A three-pronged wave of cyber-attacks aimed at wrecking Ukraine’s presidential vote – including an attempt to fake computer vote totals – was narrowly defeated by government cyber experts, Ukrainian officials say.
The still little-known hacks, which surfaced May 22-26, appear to be among the most dangerous cyber-attacks yet deployed to sabotage a national election – and a warning shot for future elections in the US and abroad, political scientists and cyber experts say.
National elections in the Netherlands, Norway, and other nations have seen hackers probe Internet-tied election systems, but never with such destructive abandon, said experts monitoring the Ukraine vote.
“This is the first time we’ve seen a cyber-hacktivist organization act in a malicious way on such a grand scale to try to wreck a national election,” says Joseph Kiniry, an Internet voting systems cyber-security expert. “To hack in and delete everything on those servers is just pillaging, wanton destruction.”
That wanton destruction began four days ahead of the national vote, when CyberBerkut, a group of pro-Russia hackers, infiltrated Ukraine’s central election computers and deleted key files, rendering the vote-tallying system inoperable. The next day, the hackers declared they had “destroyed the computer network infrastructure” for the election, spilling e-mails and other documents onto the web as proof.
A day later, government officials said the system had been repaired, restored from backups, and was ready to go. But it was just the beginning.
Only 40 minutes before election results were to go live on television at 8 p.m., Sunday, May 25, a team of government cyber experts removed a “virus” covertly installed on Central Election Commission computers, Ukrainian security officials said later.
If it had not been discovered and removed, the malicious software would have portrayed ultra-nationalist Right Sector party leader Dmytro Yarosh as the winner with 37 percent of the vote (instead of the 1 percent he actually received) and Petro Poroshenko (the actual winner with a majority of the vote) with just 29 percent, Ukraine officials told reporters the next morning.
Curiously, Russian Channel One aired a bulletin that evening declaring Mr. Yarosh the victor with 37 percent of the vote over Mr. Poroshenko with 29 percent, Ukraine officials said.
“Offenders were trying by means of previously installed software to fake election results in the given region and in such a way to discredit general results of elections of the President of Ukraine,” the Ukrainian Security Service (SBU) said in a statement.
Still, there was more to come.
In the wee hours of the morning after polls closed, as results flowed in from Ukrainian election districts, Internet links feeding that data to the vote tally system were hit with a barrage of fake data packets – known as a distributed denial of service (DDoS) attack. So from about 1 to 3 a.m. on May 26, election results were blocked, delaying the final tally until the early morning, a preliminary report by international election observers recounted.
An analysis of the DDoS attack by Arbor Networks, a Burlington, Mass., cyber-security company, ties it to CyberBerkut.
In the end, international observers declared Ukraine’s vote “a genuine election.” But US researchers say it’s clear that Ukraine dodged a major cyber-bullet.
“We’ve seen vote fraud before in Ukraine, including a rigged computer system in 2004,” says Peter Ordeshook, a California Institute of Technology political scientist. “But this wasn’t an effort to steal the election outcome, so much as to steal the election itself – by entirely discrediting it in the eyes of key segments of the population in Ukraine and in Russia, too.”
While it was well understood across most of Ukraine and internationally that the far-right candidate Yarosh had little political support, the faked results would have lent credibility to Russian-inspired accounts that the popular revolt last fall against the Ukraine government was fomented by ultra-nationalists.
“In that light, the cyber fakery looks incredibly clumsy from the outside because no one there would have believed it,” Dr. Ordeshook says. “But these faked results were geared for a specific audience in order to feed the Russian narrative that has claimed from the start that ultra-nationalists and Nazis were behind the revolution in Ukraine.”
If the virus with the faked computer results had not been discovered, it would have fomented unrest across the volatile ethnic-Russian Donetsk region now under the shadow of Russian forces on the border with Ukraine, he says. Such spurious results also would have undermined the credibility of the new Ukraine government and could have paved the way for Russian military action, say political scientists who monitor Ukraine elections.
The Ukraine hack is a stark warning for the US and other democracies that use the Internet for tabulation and even direct voting, election security experts say. One clear lesson, they say, is to always have paper ballots to back up election results – like Ukraine – and to avoid Internet voting.
“The Ukraine attack story demonstrates there is no shortage of methods which a determined adversary will make use of to sabotage an election,” says Pamela Smith, president of the Verified Voting Foundation, a US group that has researched US election systems security.
In the runup to the election, President Obama on May 2 warned Russia not to interfere or the US “will not have a choice but to move forward with additional, more severe sanctions.”
Since then, US officials appear reluctant to make too much of the attacks. References to the cyber-attacks have been brief and oblique. With anonymity cloaking cyber-attacks across the Internet, it’s difficult to tell how deeply involved Russia’s government might have been.
Ukraine experienced “cyber-attacks on the Central Election Commission of the kind that generally would require outside support,” Victoria Nuland, assistant secretary of State for European affairs, acknowledged in a May 27 interview on the Charlie Rose show. Mark Green, a former congressman, said in Senate testimony June 6 that he had been told by a US diplomat of a failed Russian cyber-attack on the election.
Ukrainian officials have been unabashed in throwing blame at Russia, saying that arrests were made in the case, although no names have yet been made public.
"It was prepared in advance and stored on Russian (Internet) re-sources," Volodymyr Zverev, head of the Ukraine’s Administration of Public Service of Special Communication and Protection of Information said of the malware that was intended to deliver the fake election results, according to Interfax-Ukraine. "They wanted to, and made the preparations, but they did not succeed."
While Russian hacktivists appear to be linked to at least some of the attacks, not everyone agrees the Russian government had a hand in the most devious element. Internet security expert Mr. Kiniry, for instance, says there is no solid proof yet to back the Ukrainian government claim of a virus carrying fake election results.
Others say Russia’s paw prints are all over the attack.
“Did Russia attempt to sway the Ukrainian Presidential Election? I honestly don’t know the answer to that,” says Jeffery Stutzman, CEO of Red Sky Alliance, a cyber-security group in New Hampshire.
But, he adds, “the idea that these guys were trying to poison the election result by compromising the election commission computers is amazing to me – and this coincidence with the Russian channel showing the same fake results – is just too much. If it walks like a duck and quacks like one, maybe it’s a duck.”