In August 2020, the US Senate Intelligence Committee released a nearly one-thousand-page report documenting the Russian Government’s interference in the 2016 presidential election. The report conclusions leaned on a District of Columbia federal grand jury decision to indict twelve Russian military intelligence officers for their alleged roles in interfering with the elections. As foreign election interference remains a severe threat to US democratic processes, new findings may reveal past, ongoing, and future election-process exposure to foreign interference. Therefore, this blog shows how the State of Texas may become a victim of foreign interference with their forthcoming elections.
Threat Actors Continue to leak Government documents
On February 21, 2022, Cyble Research Lab discovered a Threat Actor (TA) named datarobberman who posted a Texas Republican Campaign data leak on a cybercrime forum. The TA claims that the data leak originates from two US-based companies, EasyVote and ProtectionSolutions. EasyVote Solutions provides election officials software to reduce the time it takes to perform election tasks, and Protection Plus Solutions is a background check screening company.
Figure 1 shows the post by the TA on RaidForums.
The TA exposed 100 documents as a Proof of Concept for its claim. These documents reveal operational, financial, and legal information about the State of Texas’ Republican Party and its members. The provided information ranges from personally identifiable information (PII) data to appropriate licenses to operational details, as shown in the following figures.
Ransomware Novel Approach Helps Threat Actors Access Critical Infrastructure
Ransomware operations are highly lucrative for cybercriminals. For example, an attacker can steal sensitive data for victim organizations before deploying a ransomware payload, called the double extortion technique. Cyble Research Lab has recently identified the novel ransomware approach used by threat actors, who sell access to critical infrastructure rather than sell stolen data.
On February 19, 2022, the Everest Ransomware group posted on their site a leak post, claiming to have access to various servers, databases, backups, employee access to the administration of POS terminals, and much more. The TA was selling access for 250K USD. The group lures its buyers by stating that “You can become king of electricity of the country.”
Figure 10 shows a recent post of the Everest Ransomware group on their website.
Everest Ransomware group allegedly claimed that they have access to the following critical infrastructure of the USA, Argentina, and Peru:
- Ministry of Economy of Peru – Access to 600 pc along with a lot of confidential documents, pst files of employees.
- Argentina Government – Root access MySQL & phpMyAdmin.
- USA Government – Root access of multiple servers.
Everest Ransomware group has been active since 2021, and Cyble Research Labs has been monitoring the group since then. Figure 11 showcases the heat map of the Everest Ransomware group attacks and their victim distribution thus far.
The top 5 countries targeted by the Everest Ransomware group are France, the United States, Canada, Italy, and Australia.
Everest Ransomware group is known to target legal services, with more than 35% of victims observed within this sector, shown in Figure 12.
Conclusion
Election interference remains one of the US Government’s highest homeland security priorities. The present leak reveals how severe election-related interference is, showing everything from the volunteer’s PII to legal documents to financial documents. Consequently, state-sponsored TAs have many options to influence any future local, state, or federal US elections – TAs could implement anything from social engineering to election staff blackmailing to supply chain disruption. Therefore, private-public cooperation remains essential in protecting free democratic elections.
As stated by the ransomware group, the largest defense electronic equipment company’s data files are exposed and for sale. This claim poses a significant threat to the entire electric grid of a country. Especially in current times of uncertainty due to various geopolitical events happening around the globe, the buyers for this kind of access sold in the dark web can be seen increasing.
Our Recommendations
Following some essential cybersecurity best practices create the first line of control against attackers. We recommend our readers to follow best practices as given below:
- Have a strong password policy.
- Regular audits and VAPT exercises help find loopholes that an attacker can exploit.
- Cybersecurity awareness training for staff and management is necessary.
- Include threat intelligence in the security posture of the company.
- Keep software and firmware updated.
- Limit exposure of critical assets over the internet.
- Implement a zero-trust security model.
Disclaimer
The Cyble Research team will continue to investigate the claims made by the Threat Actor. We monitor data leaks on the dark web to inform our customers about such incidents and validate their impact from third-party breaches.