Travis Farral, director of security strategy, Anomali

It has been hard to miss the rumours surrounding the recent US election, particularly the speculation about Russia's involvement. Nations interfering in other countries' political affairs is nothing new; what is changing is the scale and the methods they choose to use. However, Russia is not the only adversary to be concerned with. Lone wolf actors, Islamic activists, and other politically motivated players or groups should also be sources of concern.

Organisations can learn a great deal from the malicious activity around the US election and from historical nation-state hacking, and use those lessons to inform future strategies. Those in control of critical infrastructure and particularly sensitive data should take note, especially parties responsible for such assets ahead of the upcoming German, French and Northern Ireland elections.

In the case of the US election, reports released by federal agencies offered some insight into the indicators and tactics supposedly used in the attacks. But the findings also contained many indicators used by other malware families not associated with the Russian government; Tor (The Onion Router) exit nodes, which could be used by anyone who uses the service; IP addresses of legitimate companies (such as Yahoo, Microsoft, and Twitter); and legitimate Content Delivery Networks (CDNs), including some used by popular services like Skype and Microsoft Azure. Also included is a diagram of common tactics used throughout the hacking community, which are not specific to the Russians. The result is a muddled mix of indicators, tools, and techniques that overlap with commonly seen activity and offer little in the way of context. Loading such a list straight into detection tooling, without first separating the shared-infrastructure entries from the specific ones, produces false positives rather than attribution.
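The practical check implied by the paragraph above is to triage a published indicator list before it goes into an alerting rule: tag each entry with the benign context it overlaps (Tor exit node, CDN prefix, shared service range, URL shortener) and only alert directly on the ones with no such overlap. The script below is an added example, not code from the article or from Anomali, and every reference set in it is constructed: the addresses are RFC 5737 documentation ranges, not real Tor exit nodes or CDN prefixes, and the `DISPOSITION` policy is an assumed one. In practice the reference sets would be loaded from the Tor Project's published exit list and from the CDN providers' published ranges, and refreshed regularly, since exit nodes change daily.

```python
"""Triage a published indicator list by the benign contexts it overlaps.

Added example. All reference data below is constructed for illustration
(RFC 5737 documentation ranges); swap in the Tor exit list and the CDN
providers' published prefixes for real use.
"""
import ipaddress
from collections import defaultdict

# Constructed reference sets (assumptions for the example, not real data).
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.23", "203.0.113.42"}
CDN_RANGES = [
    ipaddress.ip_network("192.0.2.0/25"),       # hypothetical CDN prefix
    ipaddress.ip_network("203.0.113.128/26"),   # hypothetical CDN prefix
]
SHARED_SERVICE_RANGES = [
    ipaddress.ip_network("192.0.2.128/25"),     # hypothetical webmail/cloud range
]
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}

# Assumed handling policy: shared infrastructure is enriched and correlated,
# never blocked or alerted on by itself, because anyone can sit behind it.
DISPOSITION = {
    "no_known_overlap": "alert",
    "tor_exit": "enrich",
    "cdn": "enrich",
    "shared_service": "enrich",
    "url_shortener": "enrich",
}


def classify(indicator: str) -> str:
    """Return the benign context an indicator overlaps, or 'no_known_overlap'."""
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        # Not an IP address: treat it as a hostname and check shortener domains,
        # including subdomains of a shortener (e.g. a custom-branded host).
        host = indicator.lower().rstrip(".")
        if host in URL_SHORTENERS or any(host.endswith("." + s) for s in URL_SHORTENERS):
            return "url_shortener"
        return "no_known_overlap"
    # Exact-match sets first, then prefix membership tests.
    if str(addr) in TOR_EXIT_NODES:
        return "tor_exit"
    if any(addr in net for net in CDN_RANGES):
        return "cdn"
    if any(addr in net for net in SHARED_SERVICE_RANGES):
        return "shared_service"
    return "no_known_overlap"


def triage(indicators):
    """Group indicators by context: {context: [indicator, ...]}."""
    groups = defaultdict(list)
    for ioc in indicators:
        groups[classify(ioc)].append(ioc)
    return dict(groups)


def deployable(indicators):
    """The subset of indicators that can go straight into an alerting rule."""
    return [i for i in indicators if DISPOSITION[classify(i)] == "alert"]


if __name__ == "__main__":
    # Constructed sample "report" indicator list.
    sample = ["198.51.100.7", "192.0.2.10", "192.0.2.200", "203.0.113.42",
              "203.0.113.5", "bit.ly", "evil-example.test"]
    for context, items in triage(sample).items():
        print(f"{context:18} {DISPOSITION[context]:7} {items}")
    print("deployable:", deployable(sample))
```

Run on the constructed sample, only `203.0.113.5` and `evil-example.test` survive as directly deployable; the Tor exit, CDN, shared-service and shortener entries are routed to enrichment, which is where a hit on them belongs: as one weak signal to be correlated with others, not as a verdict.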

Despite this, there is evidence that supports involvement by the Russian government, and it is compelling. The actions taken by those responsible for the attacks certainly align with Russian state interests, and further activity in support of those interests can be expected. But the evidence is not strong enough on its own to eliminate other possibilities.

Central to this is the issue of attribution, an oft-debated topic within information security circles. The problem is that it is far too easy for different actors to reproduce many of the types of evidence regularly cited to support attribution.

More often than not, there is no smoking gun that points to a specific individual or group, so there is much scepticism. The actions could have been performed by a wide range of attackers. Attribution, at least via publicly available data, tends to rely on circumstantial evidence and rarely supports solid conclusions pointing to a specific adversary.

For example, as detailed in Anomali's Election Security in an Information Age, none of the following would be hard for a modestly skilled bad actor to do:

  • Create an account on Yandex, QQ mail, or another foreign-language webmail provider to use for domain registrations or other communication.
  • Use infrastructure similar to that used in other attacks, such as certain discount domain registrars, hosting companies, Virtual Private Network (VPN) providers, or Virtual Private Server (VPS) providers.
  • Change computer keyboard settings and include comments in scripts or malware in a foreign language (such as Russian or Mandarin).
  • Use techniques like phishing emails to deliver malware or attempt to steal credentials through fake login pages.
  • Use URL shortening services to obfuscate links to malicious infrastructure or links to malware (for example,
  • Use widely available hacking tools like Mimikatz in attacks.
  • Use proxies or compromised systems to perform attacks from IP addresses in other countries.

Given the care culprits can take to obfuscate digital evidence during attacks, the evidence is often too weak, incomplete, or circumstantial to solidly link particular attacks to the same actor. Any individual or group capable of creating and deploying successful phishing attacks designed to steal credentials or deploy malware could conceivably perform attacks similar to those seen recently in the US in relation to the elections.

Those with the means, motive, and opportunity to sabotage an election may attempt to do so. This is especially true given the relatively low cost of performing these attacks, which could lead new actors to attempt to manipulate elections. Even young, aspiring hackers looking to make a name for themselves can be a threat, such as the 16-year-old arrested in the UK in February 2016 after allegedly hacking into the personal email account of then CIA director John Brennan.

Secure elections are a cornerstone of Western democracies, and protecting their integrity is therefore a paramount responsibility. Understanding these threats and taking steps to protect against them will be of increasing importance in future elections.

The more connected our society becomes, the more avenues there are for obtaining and releasing sensitive details. The challenge of protecting all these potential attack avenues is broad and will grow as more options become available. Primary targets include private organisations and individuals. For governments, offering guidance on staying secure is one of the few options available to protect against future network breaches. Additionally, they should be doing everything in their power to dissuade, disrupt, and respond to attacks, including through diplomacy, retaliatory measures, regulation, and, in extreme cases, conventional warfare. Organisations and individuals, for their part, can take simple steps to defend against phishing attacks, improve credential security, and ensure network systems are patched and protected.

Organisations should work with cyber-security experts to detect, identify, and prioritise malicious activity, strengthening their defences against the myriad emerging threats. At the same time, sharing intelligence helps to build proactive defences. It enables organisations not only to respond proactively but also to learn deeper details, develop collective profiles of common attackers, and improve attribution across subsequent attacks.

Elections are complex events. Hacking will continue to evolve. Organisations must use every resource at their disposal to gather evidence, analyse all sources, and bolster defences no matter where the threats are coming from.

Contributed by Travis Farral, director of security strategy, Anomali