It appears Russia didn’t attempt to disrupt the 2016 election through ads only on social media.
Nearly lost amid the deluge of reports about Kremlin-run Facebook and Twitter campaigns designed to influence the American electorate, the Department of Homeland Security last week messily notified 21 states, including Wisconsin, that Russia had targeted their election systems. The Wisconsin Elections Commission (WEC) then quietly issued a press release describing an unsuccessful August 2016 cyberattack that took the form of neither a targeted phishing attack nor an attempt to crack a password, but an ad.
The elections commission said that the state IT division’s protective measures had “blocked an advertisement embedded in a publicly available website from being displayed on a WEC computer.” When the state Department of Enterprise Technology provided the IP address it had blocked to DHS, the agency identified that address as “connected to Russian government cyber actors,” according to the release.
Steve Michels, the DET’s communications director, told TPM that the ad his department’s firewall identified and blocked was consistent with run-of-the-mill website advertising. Such filtering “commonly occurs in conjunction with an internet advertising pop-up or banner,” he said. While Michels said he couldn’t confirm what site the ad originated with, neither Facebook nor Twitter serves pop-up or banner ads.
“This attempt was blocked by our web content filtering tool and no data was exfiltrated,” Michels told TPM. “This blocked content request came on an elections commission network, likely a desktop computer.”
Toni Gidwani, director of research operations for respected cybersecurity firm ThreatConnect, told TPM that such “malvertising”—malicious advertising—” is a pretty common attack vector.” Gidwani, who cautioned that ThreatConnect couldn’t independently verify DHS’s claim of Russian targeting of Wisconsin without the actual IP address, which Michels declined to disclose, said the tactic is often used on general-interest sites where advertisers don’t exercise broad control over their audiences.
“If the website was something really specific to elections and/or something that WEC workers specifically would navigate to more consistently than other targets, that would be notable,” she told TPM. “If the website was something really general, then it might be hard to make the case that the activity was targeting the WEC. ”
The first kind of attack to which Gidwani referred is sometimes called a “watering hole,” a trap set for a particular set of users at a website they seem likely to visit; it’s not clear that the WEC employee who set off the ad was targeted that way. But it does appear that Russian cyberactors were able to participate in the broader digital ad ecosystem, with its self-applied regulations and well-documented vulnerability to malicious activity, in addition to their use of Facebook and Twitter ads.
It’s not clear what the 2016 attack was intended to accomplish, but tools designed for ad fraud—usually used to inflate the records of successfully completed ads, which determine how much an advertiser pays—have been repurposed in the service of Russian propaganda efforts before. In 2015, someone used a network of bots designed for malvertising to redirect users to pro-Russian videos on Dailymotion.
Jonathan Albright, research director at the Two Center for Digital Journalism who was mapping ecosystems of online disinformation as far back as November 2016, told TPM that many of the websites spreading that disinformation contained malicious code.
“There were definitely suspicious resources (i.e., content and code) in the batch of propaganda/disinfo/hoax sites I looked at back in November 2016,” Albright said. “If I remember, I believe 3 of the 116 sites were pre-emptively blocked by my browser as I scraped the ad tech. Lots of redirects to weird IPs, external insecure image/graphics loading, etc.”
Targeting a body like the Wisconsin Elections Commission would not be a particularly difficult or sophisticated operation, Albright said.
“It’s absolutely possible to target a business, and based on what I’ve seen, even more likely that an individual government office or bureau/department would be targeted,” he told TPM. “I think a directed story or topical hoax piece could be written to bring in a specific audience and then used as a vector to compromise individual computers and/or ranges of IP addresses.”
Wisconsin blocks tens of thousands of attempts to game its web applications and more than half a million attempts to crack passwords annually, Michels said. He was emphatic that the ad served to the WEC computer was one small attack in a sea of similar attempts, and that it was thwarted.
Regardless, experts already suspected that Russian government operators had used malvertising elsewhere; now DHS has confirmed they used it in the 2016 elections, too.