Is Windows the greatest cyberthreat to the 2020 US election?

If there’s going to be a successful cyberattack on the 2020 U.S election, you can be sure Windows will be involved. It’s the world’s biggest exposed attack vector and the weapon of choice of cybercriminals and intelligence agencies the world over. In addition, the world’s biggest botnets are made up of millions of infected Windows PCs used to launch cyberattacks.

There’s some evidence that Windows-based attacks may be imminent or have already started. The good news: U.S. cyberagencies are already going after potential intruders — and Microsoft just essentially brought down the world’s largest botnet.

Still, with voting under way and Nov. 3 fast approaching, there’s plenty to worry about, especially because this year’s possible wave of election cyberthreats differs from those launched before.

Here’s what you need to know — and what to expect in the runup to Election Day.

Voting machines, ballot counting aren’t the target

First, a bit of background. Intelligence agencies and security companies and researchers believe that election cyberattacks likely won’t directly target voting machines or the process of counting votes. The presidential election is a federal one only in the sense that we elect someone to a federal office. The actual voting is handled on a precinct-by-precinct basis, and there’s no practical way to change votes in every precinct.

Instead, security pros believe, attackers are more likely to use Windows-based ransomware to go after other voting-related targets in order to sow electoral chaos throughout many states and municipalities, disrupting voting and making it difficult to tally the results of a fair election. The New York Times points to this as the nightmare haunting federal officials: “In the days leading up to the election, or in its aftermath, ransomware groups will try to freeze voter registration data, election poll books or the computer systems of the secretaries of the state who certify election results.”

If the registration data and poll books are inaccessible, people won’t be able to vote. And beyond that, the article explains: “On election night there would be no faster way to create turmoil than altering the reporting of the vote — even if the vote itself was free of fraud.”

Attacks may already be happening

Security experts fear cyber incursions may already be targeting systems in order to launch the attacks on election day or shortly before it. They point to a late-September attack against Tyler Technologies, which is used by election officials around the country to aggregate and report votes, as a potential example.

Windows-based ransomware particularly worries federal officials and security pros. In a ransomware attack, hackers deny companies and governments the ability to use their own systems by locking up data and making it inaccessible. Once a ransom is paid, the attacker frees up the data and systems.

In this case, though, the attackers would lock up the data and systems and leave them locked so they couldn’t be accessed, imperiling the election. And they don’t even have to bring the entire system down to accomplish their task. If there are attacks — even minor, sporadic ones that don’t affect the results — a candidate might claim the election was fraudulent and refuse to accept the outcome.

There’s good reason to fear these kinds of ransomware attacks. The Times warns: “Over the past 18 months, cybercriminals — primarily based in Russia and Eastern Europe — have hit the American public sector with more ransomware attacks than in any other period on record, according to Emsisoft, which tracks the incursions.”

Target: Trickbot

Trickbot, believed to be the world’s largest botnet, has especially worried U.S. intelligence officials and security researchers. Its millions of infected Windows PCs are used to silently install ransomware on Windows machines. Once the ransomware is installed, hackers don’t have to attack right away. They can let the ransomware sit quietly in the background, and only launch attacks when they want — for example, just before or during the election.

The U.S. Cyber Command launched a series of attacks against Trickbot starting in late September. In the attacks, the Cyber Command sent new configuration files to infected PCs in the Trickbot network, replacing the ones hackers use. Hackers use these configuration files to send instructions to Trickbot’s fleet of PCs, for example, telling them at which internet address they should download Windows-based malware updates. The new configuration files sent by Cyber Command  “told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet,” according to Krebs on Security.

The result: all PCs with that config file could no longer be controlled by the botnet.

The Cyber Command attacked Trickbot in other ways, as well. The botnet wasn’t eliminated, but its ability to do damage was being degraded, even if only temporarily.

Then came the second punch against Trickbot — this time, thrown by Microsoft. And this one was more effective. The company “asked a federal court in Virginia to force web-hosting providers to take TrickBot’s operators offline, arguing that cybercriminals were violating the United States’ Digital Millennium Copyright Act by using Microsoft’s code for malicious purposes,” according to the Times.

In concert with that, according to a blog post by Tom Burt, Microsoft corporate vice president for  customer security and trust, Microsoft took a “technical action we executed in partnership with telecommunications providers around the world.” That action was able to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

As a result, “we have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft said.

In other words, for now, at least, Trickbot is dead. Of course, there are other threats and other botnets out there. And they might be used to try and disrupt the election.

Whether the election is disrupted in this way or not, though, one thing is clear: Windows is at the core of election security — or insecurity. Let’s hope a few weeks from now we’ll be talking about winners and losers, and not about botnets, configuration files and an election thrown into chaos.