Election Cybersecurity: A Cybercriminal Network Goes Dark as High-Profile Attacks Continue

As Republican Senator Marco Rubio warned in 2016, when some members of his party were happily using information that Russia had stolen from Hillary Clinton’s campaign: “Today it is the Democrats. Tomorrow, it could be us.”

Rubio was prescient. Last week, the Republican Party announced that it had in fact now become a target.

The Republican National Committee said that one of its third-party technology vendors, Synnex, had been hacked. Initial reports indicate the hack was conducted by Cozy Bear, a group backed by Russian intelligence — and the same organization that allegedly broke into the Democratic National Committee’s systems in 2016.

The RNC’s announcement comes on the heels of “the single largest global ransomware attack on record,” also conducted by Russian cybercriminals — a hack of software provider Kaseya, an operation that shut down hundreds of businesses around the world because of interruptions to their systems. Another Russian cybercriminal group, REvil, was likely responsible for that attack (in addition to also being behind the ransomware attack on meat processing company JBS in May).

But in a plot twist worthy of a spy novel, REvil mysteriously disappeared from the internet a few days ago.

It’s unclear why REvil’s online properties went dark. One possibility is that the criminal enterprise is trying to lay low after conducting several high-profile, successful attacks. It’s not uncommon practice for these groups to go quiet, only to later reemerge after some of the attention has subsided.

Another possibility is that someone — such as the United States government — took REvil’s properties offline, to send the group a message that there will be consequences for its actions.

A third option is that the Russian government directed REvil to go or be taken offline, to release some of the international pressure that’s been building because of these attacks. U.S. President Joe Biden spoke with Russian President Vladimir Putin several days ago about a number of issues, including the latest ransomware attacks. According to the White House:

“President Biden underscored the need for Russia to take action to disrupt ransomware groups operating in Russia and emphasized that he is committed to continued engagement on the broader threat posed by ransomware. President Biden reiterated that the United States will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”

We don’t know whether Putin took that message seriously and, as a result, REvil was somehow shut down by Russian actions or pressure — but it’s not out of the question.

Whatever the cause of or reason for REvil’s darkness, it’s almost certain that we haven’t seen the end of the organization, and experts will be on the lookout for how and when it reappears.

Finally, a ray of good news to end this week’s blog: On Monday, the U.S. Senate confirmed Jen Easterly as the next head of the Cybersecurity and Infrastructure Security Agency (CISA), the organization tasked with securing federal networks and helping state and local governments, the private sector, and other critical infrastructure operators protect their properties. Easterly is a former senior official at the National Security Agency and the White House, where she worked on cyber issues and counterterrorism, and is a well-respected expert who will bring strong leadership and substantive expertise to CISA. It is essential to have competent public servants in these roles, as unfortunately cyber attacks increase in their scope and scale.

By Marie Harf
International Elections Analyst, USC Election Cybersecurity Initiative

Marie Harf is a strategist who has focused her career on promoting American foreign policy to domestic audiences. She has held senior positions at the State Department and the Central Intelligence Agency, worked on political campaigns for President Barack Obama and Congressman Seth Moulton, and served as a cable news commentator. Marie has also been an Instructor at the University of Pennsylvania and a Fellow at Georgetown University’s Institute of Politics and Public Service.

 For more resources and insight into the state of elections in the US and abroad, be sure to check the USC Election Cybersecurity Initiative’s Experts Corner each week.