Political parties in Europe and the U.S. have cybersecurity practices that fail to meet basic standards, leaving them vulnerable to hackers and foreign influence operations with elections rapidly approaching, according to security researchers.
An assessment of 29 political parties in 11 countries released Tuesday by SecurityScorecard found that a party in France relies on end-of-life technology that has not had a security update in four to five months, for example. There also is a strain of malicious software emanating from an IP address assigned to an economic subcommittee of the European Union in Brussels right now, SecurityScorecard’s Director of Threat Intelligence, Paul Gagliardi, tells CyberScoop.
And while American political parties tend to fare better than European political parties, according to the report, the Democratic National Committee and the Republican National Committee still have weak spots.
Malware in the EU
The details of the report arrive just as the European Parliament elections kick off Thursday.
The malware SecurityScorecard identified at the IP address in Brussels is known as Gamarue, according to the report. Also called Andromeda, Gamarue is a Windows-based hacking tool that can steal files, log keystrokes, and download files. Still, Gagliardi said, caution should be used in assigning electoral significance to the revelation there is malware on the EU’s network in the buildup to the European Parliament elections.
“We’re certainly not asserting that the malware is on the EU’s president’s computer, but it’s somewhere on their network,” Gagliardi advised. SecurityScorecard doesn’t probe for the context behind its findings, and just has the security posture information that malware is beaconing from a specific IP address. “This could be on their guest WiFi network, it’s always a possibility that it is potentially a false positive.”
And yet, attacks may use multiple-step processes and move laterally within organizations to achieve their ends, says SecurityScorecard’s Chief Technology Officer Jasson Casey.
“It’s never about one finding. These significant events are always about a chain of events like getting onto a system, figuring out what’s there, moving across someone’s infrastructure,” Casey said.
Although Microsoft and law enforcement agencies disrupted the Gamarue malware family in 2017, Gamarue has been for sale in crime forums online, so a return of the botnet is not out of the question.
In this case, the malware has “already reached a target space, may be propagating further and is beginning to execute on its goals,” the researchers write.
The European Union did not immediately return request for comment.
The stakes are high for European voters this week. The continent faces a rise in populism, with some candidates especially sympathetic to Russia, and an impending leadership vacuum. Already, some social media accounts linked with Russia and far-right groups have attempted to sow disinformation on social media platforms in the buildup to the elections, according to The New York Times.
Russia has waved off allegations of disinformation and meddling.
DNC posture still lags behind RNC
SecurityScorecard, which bases its assessments on its external examinations of application security, finds that although the DNC and RNC have improved their security posture over the last few years following the 2016 intrusions of the DNC servers, both parties are still lacking in certain areas.
The DNC and RNC have boosted their stances, for instance, by using the identity management firm Okta and the internet security company Fastly, respectively.
But the DNC in at least one case has run a server unencrypted over HTTP. That could allow for man-in-the-middle attacks and stolen credentials, the researchers write. The DNC has since shut down the URL, a DNC official confirmed to CyberScoop, as Wired first reported.
The DNC’s cybersecurity chief, Bob Lord, told CyberScoop the DNC always appreciates getting alerted to areas it can improve its cyber hygiene.
“Our understanding from talking to the vendor is that their findings were hygienic and not exploitable,” Lord said. “The DNC has spent the last two years completely overhauling its cyber infrastructure and we continue to welcome help from researchers and other organizations to help improve the security posture of the entire Democratic ecosystem.”
“In aggregate, the DNC security scores lag behind the RNC in almost all categories,” the researchers write. “This same trend was observed in the Spring of 2016 prior to the Presidential elections and the reported DNC hacks and WikiLeaks releases.”
The RNC is not immune — SecurityScorecard uncovered an unencrypted login to what appears to be an RNC API server. The RNC did not respond to request for comment.
In one case, another party the researchers did not identify was recently leaking PII from a server, including names, addresses, and birth dates.
Gagliardi tells CyberScoop the party fixed the configuration within 12 hours of notification. Although the party appeared to have made efforts to have the list hidden, access to the PII did not require credentials.
“Security through obscurity is not the best,” Gagliardi said. “You shouldn’t set up a server that anyone — without any authentication, without any credentials — can just type in someone’s name and out [PII] pops.”
Copycats to come
The report, which found that Sweden had the best cybersecurity aggregate score and France had the worst, assessed security based on several measurements, including network security configurations, DNS configurations, and patching cadence.
One French party in particular has an insecure login system to its mailing system through which credentials are sent in unencrypted plaintext, which Gagliardi says would require a low level of sophistication to exploit.
The party also appears to be running its site using an end-of-life PHP that hasn’t been updated since last year. And although SecurityScorecard doesn’t have visibility of what exactly these insecure systems could provide access to, the room for damage is still there.
“If it’s part of a network that has access to interesting information, it’s a pretty big door,” Casey tells CyberScoop.
Broadly speaking, although some of the countries and political parties named are not facing elections imminently, attackers seeking to sow discord or influence elections gather information in advance. Russians who were engaged social media interference in the U.S. in 2016, for example, began reconnaissance work years in advance, according to the Special Counsel report on Russian attempts to interfere in U.S. elections.
Moving forward, Gagliardi said his concern is that copycat actors interested in influencing upcoming elections may have yet to come out of the woodwork seeing Russia’s efforts.
“They saw success of seemingly a nation-state achieving to influence an election in America,” he said. “I think when they can see that success and the level of sophistication it took I would worry that some less sophisticated actors might try to get involved in manipulating something.”