With the U.S. Elections Fast Approaching, Fear Becomes a Vulnerability

Updated: Oct 8

By: Daniel Frey, Yelisey Boguslavskiy, & Mikaela Buryj

Key Takeaways

  • On September 1, 2020, Russian media outlets reported that US voter data had been accessed and circulated on the DarkWeb, prompting widespread discussion of cybersecurity and electoral policy.

  • AdvIntel identified DarkWeb chatter suggesting that the emotional public reaction, and the election-related panic spreading on social media, may give rise to a new segment of cybercrime in which election-related operations attract actors from various cybercrime domains who aim to profit from exploiting the election.

  • As the election draws near, the American public is caught between Russian hackers who disguise their for-profit activity as political meddling in order to capitalize on anxiety about election security, and journalists and social media influencers (both Russian and American) whose portrayal of these events fuels panic. As a result, more actors are expressing a desire to exploit the emotional public response, defraud electoral security institutions, and turn fear of election meddling into monetary gain.

  • In this piece, AdvIntel subject matter experts address a shift in the electoral security threat landscape: a merger of political and for-profit interests that has been trending across the Russian-speaking DarkWeb and has led to attempts to sell voter data.

The Threat Landscape

On September 1, 2020, Russian media outlets reported that data on US voters had been circulated across the Russian-speaking DarkWeb.

Russian-speaking threat actors claimed access (threat reported by AdvIntel in July 2020) to publicly available voter information in at least 19 U.S. states, including North Carolina, Michigan, Alabama, Arkansas, Colorado, Connecticut, Delaware, Florida, Kansas, Missouri, New Jersey, New York, Ohio, Oklahoma, Pennsylvania, Rhode Island, Texas, Utah, and Washington.

This news, as covered by the US media, created the impression of Russian interference in the US 2020 election process. Soon after, however, US law enforcement and the security community, as well as the US cyber threat intelligence community, announced that the information shared by the actors was already publicly accessible.

DHS’s CISA (Cybersecurity and Infrastructure Security Agency) specifically stated that "Information on U.S. elections is going to grab headlines, particularly if it is cast as foreign interference. Early, unverified claims should be viewed with a healthy dose of skepticism."

Indeed, in the wake of Russia’s interference in the 2016 U.S. election, and with the 2020 election now fast approaching, electoral security has become a central subject of cybersecurity discussion and, unfortunately, of emotional claims as well.

At the same time, government officials are rightly concerned with threats to election security and integrity. Recently, for instance, fake election websites with domain names similar to those of legitimate ones have appeared online, raising concerns about voting-related disinformation. Now, threat actors on the DarkWeb are also taking note of vulnerabilities, and where possible, exploiting them for profit.

In this piece, AdvIntel subject matter experts examine this shift in the electoral security threat landscape: a merger of political and for-profit interests that has been trending across the Russian-speaking DarkWeb and has led to attempts to sell voter data.

Ukraine: Where It All Begins

Over the past month, AdvIntel has been tracking a set of DarkWeb threat actors who have advertised access to voter data in Russia, Ukraine, and the United States. As many experts have already noted, some of the information – particularly in the U.S. case – is already publicly available. In Russia and Ukraine, though.

In late March 2020, threat actor “Kiev-1” (alias obfuscated) advertised access to a database of Ukrainian voters with more than 30 million records. Although “Kiev-1” lacked an established reputation on the underground forum, their post nonetheless attracted significant attention from other threat actors, including two (“G_9” and “Denver-7”, aliases obfuscated) who later advertised access to American voter data, as we describe later in this report.

“Kiev-1” advertising access to over 30 million voter records from Ukraine.

Screenshot Source: AdvIntel’s Andariel Platform

Russian-speaking threat actors have a history of targeting Ukrainian information systems. Although in the Russian-speaking DarkWeb it is prohibited for hackers to work within the Commonwealth of Independent States (“CIS”, a collection of post-Soviet countries) they do tend to make exceptions for Ukraine.

Indeed, Russian-speaking cyber threat actors will often test out their capabilities there, before moving on to other targets. In March 2019, for instance, the chief of Ukraine’s cyber police reported an “uptick in requests on dark web forums for unauthorized remote access to Ukraine’s voter registry.”

Although the exact means by which “Kiev-1” gained access to this data remains unknown, the existence of the data dump itself appears to fall in line with this trend.

Back to the United States

True to form, Russian-speaking threat actors have not stopped at Ukraine. Beginning in June 2020, a group of at least four Russian-speaking threat actors, “G_9”, “Astor1”, “Denver-7”, and “Seattle-2” (aliases obfuscated), began advertising access to voter data from a large number of U.S. states.

Of this group, “G_9” and “Astor1” have proven particularly active, collectively claiming access to U.S. voter information from 19 states: North Carolina, Michigan, Arkansas, Alabama, Colorado, Connecticut, Delaware, Florida, Kansas, Missouri, New Jersey, New York, Ohio, Oklahoma, Pennsylvania, Rhode Island, Texas, Utah, and Washington. Although the data were not publicly priced, many of the dumps were significant; some contained well over a million records.

Top: “G_9” selling access to U.S. voter information in several states.

Bottom: “G_9” advertising access to a collection of 7.6 million voter records from Michigan.

Screenshot Source: AdvIntel’s Andariel Platform

“Astor1” claiming access to a host of U.S. states’ voter data.

A third actor, “Seattle-2”, advertised access to a nearly 5 million-record voter database from Washington state, laying claim to information such as names, dates of birth, gender, congressional districts, mailing addresses, and last time voted. They also claimed access to voter information from Delaware (over half a million records), Colorado (3.8 million records), and Connecticut (2.2 million records). The fourth, “Denver-7”, meanwhile advertised access to an unspecified number of records from Colorado.

Meanwhile, in Moscow

In July 2020, and again on September 6, 2020, a reputable threat actor, “Moscow-1” (alias obfuscated), advertised access to online voter data from Moscow and Nizhny Novgorod Oblast containing over one million records. The dump appears to mirror a data leak reported by the investigative Russian-language outlet Meduza.

“Moscow-1” advertises a database of Moscow and Nizhny Novgorod Oblast internet voters with more than 1 million records. Screenshot Source: AdvIntel’s Andariel Platform

As mentioned previously, Russian-speaking threat actors tend to avoid targeting CIS countries, for fear of retribution from local law enforcement. But “Moscow-1” appears to have heeded no such concerns in this case – perhaps because they were entranced by the value of the haul. Indeed, it is not hard to imagine scenarios in which partisans – aligned with either the regime or the opposition – could purchase this data, and use it as a stepping stone to identify critics and supporters.

Although they did not express specific interest in “Moscow-1’s” Russian voter data, it is notable that two of the U.S.-focused threat actors mentioned previously, “G_9” and “Seattle-2”, corresponded with “Moscow-1” regarding other data leaks from Thailand, Malaysia, and India. These dumps were not necessarily political in nature, but the interactions surrounding them show how interconnected the underground community is, especially when it comes to data leaks.

Threat actors that participated in Moscow and Ukraine voter data leakages were closely connected to the actors who shared US voter data

Points of Concern - Cybercrime Rallies Around Elections

If the voter data, especially the US data, is publicly available, why would Russian-speaking actors try to share or sell it on the DarkWeb? And why is this data accompanied on the forums by Moscow and Ukrainian voter information?

The likely answer is that we may currently be witnessing the formation of a new segment of the cybercrime community, in which election-related operations become a point of connection between carders, identity fraud experts, ransomware groups, network intruders, and web traffic manipulators.

We have seen this process play out in other areas of cybercrime, ransomware in particular. Given the social and political gravity of the US 2020 elections, criminals are likely to rally intuitively around the subject in order to share their experience, find a for-profit way to monetize electoral compromises, and, potentially, find a political actor interested in their services.

To analyze the political consequences of the Russian and Ukrainian voter data shared on the DarkWeb, AdvIntel interviewed Alexander Korzun, a Russian democratic activist and political science expert with a focus on the Russian electoral process. Mr. Korzun, who has been directly involved in Russian election monitoring and fraud prevention as an election observer since 2007, argues that this is a very worrying trend.

"In Russia, registered voter data is often used by corrupt polling station workers to detect voters who usually don't vote or who are dead. Then they can mark those voters as having received a ballot in order to throw in fake ballots, or simply to falsify the final results based on falsified voter data. The more data they have, the easier it is to find vulnerabilities for manipulation. This voter fraud method is called "dead souls"; it's very popular in Russia and very difficult to detect."

What makes the American voter dumps shared in 2020 so concerning is that the data they house can be used for a range of nefarious purposes. Depending on the specificity of the information involved, identity theft is one possible scenario. Likewise, another possibility is that the voter data information could be used for political microtargeting by devious domestic actors, or even political interference from foreign ones. It is true, in the United States at least, that a certain amount of voter data is already publicly or commercially available. But given these threat actors' involvement in illegal data dumps in Russia and Ukraine, it is not implausible to imagine scenarios in which they would also illicitly target confidential voter information in the U.S. This is conjecture – not fact – but in our judgment, the possibility remains nonetheless.

Based on our long-term source intelligence, this year’s spike in voter data breaches is unusual. Voter data has, of course, been sold on the DarkWeb in the past. But the dumps were generally sporadic and often contained outdated information. The threat actors we are now monitoring on the DarkWeb appear to be offering voter data more frequently, and data that is much more current. It remains to be seen whether what we are observing is merely a blip on the radar or part of a new trend.

Points of Concern - Public Vulnerability as Election Season Draws Near

As elections approach, there may be another reason why threat actors choose to share voter data on DarkWeb forums: the exploitation of public concern.