By: Daniel Frey, Yelisey Boguslavskiy, & Mikaela Buryj
Key Takeaways
On September 1, 2020, Russian media outlets reported that US voter data had been accessed and circulated in the DarkWeb causing a wide-spread discussion of cybersecurity and electoral policies.
AdvIntel identified DarkWeb chatter suggesting that the emotional reaction and election-related cases of panic in social media may facilitate the formation of a new segment of cybercrime in which election-related operations attract actors from various cybercrime domains who aim to capitalize on the election exploitation.
As the election draws near, the American public is caught between Russian hackers who conceal their for-profit activities as political meddling in an attempt to capitalize on election-security anxieties, and journalists and social media influencers (both Russian and American) whose representation of these events leads to panic. As a result, more actors are expressing a desire to exploit the emotional public response, defraud electoral security institutions, and use fear of election meddling for monetary gain.
In this piece, AdvIntel subject matter experts address a change in the electoral security threat landscape: a merger between political and for-profit interests that has been trending across the Russian-speaking DarkWeb and has led to attempts to sell voter data.
The Threat Landscape
On September 1, 2020, Russian media outlets reported that data on US voters had been circulated across the Russian-speaking DarkWeb.
Russian-speaking threat actors claimed access (threat reported by AdvIntel in July 2020) to publicly available voter information in at least 19 U.S. states, including North Carolina, Michigan, Alabama, Arkansas, Colorado, Connecticut, Delaware, Florida, Kansas, Missouri, New Jersey, New York, Ohio, Oklahoma, Pennsylvania, Rhode Island, Texas, Utah, and Washington.
This news, as covered by the US media, gave the impression of Russian interference in the US 2020 election process. However, soon after, both the US law enforcement and security community and the US cyber threat intelligence community announced that the information shared by the actors was publicly accessible.
DHS’s CISA (Cybersecurity and Infrastructure Security Agency) specifically stated that "Information on U.S. elections is going to grab headlines, particularly if it is cast as foreign interference. Early, unverified claims should be viewed with a healthy dose of skepticism."
Indeed, in the wake of Russia’s interference in the 2016 U.S. election, and with the 2020 election now fast approaching, electoral security has become a central subject of cybersecurity discussions and, unfortunately, of emotional claims.
At the same time, government officials are rightly concerned with threats to election security and integrity. Recently, for instance, fake election websites with domain names similar to those of legitimate ones have appeared online, raising concerns about voting-related disinformation. Now, threat actors on the DarkWeb are also taking note of vulnerabilities, and where possible, exploiting them for profit.
Ukraine: Where It All Begins
Over the past month, AdvIntel has been tracking a set of DarkWeb threat actors who have advertised access to voter data in Russia, Ukraine, and the United States. As many experts have already noted, some of the information – particularly in the U.S. case – is already publicly available. In Russia and Ukraine, though.
In late March 2020, threat actor “Kiev-1” (alias obfuscated) advertised access to a database of Ukrainian voters, with more than 30 million records available. Although “Kiev-1” lacked an established reputation on the underground forum, their post nonetheless attracted significant attention from other threat actors, including two, “G_9” and “Denver-7” (aliases obfuscated), who later advertised access to American voter data (as we describe later in this report).
“Kiev-1” advertising access to over 30 million voter records from Ukraine.
Screenshot Source: AdvIntel’s Andariel Platform
Russian-speaking threat actors have a history of targeting Ukrainian information systems. Although in the Russian-speaking DarkWeb it is prohibited for hackers to work within the Commonwealth of Independent States (“CIS”, a collection of post-Soviet countries), they do tend to make exceptions for Ukraine.
Indeed, Russian-speaking cyber threat actors will often test out their capabilities there before moving on to other targets. In March 2019, for instance, the chief of Ukraine’s cyber police reported an “uptick in requests on dark web forums for unauthorized remote access to Ukraine’s voter registry.”
Although the exact means by which “Kiev-1” gained access to this data remains unknown, the existence of the data dump itself appears to fall in line with this trend.
Back to the United States
True to form, Russian-speaking threat actors have not stopped at Ukraine. Beginning in June 2020, a group of at least four Russian-speaking threat actors, “G_9”, “Astor1”, “Denver-7”, and “Seattle-2” (aliases obfuscated), began advertising access to voter data from a large number of U.S. states.
Of this group, “G_9” and “Astor1” (aliases obfuscated) have proven particularly active, collectively claiming access to U.S. voter information from 19 states, including: North Carolina, Michigan, Arkansas, Alabama, Colorado, Connecticut, Delaware, Florida, Kansas, Missouri, New Jersey, New York, Ohio, Oklahoma, Pennsylvania, Rhode Island, Texas, Utah, and Washington. Although the data were not publicly priced, many of the dumps were significant – some contained well over a million records.
Top: “G_9” selling access to U.S. voter information in several states.
Bottom: “G_9” advertising access to a collection of 7.6 million voter records from Michigan.
Screenshot Source: AdvIntel’s Andariel Platform
“Astor1” claiming access to a host of U.S. states’ voter data.
A third actor, “Seattle-2”, advertised access to a nearly 5 million-record voter database from Washington state, laying claim to information such as names, dates of birth, gender, congressional districts, mailing addresses, and last time voted. They also claimed access to voter information from Delaware (over half a million records), Colorado (3.8 million records), and Connecticut (2.2 million records). The fourth, “Denver-7” (alias obfuscated), meanwhile, advertised access to an unspecified number of records from Colorado.
Meanwhile, in Moscow
In July 2020, and again on September 6, 2020, a reputable threat actor, “Moscow-1” (alias obfuscated), advertised access to Moscow/Nizhny Novgorod Oblast online voter data containing over one million records. The dump appears to mirror a data leak reported by the investigative Russian-language outlet Meduza.
“Moscow-1” advertises a database of Moscow and Nizhny Novgorod Oblast internet voters with more than 1 million records. Screenshot Source: AdvIntel’s Andariel Platform
As mentioned previously, Russian-speaking threat actors tend to avoid targeting CIS countries for fear of retribution from local law enforcement. But “Moscow-1” appears to have heeded no such concerns in this case – perhaps because they were entranced by the value of the haul. Indeed, it is not hard to imagine scenarios in which partisans – aligned with either the regime or the opposition – could purchase this data and use it as a stepping stone to identify critics and supporters.
Although they did not express specific interest in “Moscow-1’s” Russian voter data, it is notable that two of the U.S.-focused threat actors mentioned previously, “G_9” and “Seattle-2”, corresponded with “Moscow-1” regarding other data leaks from Thailand, Malaysia, and India. These dumps were not necessarily political in nature, but the threat actor interactions associated with them do capture how interconnected the underground community is, especially when it comes to data leaks.
Threat actors that participated in the Moscow and Ukraine voter data leaks were closely connected to the actors who shared US voter data.
Points of Concern - Cybercrime Rallies Around Elections
If the voter data, especially the US data, is publicly available, why would Russian-speaking actors be trying to share or sell it on the DarkWeb? And why is this data accompanied by Moscow and Ukrainian voter information on the same forums?
The likely answer is that we may currently be seeing the formation of a new segment of the cybercrime community in which election-related operations are becoming a point of connection between carders, identity fraud experts, ransomware groups, network intruders, and web traffic manipulators.
We have seen this process play out in many other areas of cybercrime, specifically ransomware. Given the social and political gravity of the US 2020 elections, criminals are likely to rally intuitively around this subject in order to share their experience, find a for-profit way to monetize electoral compromises, and, potentially, find a political actor who may be interested in their services.
To analyze the political consequences of the Russian and Ukrainian voter data shared on the DarkWeb, AdvIntel interviewed Alexander Korzun, a Russian democratic activist and a political science expert with a focus on the Russian electoral process. Mr. Korzun, who has been directly involved in Russian election monitoring and fraud prevention as an election observer since 2007, argues that this is a very worrying trend.
"In Russia, registered voter data is often used by corrupt polling station workers to detect voters who usually don't vote or who are dead. Then they could mark those voters as having received a ballot in order to throw in fake ballots, or just falsify the final results based on falsified voter data. The more data they have, the easier it is to find vulnerabilities for manipulations. This voter fraud method is called "dead souls"; it's very popular in Russia and it's very difficult to detect."
What makes the American voter dumps shared in 2020 so concerning is that the data they house can be used for a range of nefarious purposes. Depending on the specificity of the information involved, identity theft is one possible scenario. Likewise, another possibility is that the voter data information could be used for political microtargeting by devious domestic actors, or even political interference from foreign ones. It is true, in the United States at least, that a certain amount of voter data is already publicly or commercially available. But given these threat actors' involvement in illegal data dumps in Russia and Ukraine, it is not implausible to imagine scenarios in which they would also illicitly target confidential voter information in the U.S. This is conjecture – not fact – but in our judgment, the possibility remains nonetheless.
Based on our long-term source intelligence, this year’s spike in voter data breaches is unusual. Voter data has, of course, been sold on the DarkWeb in the past. But those dumps generally proved sporadic and often housed outdated information. The threat actors we are now monitoring on the DarkWeb appear to be offering voter data more frequently, and data that is much more current. It remains to be seen whether what we are observing is merely a blip on the radar or part of a new trend.
Points of Concern - Public Vulnerability as Election Season Draws Near
As elections approach, there may be another reason why threat actors decide to share voter data on DarkWeb forums: the exploitation of public concerns.
When Russian-speaking threat actors advertised access to voter records, despite this information being largely publicly available, the advertisements were followed by heightened media attention surrounding a so-called new wave of disinformation and meddling in the United States democratic system.
In this way, the activities of DarkWeb threat actors with for-profit interests met the coverage of the media industry, particularly journalists who search these forums for a scandal and work to bring one to fruition. What is then produced is a state of confusion for those involved and, subsequently, for those watching.
The Fear of Disinformation as a Highly Exploitable Vulnerability
A prime example of this state of confusion is the recent report from the Russian newspaper Kommersant. Attention was brought to this report as it was repeated by US traditional and especially social media with claims that Russian hackers had obtained U.S. voter data. These reports spread rapidly, especially through social media, causing widespread panic and highlighting the ever-present vulnerability of American media consumers to disinformation.
An article appearing in Russian Newspaper ‘Kommersant’ on September 1, 2020, reporting that US voter information has appeared on a Russian hacker site.
While there was some truth to the fact that Russian-speaking DarkWeb threat actors had obtained U.S. voter data, the consequent panic over suspected interference was unsubstantiated. The widespread media attention to this supposed new wave of Russian meddling in U.S. elections illuminates the ease with which an emotional response from the American public can be evoked around this topic.
This fear of interference and the spread of disinformation becomes a vulnerability as DarkWeb threat actors feel (and communicate) that they are now able to exploit American social reactions to election interference. According to the DarkWeb chatter, threat actors share the opinion that they can capitalize on the emotional response “while journalists, subject experts, and political personalities who have not done their due diligence and chose to spread the rumors about Russian election meddling”.
Essentially, an emotional public reaction may motivate even the majority of non-politically motivated cybercriminals to exploit the subject of electoral security in the United States. Since August 2020, AdvIntel has identified multiple discussions of fraud schemes in which fake compromises could be reported to the US authorities for monetary gain.
Before and after the September 1, 2020 publication, Russian-speaking threat actors sought to leverage the voter information they had obtained to claim a reward from the US State Department’s Rewards For Justice program. This initiative, created in 1984, offers up to $10 million USD for information about individuals working on behalf of a foreign government to interfere in US elections by means of illegal cyber activities. A spokesperson for the State Department recently stated that no rewards have been paid out yet.
Even though there is no clear evidence of such schemes being operational (although one of the threat actors claimed that their “colleague” was able to receive $4,000 USD from the US State Department), the additional burden on institutions responsible for electoral security is evident. After the alleged reports of Russian hackers obtaining information were put out by Kommersant and spread by political and national security personalities, various state Departments of State had to investigate and publicly clarify that they had not been hacked.
Threat actor referencing the US State Department’s Rewards For Justice program and claiming they knew an individual who said they had received $4,000 USD from the State Department for a Connecticut voter database.
Additionally, as Foreign Policy magazine reports, the FBI and the Cybersecurity and Infrastructure Security Agency then also had to investigate and make public announcements that they had not seen evidence of cyberattacks on voter databases. This illustrates how the spread of resulting confusion and public hysteria may be more damaging than the suspected meddling.
In summary, as the story of the alleged seizure of voter information by Russian hackers spread online, another source of danger became clear. While the American public is the victim of the alleged Russian interference, the weaknesses and vulnerabilities of the victim are overlooked as the focus is placed on the intent and impact of the aggressor.
An illustration of this is the recent reporting on the 2020 election fake news campaigns present on Facebook. The Internet Research Agency (IRA), a group backed by the Kremlin, was recently reported to have created 13 fake accounts on Facebook. According to the media, the presence of these 13 accounts on Facebook indicates meddling in the upcoming election. Some major media outlets went as far as reporting that the IRA is currently repeating and continuing its work from the last Presidential election four years ago, pushing voters away from the Democratic candidate.
As a result, widespread confusion was created around 13 Facebook accounts, which in the grand scheme of things are not that many. Simultaneously, however, public attention was dragged away from a fundamental electoral threat: the possible lack of preparedness of the infrastructure involved in the election process. On September 11, 2020, VICE reported that the USPS Office of Inspector General found that the services which would be instrumental for tens of millions of mail votes were using applications with significant vulnerabilities.
In sum, as the U.S. elections draw near, it becomes evident that Russian-speaking threat actors and the coverage by both Russian and domestic media can heighten social reactions within the United States, leading to confusion and distorted threat prioritization. While it is likely that information about the U.S. elections, especially in the shadow of interference, will continue to appear in the headlines, it is important to become a defensive media consumer and view headlines, and especially social media pieces, with skepticism.
If sentiments of fear and distrust run through the American public, elections will continue to attract malicious actors. In focusing so heavily on the acts and intentions of threat actors, the weakness and vulnerability of the public's social reactions are illuminated.
Our Team:
Daniel Frey is a senior cyber threat investigator at Advanced Intelligence, LLC specializing in breach and ransomware threat prevention, especially in the areas of industry and critical infrastructure. Previously, Daniel has worked in various capacities at McLarty Associates, PeaceTech Lab, and the Institute of Modern Russia. Daniel's areas of interest lie at the intersection of foreign affairs, technology, and data science. He recently published research on Russian disinformation efforts, using Twitter’s official dataset with nearly 2 million records. Daniel holds a data science program degree from George Washington University and is an alum of the Georgetown University Master of Science in Foreign Service program.
Mikaela Buryj is a cyber threat researcher at Advanced Intelligence, LLC. She graduated Magna Cum Laude from Union College with a B.A. in Political Science and a Minor in Law in June 2020. In the future, Mikaela will be serving as a Peace Corps volunteer in Ukraine and then plans to attend law school and earn a J.D. While working with Advanced Intelligence, LLC, her research has focused on various threat actors and the cyber threat concerns pertaining to the 2020 elections.