The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Cyberattacks, influence campaigns rear their heads in the midterms

Welcome to The Cybersecurity 202! It's good to be back, even though I'll miss the sloths, soursops and other flora and fauna I left behind on vacation in Costa Rica.

Below: An industry group sues over the U.S. government's sanctions on a cryptocurrency mixer, and Georgia election officials reportedly wanted to copy election equipment data. First:

Hackers and attempts to manipulate voters are still around in the 2022 midterms

Cyber Command Chief Gen. Paul Nakasone said Tuesday that his agency is not seeing significant signs of new cyber campaigns against U.S. elections. 

Yet hackers and attempts to manipulate voters — which have bedeviled U.S. elections since the 2016 cycle — are still alive and well.

Two industry reports shed light on those traditional election security threats:

  • On Wednesday, cyberfirm Trellix identified phishing emails that multiplied in the buildup to the primaries in Arizona and Pennsylvania, as hackers sought to lure election workers into clicking on links that would steal their passwords or otherwise enable access to their systems.
  • This morning, fellow cyber company Recorded Future released a forecast of malign influence campaigns between now and Election Day. It pinpointed some signs of Russian and Chinese bids to sway or confuse voters so far.

The reports follow closely on the heels of distributed denial of service (DDoS) attacks against several U.S. states’ websites last week intended to disable or knock them offline with a flood of traffic. A pro-Russian hacking group, Killnet, took credit for the attacks. The website of the Kentucky Board of Elections was one apparent victim.

And both Nakasone and Cybersecurity and Infrastructure Security Agency Director Jen Easterly said they’re watching closely for signs of new cyber campaigns directed at elections and dealing with disinformation operations, Martin Matishak reported for the Record.

Some attempted hacks

Trellix doesn’t know for sure who’s behind the phishing emails they highlighted, but the targets appear deliberate rather than users being caught up in a scattershot campaign, Patrick Flynn, head of the advanced program group at the company, told me.

“I don’t have enough information to tell you, ‘Yes, positively, it’s a nation-state or a criminal,’ but it’s at the time of year where the reasonable impression that we have is that they’re focusing on a network trying to create some level of disruption to the process,” Flynn said.

The firm detected a huge spike in malicious activity in Arizona and Pennsylvania from the end of 2021 through the first two quarters of 2022 leading up to the primaries. For example, in Pennsylvania the number of detections rose from 1,168 in the fourth quarter of 2021, to 4,460 in the first quarter of 2022, to 7,555 by the end of the second quarter. Pennsylvania held its primaries on May 17.

  • In one kind of phishing email, the hacker pretends to be an IT administrator asking about an expiring password to lure the victim into giving it to them.

“The attacker could access election process documents, voter records, colleague contact lists, administrative tools and a variety of other documents and forms” with the password, according to Trellix. “The attacker could send voters incorrect election process information to mislead them into invalidating their votes or create confusion in the lead up to election day that undermines their confidence in the process.”

  • In another kind of phishing email, the hacker uses a stolen or forged email thread to make it appear like the message comes from a contractor distributing and collecting absentee ballot applications.

Some attempts to sway the election

In its report, Recorded Future’s Insikt Group finds that even though Russia is preoccupied with the war in Ukraine, a Russian organization that tried to influence the 2016 election looks like it has reemerged for the 2022 midterms. U.S. intelligence agencies in 2017 dubbed the Internet Research Agency a “troll farm.”

“We are almost certain that known networks associated with the Russian Internet Research Agency (IRA, Lakhta Internet Research, LIR) are engaging in covert malign influence on a subset of the US population,” Recorded Future concluded, identifying that subset as conservative voters.

China, meanwhile, is harboring a grudge against the United States after House Speaker Nancy Pelosi (D-Calif.) visited Taiwan, the cyberfirm said. It spotted a campaign in September from “state-sponsored influencers” who were circulating anti-U.S. messages on social media sites. That diverged from China’s past, less-active role in influence campaigns during U.S. elections, the company said.

“China’s state-sponsored influencers are almost certainly conducting malign influence operations targeting US voters with divisive political themes in an attempt to further divide American voters over key political issues in the US midterm elections,” according to Recorded Future. “China likely views electoral interference and voter influence ahead of the US midterm elections as an appropriate response to the US’s perceived interference with Taiwan.”

Iran and domestic U.S. extremist groups are also among those likely to carry out influence operations between now and Election Day, the company said.

Each group has its own aims, Recorded Future said:

  • Russia, as it has in the past, wants to undermine faith in U.S. institutions.
  • China, besides its anger over Pelosi’s visit, wants to tar candidates who are critical of China and position itself as a better global leader than the United States.
  • Iran seeks a favorable outcome to nuclear negotiations.
  • Domestic extremist groups want to cast doubt on U.S. electoral processes.

And there’s synergy between some of those groups, according to the company.

“A majority of content we’ve seen stems from overseas,” Craig Terron, director of Insikt Group’s global issues team, told me via email. However, “A symbiotic relationship does exist where foreign influence actors parrot and puppet US domestic extremist narratives to forward their own goals of weakening the US democratic process, while domestic extremist groups also absorb anti-US, anti-democracy narratives generated by foreign influence networks.” 

The keys

Industry group sues government over sanctions on Tornado Cash mixer

The lawsuit by the Coin Center argues that the Treasury Department’s Office of Foreign Assets Control (OFAC) didn’t have the authority to sanction Tornado Cash, and that the sanctions violate Americans’ privacy and First Amendment rights, the Wall Street Journal’s Mengqi Sun reports. The lawsuit comes around a month after Coinbase said it was bankrolling a lawsuit to force the U.S. government to reverse the sanctions.

When it announced the August sanctions against Tornado Cash, the Treasury Department said the platform laundered more than $7 billion in digital assets. Cybercriminals like North Korean hackers have also used the platform to process funds that they’ve stolen.

“A spokeswoman for the Treasury declined to comment,” Sun writes. “In September, however, OFAC clarified that the sanctions placed on Tornado Cash don’t prohibit U.S. individuals or businesses from interacting with open-source code itself, as long as it doesn’t involve a prohibited transaction with the Tornado Cash platform.”

Pro-Trump election officials in Georgia wanted to copy data from election machines, report says

Two members of the Spalding County Board of Elections wanted a third-party firm to copy the county’s election equipment, but the office of Georgia Secretary of State Brad Raffensperger (R) stepped in and warned them that the plan was illegal, Rolling Stone’s Justin Glawe reports. The bipartisan Georgia State Election Board says it’s investigating the officials and their plan, Glawe reports.

“My head is spinning,” said Mike Hassinger, a representative for Raffensperger’s office, per Rolling Stone. “I can see no justification, legal or otherwise, for anyone to have a third party come in and access election equipment. It sounds like they tried to commit a crime.”

The election officials, Ben Johnson and Roy McClain, didn’t respond to Rolling Stone’s request for comment. In emails, they defended the effort, saying it was necessary because of election lawsuits and a security issue with election equipment. Raffensperger’s office rejected those reasons.

Google and other firms are building tools to help Iranian protesters

Google’s elite Jigsaw unit built a VPN tool called Outline, which has surged in popularity in Iran as protesters try to access the internet without government restrictions, Joseph Menn and Yasmeen Abutaleb report. U.S. officials are trying to prod tech companies into providing services — especially communications tools — as the Iranian government continues to crack down on protests, which began in September after a 22-year-old woman died in the custody of the country’s Islamic “morality police,” which detained her for showing too much hair. 

“The VPN, called Outline, is available on its own as an app or web download and in versions distributed by third parties such as nthLink, a company that receives U.S. government funding,” they write. “nthLink says monthly users in Iran of Outline have soared tenfold in two months, to 2.4 million unique devices in September.” Outline is a free VPN tool that lets users hide their tracks online better than most paid versions.

Jigsaw is run by Yasmin Green, who fled Iran with her parents when she was 3 years old. Google founder “Larry Page used to say all Google products ought to be like a toothbrush, where everybody uses it at least twice a day,” Green said in her first extended interview since she was promoted to lead Jigsaw in July. “We changed the metaphor to an air bag. People don’t need it often, but when they do, they absolutely need it to work.”

Industry report

Former NSO CEO and ex-Austrian Chancellor found startup (Globes)

National security watch

New White House national security strategy light on cyber specifics (The Record)

Government scan

Why CISA won’t release ‘public’ comments on upcoming performance goals (NextGov)

Securing the ballot

Cochise County supervisors shrug off legal advice, still want to hand-count ballots (Votebeat)


  • Deputy national security adviser Anne Neuberger, Rep. John Katko (R-N.Y.) and Google Cloud global director of risk and compliance Jeanette Manfra discuss cybersecurity at a Washington Post Live event today at 9 a.m.
  • The Atlantic Council hosts an event on a new transatlantic data privacy framework on Monday at 10 a.m.
  • Emily Goldman, a strategist at U.S. Cyber Command, discusses cyberspace strategy at a Heritage Foundation event on Monday at noon.
  • The Carnegie Endowment for International Peace holds an event on Russian information warfare on Monday at 2 p.m.
  • CISA Director Jen Easterly, NSA Cybersecurity Director Rob Joyce and top Ukrainian cybersecurity official Victor Zhora speak at Mandiant’s mWISE conference starting Tuesday.

Secure log off

Thanks for reading. See you tomorrow.