Over the past few months, an escalating series of attacks on computer networks—many of them inflicted by something called the Mirai botnet, which uses a web of infected DVRs, webcams, and other “smart” devices to drown targeted websites in traffic—has wrought unprecedented havoc all over the world. Experts have speculated that these distributed denial-of-service (DDOS) attacks are a “rehearsal” for something bigger. Meanwhile Russian hackers have been busy throwing monkey wrenches into the American presidential election, breaking into the computers of the Democratic National Committee this summer and (it seems) leaking emails from John Podesta, a high-level aide to Democratic presidential nominee Hillary Clinton.
The confluence of these two threats—a super-powerful botnet and the specter of Russian influence on the contest between Hillary Clinton and Donald Trump—has stoked fears of a massive cyberattack that could upend the vote on November 8.
So, yes, the government and the cybersecurity industry are on high alert. “A lot of actors will try to take advantage of a high-profile event to cause trouble or raise their profiles,” says Ian Gray, a cyber intelligence analyst for Flashpoint, which has been at the center of monitoring and mitigating attacks by Mirai. But intelligence does not point to a connection between the autumn spree of DDOS attacks and a state-sponsored effort to hack the election itself. And government officials say they don’t believe an attack is likely to black out some massive chunk of the internet in order to wreak political havoc on Tuesday.
Just in Case
Headed into the election, law enforcement, intelligence, and military teams are on standby to defend the nation’s internet infrastructure, and the Department of Homeland Security’s hacking mitigation teams are likewise ready to assist private sector or government websites targeted by an attack. Cyber command posts like the DHS’ National Cybersecurity & Communications Integration Center in Northern Virginia and the Cyber Threat Intelligence Integration Center will be carefully monitoring web traffic. “We’re being hyper-vigilant to look for any activity that appears to be out of the norm,” says one high-ranking intelligence official who would only speak anonymously. “The full resources of our cyber operations are engaged.”
Thanks to preparations over the last two weeks, officials expressed cautious optimism that any Election Day cyberattacks could be contained quickly. However, officials also say that amid the public hype about cyber shenanigans, they’re anticipating confusion between real attacks and run-of-the-mill technical issues—computer crashes, power failures, or overloaded websites that, in an instant news cycle, might engender fear of a looming attack. “We’re definitely expecting the cyber equivalent of the forgotten backpack in the airport,” one senior official says.
They’re not getting ready for doomsday—it’s more like getting ready for an inbound hurricane. One senior official compared the preparations to those that accompanied the Y2K scare in 1999. Another said it was the “cyber equivalent of the physical security that would go into a presidential inauguration.” No extra personnel are getting sent to government bunkers. This, administration officials say, is standard Continuity of Government and Continuity of Operations-level preparedness—nothing like the more extensive and eminently scarier-sounding Enduring Constitutional Government and Continuity of the Presidency protocols that secure the nation’s leaders and military chain of command and would point to something more catastrophic.
Similarly, they downplayed intelligence chatter reported in recent days that might point to a pre-election al-Qaeda terror attack. The Wall Street Journal has reported that authorities are specifically focused on possible attacks in Texas, Virginia, and New York, but one senior US official who has been following the potential threats told WIRED that the al-Qaeda warning was “standard threat reporting,” typical of routine information sharing with state and local authorities in advance of a high-profile event. “There are people looking, but they’re not spun up about it,” says the high-ranking intelligence official.
Industry officials asked to speak to WIRED off the record, in part because Mirai botnets have targeted researchers who have been trying to spread and share information publicly about the malware. Government officials spoke anonymously because they were not authorized to discuss ongoing threats.
Who’s Doing the Attacking?
Part of the challenge in anticipating what might unfold Tuesday stems from uncertainty around who controls the Mirai botnet. Mirai, Japanese for “the future,” is actually numerous botnets controlled by different groups. All share the same fundamental characteristic: They are powered by various Internet of Things devices that have been seized by malware exploiting vulnerabilities in the devices’ factory settings.
The Mirai malware has been on authorities’ radar since summer, though its threat escalated following the release of a more sophisticated variant in mid-September and after its source code was released publicly soon thereafter. A run-of-the-mill DDOS attack will involve a traffic bump of perhaps around 10 to 30 gigabits per second. An annual report from the internet registrar Verisign shows that over the summer, the strength of DDOS attacks had more than doubled since 2015, to an average of around 17.3 Gbps. Over the last month, the Mirai botnet has launched DDOS attacks of unprecedented scale. The cybersecurity expert Brian Krebs’ news website was hit by a 620 Gbps attack, and the French internet provider OVH has said it saw traffic levels peak at over 1 terabit per second, the largest DDOS attacks ever.
Observers speculate that the attack on Krebs’ website might have been an experiment in advance of a larger attack, meant to help calibrate the botnet’s settings. “That was clearly a test of a big tool—you didn’t need something that big to take down Brian’s website,” the industry official says. However, reports that the African country of Liberia was knocked offline by a Mirai attack last week appear to be overblown. Krebs says that while one Liberian ISP was evidently targeted, it’s not clear there was any wider outage, a conclusion backed up by two industry researchers following Mirai. And while rumors persist that the Mirai attacks are tied to Russian or Chinese actors—based on the fact that at least some of the source code was written in Cyrillic, and some of the key botnet infrastructure is based in Eastern Europe—US officials say they doubt that Russia is behind the attacks.
They point the finger instead towards hackers who were targeting Sony’s PlayStation network during the October attack on the internet infrastructure company Dyn, which slowed or blocked access to countless major websites along the East Coast including Twitter, Reddit, Amazon, Spotify, and The New York Times. Industry researchers and US investigators say that it doesn’t appear a state actor was behind the Dyn attack. “The motivations of those behind this network would not trend with an election attack,” says one US official.
But even though the Mirai botnet doesn’t seem to have been backed by Russia (unlike the hacks of the DNC and Clinton campaign emails), US intelligence does appear to indicate that the Russian government is monitoring the Mirai DDOS attacks. That has led to some speculation that Russian hackers may deploy their own such attacks in the coming days. “It’s about creating an atmosphere of heightened anxiety,” the intelligence official says. “You don’t know when they’re going to strike. They’re trying to keep people off balance.”
A widespread attack on the nation’s voting infrastructure would be difficult to execute—America’s voting systems are too heterogeneous, antiquated, and diffuse. A likelier form of attack would be built to spread last-minute misinformation about the election. The government has warned organizations like the Associated Press, which traditionally serve as the reporting hub for the nation’s unofficial election-night results, to be on alert for possible attacks. Hillary Clinton campaign aide Jennifer Palmieri tweeted Sunday morning, “Friends, please remember that if you see a whopper of a Wikileaks in next two days – it’s probably a fake.”
Warnings like this may contribute to the fear of a massive cyber attack, but experts hope they will help inoculate the public against potential trouble on Election Day itself. “It downgrades the effect of an information campaign, simply raising awareness in advance,” says Flashpoint’s Gray. “The government’s helping to dispel the effect of any such surprise.”
It’s ironic—a few analysts have described Donald Trump’s free-wheeling and truth-challenged presidential campaign as a one-man DDOS attack on the media because of his propensity to bombard journalists with more untruths, gaffes, and Trumpisms than the press can handle. Here’s hoping the media doesn’t have to face the real thing tomorrow, too.