Cybersecurity Advice for Political Campaigns

Political campaigns face attacks from cybercriminals and nation-state actors who steal credentials, intercept communications, and exploit weak IT configurations. Countermeasures include enabling two-factor authentication everywhere, minimizing software to reduce the attack surface, keeping systems patched, and being skeptical of messages demanding urgent actions or requesting clicks on links.

Political campaigns are targets of cybercriminals and nation-state adversaries, who possess formidable persistence and expertise. Yet, campaign participants can resist these malicious actors by taking specific proactive steps and practicing ongoing vigilance. This article suggests such measures based on the attacks observed in recent years.

If you’re participating in a political campaign, the best publicly available starting point is the Cybersecurity Campaign Playbook from the Defending Digital Democracy project. Follow its advice if you don’t have patience for anything else. For a more comprehensive set of defense principles based on real-world attacks see below.

How to approach defending the campaign?

The short-lived nature of most political campaigns typically precludes them from building formal cybersecurity security programs. Given this, on which defensive practices should campaigns focus their limited time? To figure this out, we can learn from the tactics the attackers employed against recent campaigns to derive reasonable defenses.

The mechanics of attacks against political organizations starting from around 2016 included the following tactics:

Abusing and exploiting application features
Stealing campaign participants’ access credentials
Stealing sensitive documents
Tricking victims into taking risky actions
Intercepting network communications
Exploiting weak IT configurations

Below are reasonable countermeasures against these attacks. Though no preventative measures are foolproof, especially against an advanced attacker, our goal is to make it harder for the adversary to cause significant damage:

The longer you resist the attack, the more time you have to adjust your practices and ask for help.
The stronger your resistance, the greater the chances that the attacker will have to work harder, generating more noise or going elsewhere.

It’s impractical to go into details behind each item in the following list. Consider discussing these items with your friendly IT or information security professional.

Anxious about cybersecurity? Here’s a picture of a kitten to make you feel better. Wondering what tactics attackers used against political campaigns and how you can resist them? Read on…

Attackers abused and exploited application features.

Modern applications support features that attackers can abuse to install malware on your system. Campaign adversaries have taken advantage of such capabilities quite frequently; they’ve also exploited unpatched vulnerabilities in the software to infect computers.

To resist such attacks, minimize the attack surface: the less software you have, the smaller the attackers’ window of opportunity. Keep the software you need up-to-date on security patches.

Use the latest OS version for your systems and devices.
Install security updates for your apps and the OS as soon as they come out.
Use built-in software for your work, avoiding third-party apps when practical.
Install software from the app store when possible, instead of downloading it from websites or getting it from other sources.
Uninstall the apps you don’t regularly use.
Enable as many OS and app security features as practical.
Use modern, reputable anti-malware software.

Attackers stole campaign participants’ access credentials.

Campaign attackers have been highly effective at fooling victims into revealing their logon credentials to copycat websites (phishing). They’ve also tricked people into granting malicious applications access to email and other sensitive resources.

Enabling two-factor authentication is perhaps the most important step toward resisting such tactics (attackers have intercepted SMS codes, so use other methods, if possible). More broadly:

Enable two-factor authentication everywhere.
Only grant/request/keep access you truly need.
Remove API access from apps you don’t use.
Use a password vault, avoiding password reuse.
Don’t share user accounts with others on your team.

Attackers stole sensitive documents.

Adversaries have routinely pursued sensitive campaign documents. They’ve also stolen seemingly inconsequential information, which informed their subsequent actions when attacking other organizations related to the campaign.

Resisting such attacks involves being mindful what information you share, how, and with whom:

Share files only with people who need them.
Consider when to send attachments and when to share links to documents in cloud storage.
Use encrypted chat for sensitive discussions.
Automatically delete old messages.

Attackers tricked victims into taking risky actions.

Many of the attack tactics involved elements of social engineering—persuasion tactics that take advantage of human psychology to trick victims into taking actions that have aided the adversaries.

To resist social engineering, be skeptical of any email or chat messages that demand an urgent action or that ask you to click on links or open attachments:

Scrutinize any messages related to security alerts.
Be wary of every link and attachment in an email.
When in doubt, don’t click or open the file.
Confirm with the sender via a separate channel before taking actions related to links or attachments.
Minimize the use of email, if practical, in favor of closed-group, encrypted messaging tools.

Attackers intercepted network communications.

Campaign adversaries used several approaches to intercept network communications of victim organizations, which allowed them to steal login credentials, sensitive documents, and private communication details.

To resist such attacks, operate with the assumption that any network to which you connect—be it a cafe or an office—is untrusted. Encrypt your network communications and watch out for security warnings. More broadly:

Avoid websites that don’t use HTTPS; the browser extension HTTPS Everywhere can help.
Pay attention to browser warnings about anomalies such as bad SSL certificates.
Require authentication for printer, server, computer, and device access even on local networks.
Change default passwords for devices and apps.

Attackers exploited weak IT configurations.

Attackers have taken advantage of the weaknesses in IT configurations for systems and applications campaigns used. For example, this allowed the adversaries to intercept all campaign emails and compromise campaign-related websites.

If you’re managing IT aspects of your campaign, review security settings related to your users’ accounts and applications. Tighten your domain configuration. Enable security options according to your provider’s recommendations (e.g., the G Suite security checklist).

Lock down domain registrar and DNS settings.
Place websites behind a reputable cloud or plugin-based web application firewall (WAF).
Uninstall or disable unnecessary features or plugins.
Regularly review authorized users and their access.
Require two-factor authentication for all accounts.
Enable organization-wide security features.

Tired of security advice? Here’s a picture of a puppy for making it almost to the end of this post!

For background details, review these sources.

I formulated the advice above mostly based on the tactics used against 2016 and 2018 election campaigns in the United States, as publicly described by the news media, cybersecurity companies, and the U.S. government. Here are links to just some of the documents I reviewed:

Two Years of Pawn Storm by Trend Micro
Microsoft Security Intelligence Report, Volume 19, the STRONTIUM section
US Department of Justice Indictment of GRU Officers, July 13, 2018
US Department of Justice Press Release Number 18-1296
Threat Group 4127 Targets Hillary Clinton Presidential Campaign by Secureworks
How Russian Hackers Stole Information from Democrats by Vox
Democratic House Candidates Were Also Targets of Russian Hacking by the New York Times
Documents Reveal Successful Cyberattack in California Congressional Race by Rolling Stone
Russian Hackers’ New Target: a Vulnerable Democratic Senator by Daily Beast
G.R.U., Russian Spy Agency Cited by Mueller, Casts a Long Shadow by the New York Times
Dutch Agencies Provide Crucial Intel About Russia’s Interference in US-Elections by de Volkskrant

Image sources: map - ioat/Shutterstock.com; kitten - Andres Chaparro/Pexels; puppy - Lum3n/Pexels\

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →