The FBI and the Cybersecurity & Infrastructure Security Agency (CISA) have issued a warning that hackers – possibly hackers associated with nation-states – have infiltrated the US government's cyber networks.
In the joint alert, the CISA, which is a division of the Department of Homeland Security, said that in detecting the breach it could conclude that there had been some unauthorized access to election support systems.
The agency said that, to date, there is no evidence that the integrity of elections data was compromised. They also indicated that “it does not appear these targets are being selected because of their proximity to elections information.”
Malicious cyber actors are exploiting legacy vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations. Read our joint advisory with the @FBI for technical details and recommended actions: https://t.co/FDbCpPdNbV #InfoSec #InfoSecurity #Protect2020 pic.twitter.com/D2Clny9zUI
— Cybersecurity and Infrastructure Security Agency (@CISAgov) October 10, 2020
But officials at the CISA did suggest that data associated with election systems are vulnerable to compromise. “There are steps that election officials, their supporting…IT staff, and vendors can take to help defend against this malicious cyber activity,” they wrote in the statement.
The hackers achieved access by exploiting a combination of vulnerabilities (“vulnerability chaining”) that targeted a Virtual Private Network, or VPN. Vulnerability chaining is a tactic used to target federal, state, local, tribal, and territorial government networks, along with critical infrastructure and elections organizations.
In September, Microsoft reported that it had detected Russian, Chinese and Iranian actors targeting the 2020 US elections. In October it again detected specific threats to the US election infrastructure, citing an ongoing hacking campaign by a “threat actor” described as a “financially motivated nation-state actor.”
We’re seeing more activity leveraging the CVE-2020-1472 exploit (ZeroLogon). A new campaign shrewdly poses as software updates that connect to known CHIMBORAZO (TA505) C2 infrastructure. The fake updates lead to UAC bypass and use of wscript.exe to run malicious scripts.
— Microsoft Security Intelligence (@MsftSecIntel) October 6, 2020
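The ZeroLogon exploit named in the Microsoft post leaves traces in Windows event logs that defenders can check for. The following is an added example, not code from CISA, the FBI or Microsoft: it assumes Security and System events have been exported as dicts whose keys mirror the Windows event XML data names, and the sample events are constructed rather than captured from a real host.

```python
# Added example (not CISA/FBI/Microsoft code): flag Windows events consistent
# with Zerologon (CVE-2020-1472) use. Assumes events exported as dicts whose
# keys mirror the Windows event XML data names; sample events are constructed.

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    # benign: a workstation rotates its own machine-account password
    {"EventID": 4742, "SubjectUserName": "WS01$", "SubjectUserSid": "S-1-5-21-1-2-3-1104",
     "TargetUserName": "WS01$", "PasswordLastSet": "10/08/2020 09:12:33"},
    # suspicious: an unauthenticated caller reset a domain controller's password
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "TargetUserName": "DC01$", "PasswordLastSet": "10/09/2020 02:41:07"},
    # a 4742 from an anonymous caller that did not touch the password attribute
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "TargetUserName": "DC02$", "PasswordLastSet": "-"},
    # System log 5829: patched DC still allowed a vulnerable Netlogon secure channel
    {"EventID": 5829, "SamAccountName": "WS02$", "ClientAddress": "10.0.0.55"},
    # unrelated noise
    {"EventID": 4624, "TargetUserName": "alice"},
]

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid == 4742:
        # Zerologon resets a machine-account password over Netlogon without
        # authenticating, so the 4742 subject is ANONYMOUS LOGON (S-1-5-7) and
        # the target is a computer account (name ends in '$') whose password
        # attribute actually changed ('-' means the attribute was untouched).
        anon = (event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                or event.get("SubjectUserName") == "ANONYMOUS LOGON")
        target = event.get("TargetUserName", "")
        if anon and target.endswith("$") and event.get("PasswordLastSet", "-") != "-":
            return f"zerologon-password-reset:{target}"
    elif eid == 5829:
        # After the August 2020 Netlogon update a DC logs 5829 for each client it
        # still allows over a vulnerable channel; each one needs patching or review.
        return f"vulnerable-netlogon-channel:{event.get('SamAccountName')}"
    return None

def findings(events):
    """Collect findings from an iterable of events, preserving order."""
    return [label for label in map(classify, events) if label]

if __name__ == "__main__":
    for label in findings(SAMPLE_EVENTS):
        print(label)
```

Run against a real export, every hit needs corroboration (who reset the password, whether the client in a 5829 is a known unpatched device) before it is treated as an incident.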
Questions remain as to why Microsoft hasn’t more aggressively sought to disrupt these threats and why it hasn’t been more resolute in pursuing legislation that would enable internet tech giants to hobble nefarious actors in the cyber-sphere.