Black Hat 2020 Goes Virtual: zvelo Cybersecurity Quick Look and Observations
As with many in-person cybersecurity conferences, Black Hat 2020 and its sister events (DEFCON and BSidesLV) moved to virtual delivery this year in light of the ongoing COVID-19 pandemic. The shift to an online medium creates a much larger opportunity for individuals to participate – especially those whose organizations are working with limited budgets. As in previous years, Black Hat provided access to substantially more talks and interesting topics than any individual participant would have time to attend.
From a global pandemic to the upcoming United States elections in November, 2020 has already been an unprecedented year for events beyond anyone’s control, and it’s far from over in terms of malicious cyber attacks. Earlier this spring, zvelo identified significant increases in domain name registrations related to ‘Coronavirus’, ‘COVID-19’, and ‘government relief’ — specifically targeting the panic and paranoia related to the pandemic. The vast majority of the registrations observed were suspicious, pointing toward fraudulent activities. Some, however, turned out to be malicious, delivering malware or data stealers to exploit victims. While Malicious Cyber Actors (MCAs) have already registered domains related to the upcoming elections, their activities will be less about exploiting victims and more about influencing their votes. We anticipate this behavior will increase in the coming weeks and months.
The zvelo Cybersecurity Team attended several talks related to election security. Mr. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security (DHS), provided an update on US Government preparedness for the 2020 general election. Citing excellent cooperation across the 50 States, he reminded everyone that 2020 is not just about Russian interests but also includes China, Iran, and North Korea. One of the major points that Mr. Krebs made is that US voters may not know who won the Presidential election on November 3rd, especially considering the circumstances of the COVID-19 pandemic, and that such a delay does not necessarily mean something is awry.
A number of speakers at Black Hat 2020 who presented on the topic of this year’s upcoming elections cited Information Operations (IO) as the primary ongoing threat that should draw concern from citizens. IO is a term lifted from military operations that refers to actions in and through the Information Environment (IE) to influence, disrupt, corrupt or pre-empt adversary decision making and enablers, while protecting friendly decisions (see US Army Field Manual 3-13). In the context of the 2020 elections, the IE includes the internet and associated resources, social media platforms and users, the press, and average citizens whose susceptibility to potential influence is prized by MCAs. To make things even more confusing, the tactics of disinformation and amplification of divisive issues are not just the tools of MCAs but are also used by anyone with a perceived stake in the elections. While MCAs and other election influencers continue to use traditional internet infrastructure (e.g. domain name registrations, malicious and phishing website infrastructure, and email), most of their work will reside in social media spaces.
MCAs and other election influencers are masters at amplifying perceived or actual divisions in the targeted society. Social media supplies a low- to no-cost platform for MCAs to share content, images, and memes which have a high propensity to elicit strong emotional reactions with the intent to drive engagement and fuel division. For example, the semi-famous meme of Yosemite Sam (the Warner Bros cartoon character), who was supposedly ‘banned for guns & violence’, received more than 900,000 interactions on social media, and very few know that it was created by the Russian Internet Research Agency (IRA).
MCAs are quite adept at creating virality (the ability to cause something to go viral on the internet). More than once, you may have liked or shared a meme, picture, or other content that was originally created or seeded by an MCA without even knowing it. For example, in May 2017, there were a number of Honor the Fallen memes circulating the internet around Memorial Day. Many of these memes include the following image of an “Angel Flight”, circulated by a variety of veterans’ groups on social media in the United States:
To the untrained eye, who would not like and share an image that honors fallen service members? Here is the problem with this image: it is a Russian transport plane. Wait, what? Why would US veterans’ groups be helping an image that includes a foreign transport plane go viral? The short answer is that they likely had no idea where the meme came from and they simply passed it on. When it comes to influencing the elections, that is exactly what MCAs are hoping social media users will do – share the meme, message, conspiracy theory, or other content – further amplifying their campaign at a massive scale.
Many presentations during Black Hat 2020 centered on how MCAs aim to undermine the legitimacy of the US elections. While there are currently no direct indicators of preferred activities, as we approach the 2020 US elections, we anticipate MCAs will implement the following tactics:
- Hack & Leak Information: Similar to what happened to the Democratic National Committee in 2016 (a favorite tactic of APT28/Fancy Bear).
- Hacking Voting Infrastructure: According to CISA, in 2016 all 50 states experienced some type of incursion; it would not be surprising if this occurs again.
- Infiltrate Groups: MCAs will use troll farms to gain membership in “closed” social media groups to spread disinformation or amplify their preferred messaging.
- Amplify Narratives: Paying witting or unwitting locals (via gamification algorithms) to share specific messages with the intent to increase societal divisions or drive wedges where none currently exist.
Each of these tactics provides any MCA with a potential means to an end: at best, influencing the US elections and, at worst, disrupting them via a direct cyber attack on critical infrastructure.
What can you do?
While there were many key takeaways from the Black Hat talks on the elections, there are five things you should consider right now:
- Be an informed voter. Have a plan on how you will vote (in-person or mail-in).
- Be skeptical of social media posts that seem to fit and amplify your values and beliefs.
- Do not fill out social media or internet surveys without verifying the validity of the requesting organization.
- As always, do not click on links or open attachments from unknown sources.
- Finally, know that you and your vote are the target of MCAs; no one is immune.