to be the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the country's main military foreign intelligence service, and is the same group that compromised the Democratic institutions.

Timeline of Election-Meddling

A quick online search reveals that election hacking has a history. A timeline of ascertained cyber-meddling in political election campaigns, highlighting the 2016 DNC hack, showcases how simple tools can be leveraged to obtain important information which is consequently used to manipulate the images of political parties and candidates.



April 2015

Systems in the German government, universities, and businesses are subjected to cyber-espionage in the wake of strong criticism of Russia’s intervention in Ukraine.

Summer 2015

Cozy Bear aka APT29, a group believed to be backed by the Russian Foreign Intelligence Service (SVR) or the Russian Federal Security Service (FSB), allegedly hacks the Democratic National Committee (DNC). The attacks primarily utilize the SeaDaddy malware - related to SeaDuke and CozyCar - which is often used as a secondary backdoor for access or data exfiltration.

March 15, 2016

Fancy Bear aka APT 28, assumed to be the Main Directorate of the General Staff of the Armed Forces (GRU) of the Russian Federation, the main military foreign intelligence service, appears to begin searching for vulnerabilities in the networks of DNC and Democratic Congressional Campaign Committee (DCCC).

March 16, 2016

Wikileaks publishes a Hillary Clinton email archive, consisting of more than 30,000 public and private emails in a searchable archive. More than 7,500 of the documents were sent by Hillary Clinton.

March 19, 2016

Clinton campaign chair John Podesta receives a spear-phishing email posing as a Google password reset, traced to the user "john356gh," believed to be GRU lieutenant Aleksey Viktorovich Lukashev.

March 21, 2016

John Podesta's account is compromised, which allows access to all account content and related data. More than 50,000 emails are stolen. A later data dump reveals the password as "Runner4567", perhaps used across platforms.

March 28, 2016

A number of other campaign staffers are targeted with similar spear-phishing emails.

April 2016

GRU Lt. Captain Nikolay Yuryevich Kozachek (allegedly part of Fancy Bear) develops, modifies, and monitors the x-agent malware (aka Sofacy) before and during the DNC breach.

April 6, 2016

A DCCC employee is duped by a spear-phishing email when she clicks on an infected link. Her legitimate credentials are transmitted and subsequently abused. More malicious emails are thought to have been sent out the same day.

April 7, 2016

The search for vulnerabilities in the DCCC network is thought to commence.

April 12, 2016

The DCCC network is breached using the previously stolen credentials.

April 18, 2016

The DNC network is compromised through the use of stolen credentials.

April 19, 2016

Bitcoin obtained through mining is used to purchase the “” domain, paid from the same BTC wallet that was also used to pay for a Russian VPN and a server farm in Malaysia. Records show the domain registered to the alias "Carrie Feehan" of New York.

April 22, 2016

Several gigabytes of the DNC's opposition research material are allegedly stolen and compressed in preparation for data exfiltration.

April 25, 2016

A newer version of the x-tunnel malware is installed on the DNC's servers, as the file creation date found later indicates. This malware is commonly associated with x-agent and the group Fancy Bear.

April 28, 2016

DNC staff detect and confirm that unauthorized users have gained access to the DNC network.

April 28, 2016

DNC senior staffers hold an emergency meeting discussing the compromise. CrowdStrike is hired for analysis and mitigation. Within a day the perpetrators are identified as Russian.

May 2016

Both the DNC and the DCCC state that they were aware their networks had been compromised by the beginning of May.

May 5, 2016

CrowdStrike installs the anti-malware platform Falcon on DNC servers while an evolved version of the x-tunnel malware is being developed. The restricted use of the malware, which relies on built-in tools like Microsoft's PowerShell and Windows Management Instrumentation, helps to avoid suspicious activity being flagged by anti-malware technologies.

May 10, 2016

The x-agent malware, used in combination with x-tunnel for exfiltration, is found on the DNC servers. X-agent was originally discovered in 2015 and is commonly associated with Fancy Bear. It allows for persistent access, command execution and keylogging, and aids in the transmission of files.

May 15, 2016

The event log of the MS Exchange server is erased.

Sometime between May 25 and June 1, 2016

The DNC's Microsoft Exchange server is compromised; thousands of emails are believed to have been exposed and exfiltrated.

June 8, 2016

The DCLeaks site goes live and will later include information obtained from the Democratic Party in 2015. For now, it exposes (some of the) information gleaned from the DNC and DCCC systems in 2016.

June 10, 2016

DNC computer systems and the network are replaced secretly. As part of the remediation, employees' laptops, phones, and email accounts are taken offline.

June 14, 2016

Democrats announce the attack against their systems and networks and accuse Russian actors.

June 30, 2016

Overall, 33 computers are established to have been compromised. Malware is thought to have been installed on DCCC systems to maintain discreet access to the network.

July 22, 2016

WikiLeaks launches "DNCLeaks".

October 2016

At least one Linux-based version of x-agent remained active on the DNC network until sometime in October 2016.

December 22, 2016

X-agent is identified by CrowdStrike as targeting both iOS and Android devices via an app used by Ukrainian service members.

November 14, 2018

Spear-phishing emails similar in content to those received in 2016 hit the inboxes of DNC officials.


Known Vulnerabilities

It appears elections are not the only incentive for Russian-orchestrated cyber-campaigns. The approach established so far for the compromise of systems and infrastructure is strikingly similar to the December 2015 Ukraine power grid attack and the attempted 2017 U.S. electric grid attacks. In both of these cases, hackers used spear-phishing emails to gain access to servers before installing malware onto them.

In the former case, hackers also exploited CVE-2015-5374 to compromise the SCADA industrial control system of the power grid controllers and further launched a DDoS attack against industrial Ethernet systems. That particular vulnerability was patched in July of 2015, around five months before the Ukraine power grid attack.

Applying the patch might have helped prevent falling victim to the attack, but critical infrastructure systems around the world are notoriously out of date. This is of particular concern as operational technology increasingly runs on the same platforms as business and user systems. Vulnerabilities in these everyday platforms are well known and understood by hackers and quite often discussed online, which makes them more likely to be used in an attack.

In the spirit of taking advantage of vulnerabilities in ubiquitous platforms, Russian hacking groups have also been observed exploiting common Microsoft Windows vulnerabilities like CVE-2014-4076 and CVE-2015-2387. Both vulnerabilities – known since 2014 and 2015 respectively – have allowed Russian hackers to escalate their user privileges, gaining full and unrestricted access to compromised systems.

These cases help to show that, for every practical purpose, there are simply too many vulnerabilities for organizations to keep up with. Identifying and patching these flaws is a time- and resource-consuming task for traditionally under-resourced IT departments. Thus, it is crucial to optimize resource allocation by pinpointing the vulnerabilities most at risk of exploitation as early as possible.

Integrated and Agile in Nature

Russian-backed attackers, as these cases demonstrate, use a combination of attack tools and vectors, going for the lowest-hanging fruit, and their operations often include thorough preparation and perseverance. Showing a high level of agility and appearing quite opportunistic, the attackers have so far utilized a wide range of tools: technically unsophisticated attack vectors and known vulnerabilities combined with customized and, where necessary, advanced malware.

The aggressor, in the end, is constantly testing a number of tools and their effectiveness, evaluating information and approaches on the fly. This means that no tool – be it within cyber-attacks or the wider influence context – is off limits, and tools are deployed whenever they are considered effective.

Being opportunistic, well-resourced and persistent, with access to a wide toolkit, Russia has been seeking to sow confusion and doubt in the very nature of the processes and networks that underlie representative democracy. This politically motivated attacker sees cyber-attacks as integrated into a wider political context. Leaks, social media activities and information operations are similarly utilized.

Time to Prepare

As the political and diplomatic response has at times been considered lacking and has so far not resulted in altered behavior, deterrence does not appear to be in place. It is therefore even more important to learn to defend against the most likely attacks. Otherwise, the adversary is only emboldened to use the same playbook over again. In cyber-defense, after all, efforts are geared toward making the potential gains not worth the cost and effort for potential intruders.

User cyber hygiene and good information security practices continue to be key in avoiding and detecting such attacks. Given how simple the attack vectors were in the cases analyzed here, there is plenty of room to deny attackers the low-hanging fruit. Improved user awareness, patch management that takes prioritization of vulnerabilities based on threat intelligence into account, better network monitoring and segmentation, and stricter access control practices would likely have avoided the most detrimental effects.

In particular, thinking like an attacker is useful in understanding where the next attack might be coming from, which tools and entry points would be used, or which of the assets are most prone to compromise. Given the complexity and sheer volume of known vulnerabilities in business systems, prioritization allows intelligent decisions on resource allocation. Ranking in vulnerability management points directly to the critical patches or responses. Since many IT systems used in democratic procedures run on commonly used platforms or use off-the-shelf hardware, they are as vulnerable to known faults as any other. Furthermore, systems only used for elections, and not run constantly, have historically lagged behind: upgrades are postponed because of resource scarcity, leading to outdated software being run.
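As an added worked example of the prioritization described above (this is not CYR3CON's product or code and not part of the original article), the following Python script ranks a small inventory of findings by combining the CVSS base score with threat intelligence (exploitation observed, or the flaw being discussed online), the criticality of the affected asset, its exposure, and how long the vendor fix has been available without being applied. Three of the CVE identifiers are the ones the article names; the fourth is an obvious placeholder. All CVSS values, asset names, patch dates and intelligence flags are constructed sample values, chosen so that a CVSS-only ranking and a risk-based ranking disagree.

```python
"""Risk-based vulnerability prioritization (added example, constructed data).

A plain CVSS sort puts the highest base score first regardless of where the
flaw sits or whether anyone is exploiting it. The score below instead weights
each finding by asset criticality, exposure, threat intelligence and how
overdue the patch is, which is the ranking a defender with limited patching
capacity actually wants.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # CVSS base score, 0-10 (constructed sample value)
    asset: str                # hostname (constructed)
    criticality: float        # 0.5 = lab/test, 1.0 = business, 2.0 = election-critical
    internet_facing: bool     # reachable from outside the network
    exploited_in_wild: bool   # threat intel: exploitation observed (constructed flag)
    discussed_online: bool    # threat intel: exploit chatter / public PoC (constructed flag)
    patch_available: date     # date the vendor fix shipped (constructed)


def priority(finding: Finding, as_of: date) -> float:
    """Return a priority score; higher means patch sooner."""
    score = finding.cvss / 10.0            # normalise base severity to 0-1
    score *= finding.criticality           # what the asset is for
    if finding.internet_facing:
        score *= 1.5                       # reachable by an external attacker
    if finding.exploited_in_wild:
        score *= 2.0                       # strongest threat-intel signal
    elif finding.discussed_online:
        score *= 1.5                       # weaker signal: exploit being talked about
    overdue_days = max(0, (as_of - finding.patch_available).days)
    score *= 1.0 + min(overdue_days, 365) / 365.0   # up to 2x after a year unpatched
    return round(score, 3)


def rank(findings, as_of: date):
    """Findings ordered by risk-based priority, highest first."""
    return sorted(findings, key=lambda f: priority(f, as_of), reverse=True)


def rank_by_cvss(findings):
    """Naive ordering by CVSS base score only, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed inventory. Attributes are sample values, not real CVSS data.
AS_OF = date(2015, 12, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-2015-5374", 7.8, "substation-relay-01", 2.0, False, False, True, date(2015, 7, 1)),
    Finding("CVE-2014-4076", 7.2, "workstation-hr-07", 1.0, False, True, True, date(2014, 11, 11)),
    Finding("CVE-2015-2387", 7.2, "web-proxy-dmz", 1.0, True, False, False, date(2015, 7, 14)),
    Finding("CVE-0000-0001", 9.8, "lab-test-vm", 0.5, False, False, False, date(2015, 11, 20)),  # placeholder id
]


def report(findings=SAMPLE_FINDINGS, as_of: date = AS_OF):
    """Return [(cve, asset, priority)] in patch order; also printed when run directly."""
    return [(f.cve, f.asset, priority(f, as_of)) for f in rank(findings, as_of)]


if __name__ == "__main__":
    print("Risk-based order:")
    for cve, asset, score in report():
        print(f"  {score:6.3f}  {cve:15s} {asset}")
    print("CVSS-only order: ", [f.cve for f in rank_by_cvss(SAMPLE_FINDINGS)])
```

With these inputs the placeholder finding has the highest CVSS but lands last, because it sits on a low-value lab host with a fresh patch and no exploitation signal, while the grid-related CVE-2015-5374 on an election-critical asset with a five-month-old unapplied fix rises to the top. The multipliers are deliberately simple; the point is that the ranking changes once threat intelligence and asset context are fed in.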

Therefore, information security has to be the first priority in the face of opportunistic attackers. Sound cyber security practices need to be employed to ensure the confidentiality, integrity and availability of our democratic systems. Only once the election organizer, the political candidate or any other organization has put its own house in order can it worry about the wider hybrid context. Good strategic communication cannot neglect cyber security.


CYR3CON uses artificial intelligence to model, quantify, and predict attacks by malicious hackers. CYR3CON’s flagship product, CYR3CON Priority, has allowed several Fortune 500 companies to avoid cyber-attacks before they appear in the wild by predicting which software vulnerabilities hackers will exploit in the future.