Pragmatic Political Campaign Security

thaddeus t. grugq on 2019-02-20

Unique Threats Beyond Influence Campaigns

A major infosec related threat during the 2018 midterm elections had nothing to do with politics or influence operations. This boring “just another day in infosec” cyber threat actor actually poses a more significant threat to more election campaigns than the evil machinations of foreign intelligence services.

APT419

A serious existential threat to campaigns during elections — invoice fraud by 419 hackers.

Election campaigns live on money; money that is spent on ads. The term of art for purchasing ad space in a media channel — a vital process for a campaign — is an “ad buy.” Typically this will all be arranged with the distribution channel (e.g. a local TV station) and the campaign “accounts payable” person will get an invoice: “pay $50,000 to Media Corp.” These days this is done by email.

Western African threat actors discovered that hacking the email accounts of campaigns provides access to the “accounts payable” ad buy invoices. These invoices, along with other information found in the email spool (such as telephone numbers, names, and details about the purchase) provide sufficient data for the invoice fraud attack.

Armed with an invoice, a due date, a phone number, and details about the purchase, the hackers will call up the campaign’s finance person a few hours before the ad runs and explain that for $REASONS the account number listed on the invoice for the ad buy is not correct. The invoice fraudsters provide an account that they control, the finance person sends the ad buy money to Western Africa — and now there are massive problems for the election campaign.

The invoice fraud criminals performing these attacks are not politically motivated. They only want the money, and Republican money spends just as well as Democrat money.

APT419 is a greater threat than APT28

Election campaigns can handle the threat of propaganda or losing control over their internal strategy documents etc. Information warfare is not an immediate existential threat to an election campaign, nor is it a threat to the majority of campaigns.

For an adversary, waging effective information warfare is complex, requires preparation time and investment, and is not guaranteed to work. An election campaign hacked by APT28 is, quite frankly, not the end of the world. The problem that a malicious FIS presents to most campaigns is effectively nil.

Even for campaigns at risk from FIS attacks or other information warfare adversaries, it is a manageable threat. Election campaigns are themselves propaganda and information warfare organizations. They are at least capable of engaging the adversary on familiar ground. Over the last few years, people have created a lot of information on countering information warfare methods, and the strength of many techniques has been diminished.

Campaigns can fight info war, but without money they’re dead

Election campaigns cannot exist without money. Being robbed blind is an existential threat to a campaign. This is actually a counterintuitive point for information security professionals. To cripple a candidate’s campaign it’s easier to just steal their money, rather than craft an effective information operation. The 419 hackers who just want to take the money are a very real risk (they target everyone, even small campaigns), and actually present an existential threat.

Campaigns are an excellent target for 419 hackers as well. The desire to suppress the breach report is extremely strong. Keeping the bad news out of the public eye is a more important concern than recovering the lost money. No campaign wants to earn the label “can’t be trusted with money” in the public eye. For an attacker, a victim who is incentivized to keep quiet is an added bonus. These factors combine to make political campaigns prime targets for financially motivated hackers. Unfortunately, all the public focus has been on info war and cyber.

Sexy Security Sells

Infosec, politicians, the media, seemingly everyone has become singularly fixated on the threat of information warfare. I personally find the topic fascinating. But as is usually the case for information security, it isn’t the flashy scariest sounding threat that is the biggest risk — it is the basics addressed by plain security hygiene. For political campaigns, the fundamental element is money. Securing a campaign? Ensure there are procedures and protocols in place to keep the money safe.

Staying Safe

Fortunately, the basic information security steps that protect against email attacks by Russian hackers also protect against West African hackers.

Security hygiene

I recommend following this guide from Tech Solidarity, supplemented with another of their guides. It was written based on experience trying to get non-technical people up and running with sufficient information security hygiene. If you want to wage offensive information warfare against threat actors then check out my guide.

Financial and Invoice handling protocols

The policy for financial transactions above a threshold amount must ensure the finance person does sufficient verification before transferring money. At a minimum, they should call back to check that the call is legitimate. Ideally, have the contact numbers of the accounting people at the media company who handle the ad buy, recorded when the buy is arranged. Never transfer money without calling and talking with them first. Never initiate a fund transfer or payment based on someone calling in; do basic verification and call them back on the number on file, not the number the caller supplies. It is not a perfect solution, but it is a vast improvement over losing $100,000 to a fraudster because of a phone call.
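As an added illustration (not code from the post), the callback rule above written as a payment-approval check: any payment over a threshold, or to an account that differs from the one on file, is held until finance has called the vendor back on the number recorded up front. The threshold, vendor name, account strings and phone numbers are constructed for the example.

```python
from dataclasses import dataclass

# Assumed policy threshold: amounts at or above it always require a callback.
CALLBACK_THRESHOLD = 10_000

@dataclass(frozen=True)
class Vendor:
    name: str
    account_on_file: str   # bank account agreed when the ad buy was arranged
    phone_on_file: str     # accounting contact at the media company, recorded up front

@dataclass(frozen=True)
class PaymentRequest:
    vendor: str
    amount: int
    pay_to_account: str    # account the invoice, or an inbound caller, asks to be paid
    inbound_phone: str     # number the request or "account changed" call came from

def needs_callback(req: PaymentRequest, vendor: Vendor) -> bool:
    """Policy: large payments and any change of destination account need verification."""
    return req.amount >= CALLBACK_THRESHOLD or req.pay_to_account != vendor.account_on_file

def approve(req: PaymentRequest, vendors: dict, callbacks: set) -> tuple:
    """callbacks holds (vendor, phone_dialled, account_confirmed) for calls finance staff
    actually placed. Returns (ok, reason)."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, "unknown vendor: set up the relationship out of band first"
    if not needs_callback(req, vendor):
        return True, "below threshold and account matches file"
    # Only a callback placed to the number on file counts; the inbound number is
    # under the caller's control, so confirming with it proves nothing.
    if (req.vendor, vendor.phone_on_file, req.pay_to_account) in callbacks:
        return True, "destination confirmed by callback to the number on file"
    if (req.vendor, req.inbound_phone, req.pay_to_account) in callbacks:
        return False, "callback went to the inbound number, not the number on file"
    return False, "hold: call the vendor back on the number on file before paying"

# Constructed sample data for the scenario in the post (not real vendors or numbers).
VENDORS = {"Media Corp": Vendor("Media Corp", "ACCT-ON-FILE-001", "+1-555-0100")}
# An hours-before-air call claims the account on the invoice is wrong.
FRAUD_REQ = PaymentRequest("Media Corp", 50_000, "ACCT-FRAUD-999", "+1-555-0199")
# A routine small invoice paid to the account already on file.
ROUTINE_REQ = PaymentRequest("Media Corp", 2_000, "ACCT-ON-FILE-001", "+1-555-0100")

if __name__ == "__main__":
    for req, calls in [(FRAUD_REQ, set()),
                       (FRAUD_REQ, {("Media Corp", "+1-555-0199", "ACCT-FRAUD-999")}),
                       (ROUTINE_REQ, set())]:
        print(req.pay_to_account, approve(req, VENDORS, calls))
```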

Cyber insurance opportunity

Invoice fraud is an area where cyber insurance can innovate in providing coverage. There is a real need to have this risk mitigated, and technical solutions will never be completely comprehensive, even with more secure procedures. A financial solution that protects the vulnerable part of the campaign is important.

Final thoughts

The discovery of invoice fraud attacks against election campaigns was a revelation for me. I hadn’t even considered the application of one of the most simple and successful cybercriminal attacks as a political threat. The fact is that information warfare is not as effective as many believe. The major threat from social media is micro-targeting (which needs to be, and can be, addressed) and several types of amplification. For most campaigns, a foreign intelligence service hack is simply not something to worry about. However, for all campaigns, losing funds is an existential threat.

Never mind APT28, here’s APT419.