Election Security

Subverting Democracy: How Cyber Attackers Try to Hack the Vote

Everything you need to know about APT28 and APT29, the attackers that attempted to influence the U.S. presidential election.

The U.S. midterm elections are taking place on November 6 and, given what happened in the run-up to the 2016 presidential election, many voters may be concerned about whether foreign espionage actors will once again attempt to influence the vote.

Cyber attacks played a central role in the 2016 campaign, creating some of the main controversies of the campaign. Multiple organizations were targeted, with the most talked about incident being the attack on the Democratic National Committee (DNC) which resulted in nearly 20,000 internal emails being leaked.

With the midterm elections now around the corner, there are naturally concerns about further attacks. Here’s a short primer on the 2016 attacks and what tactics were used by the attackers:

How can cyber espionage groups interfere with elections?

While there are many ways a cyber espionage actor could potentially interfere with an election, proven cases to date have involved compromising targeted organizations in order to steal and leak information in the hope that it could influence the outcome and/or sow distrust in the political process.

During the 2016 U.S. presidential election, two cyber espionage groups, APT28 and APT29, compromised a number of political targets, including the DNC, and stole a cache of information, including a large number of emails. These emails were then leaked online, and their contents became a significant talking point during the campaign. According to the U.S. government, both APT28 and APT29 are linked to the Russian government.

Who is APT28?

APT28 (aka Sofacy, Fancy Bear, Swallowtail, Tsar Team, Sednit) is believed to be a Russian cyber espionage group which has been active since at least January 2007. The group was initially known for traditional, information-stealing espionage campaigns, targeting governments in the U.S. and Europe. It became involved in more overt, disruptive operations in the run-up to the 2016 U.S. presidential election. It was also responsible for the 2016 attack on the World Anti-Doping Agency (WADA) and the subsequent leak of drug-testing information.

How does APT28 infiltrate targets?

The group has been known to employ a variety of methods to gain access to targeted organizations’ networks. These include spear-phishing emails, watering hole websites, infected storage devices, and exploitation of software vulnerabilities, including zero-day vulnerabilities.

During the 2016 U.S. presidential election attacks, APT28 used spear-phishing emails that tricked recipients into supposedly changing their email passwords on a fake webmail domain. The group then used these stolen credentials to gain access to email accounts and steal the contents. This information was later leaked.
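The credential-phishing technique described above relies on a victim following a link to a webmail domain that imitates the real one. The following is an added example of a defender-side check, not code from Symantec or from this post: it scans constructed mail-gateway log lines for links whose hostname is the organisation's real webmail zone, a lookalike of it, or something unrelated. The legitimate domain `webmail.example-party.org`, the log format, and every sample line are constructed assumptions; a real deployment would replace the two-label `registrable_domain` heuristic with a Public Suffix List lookup.

```python
"""Flag lookalike webmail domains in constructed mail-gateway log lines.

Added example, not Symantec's code. The legitimate domain, the log
format and all sample lines are constructed assumptions for illustration.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed: the organisation's real webmail host (constructed placeholder).
LEGIT_WEBMAIL = "webmail.example-party.org"

# Constructed gateway log lines: "<timestamp> <recipient> url=<link found in message body>"
SAMPLE_LOG = """\
2018-10-01T10:02:11Z alice@example-party.org url=https://webmail.example-party.org/owa/
2018-10-01T10:04:52Z bob@example-party.org url=http://webmail-example-party.org/reset?u=bob
2018-10-01T10:05:30Z carol@example-party.org url=https://example-party.org.account-verify.info/login
2018-10-01T10:07:03Z dave@example-party.org url=https://webmai1.example-party.org.co/change-password
2018-10-01T10:09:44Z erin@example-party.org url=https://news.example.com/article/123
"""

URL_RE = re.compile(r"url=(\S+)")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (adequate for .org/.com/.info here;
    use the Public Suffix List in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, legit: str = LEGIT_WEBMAIL) -> str:
    """Return 'legit', 'lookalike' or 'other' for a hostname found in a message link."""
    host = host.lower()
    legit_reg = registrable_domain(legit)  # example-party.org
    if registrable_domain(host) == legit_reg:
        return "legit"  # any host inside the organisation's own zone
    brand = legit_reg.split(".")[0]  # example-party
    # Brand name re-used inside a different registrable domain, or as a
    # subdomain of one (e.g. example-party.org.account-verify.info).
    if brand.replace("-", "") in host.replace("-", ""):
        return "lookalike"
    # Near-miss spelling of the full webmail hostname (l -> 1, etc.).
    if levenshtein(host, legit.lower()) <= 2:
        return "lookalike"
    return "other"


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (recipient, host, verdict) for every lookalike link in the log."""
    findings = []
    for line in log_text.splitlines():
        match = URL_RE.search(line)
        if not match:
            continue
        host = urlparse(match.group(1)).hostname or ""
        verdict = classify_host(host)
        if verdict == "lookalike":
            recipient = line.split()[1]
            findings.append((recipient, host, verdict))
    return findings


if __name__ == "__main__":
    for recipient, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict.upper():9} {recipient:28} {host}")
```

Three of the five constructed lines are flagged: the hyphenated clone, the real domain embedded as a subdomain of an unrelated zone, and the typo-squat under a different TLD. Links into the organisation's own zone and unrelated news sites pass. Alerts of this kind are most useful when paired with a password-reset policy that never arrives by emailed link, so that any "change your password" message is suspicious on its face.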

What tools does APT28 use?

Symantec has seen APT28 use a number of custom malware tools, including:

Who is APT29?

APT29 (aka Cozy Bear, Fritillary, the Dukes) is believed to be a Russian cyber espionage group which has been active since at least January 2010. Like APT28, it initially confined itself to spying campaigns, focusing on governments, the military, and think tanks in the U.S. and Europe. It later became involved in more subversive operations and was implicated (along with APT28) in disruptive attacks prior to the 2016 U.S. presidential election.

How does APT29 infiltrate targets?

APT29 usually relies on spear-phishing emails to gain access to targeted organizations’ networks.

During the 2016 U.S. presidential election attacks, APT29 sent spear-phishing emails to over 1,000 targeted individuals, including some U.S. government personnel. These emails contained malicious links which, if clicked, would lead to malware being installed on the target’s computer. This allowed APT29 to compromise a political party’s systems and steal emails from several accounts on the network.

What tools does APT29 use?

Symantec has seen APT29 use a number of custom malware tools, including:

Has Symantec previously published research on APT29?

Yes, in July 2015 we published a blog: “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory

How likely are we to see a repeat of these tactics during the 2018 midterm U.S. elections?

Given the impact the 2016 attacks had, there is a strong likelihood that these tactics may be used again in a bid to sow discord and confusion among voters.

How has the link between APT28, APT29, and Russia been established?

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have concluded that both groups are linked to the Russian government. Symantec has no evidence that conflicts with this conclusion.

What is the difference between APT28 and APT29?

The groups are believed to be linked to different Russian agencies. Special counsel Robert Mueller’s investigation has indicted 12 alleged members of Russia’s military intelligence agency (known as GRU) for activity relating to the APT28 attacks.

About the Author

Symantec Security Response

Security Response Team

Symantec's Security Response organization develops and deploys new security content to Symantec customers. Our team of global threat analysts operate 24x7 to track developments on the threat landscape and protect Symantec customers.
