The Korea Times

South Korea ill-prepared for election cybersecurity

A voter puts a marked ballot into a ballot box in Seoul's Jongno District during the presidential election held on March 9, 2022. Korea Times photo by Shim Hyun-chul

National Election Commission dismisses foreign meddling in elections through voter registration data, reveals unpreparedness for risks of cyber breach

This is the second in a two-part series highlighting elections and cyberattacks as the nation will hold National Assembly elections in April next year―ED.

By Kang Hyun-kyung

The National Intelligence Service (NIS) notified the National Election Commission (NEC) that a North Korean hacker had breached an NEC official's email account.

The warning came on March 21, 2021, two weeks before the April 7 by-elections.

In an email sent to the election board, the intelligence agency said the North Korean cyber actor penetrated an unnamed NEC official's email account and viewed it for 10 minutes before logging out. Personal details of the targeted employee, such as name, rank and email, as well as the recipient were included in the email message.

The NIS' email was disclosed in a media report in May when the election board, which was and still is reeling from nepotism allegations, snubbed the intelligence agency's repeated calls for cybersecurity checkups ahead of the 2024 National Assembly elections.

Days later, the embattled NEC accepted the call, allowing the NIS, in collaboration with the Korea Internet & Security Agency, to conduct cybersecurity checkups on the election board.

Cybersecurity expert Choi Sang-myung, also known as Simon Choi, said the NEC staffer's compromised email account suggests that the North Korean hacker had succeeded in the first necessary step to breach the NEC's computer system.

“Depending on who the victim was, the North Korean hacker's intrusion could have a devastating impact,” he said. “If the victim was on the staff in charge of maintaining the NEC's server or other critical infrastructure, the breach itself could have been critically damaging.”

In general, however, Choi said state-sponsored hackers like the North Korean cyber actors launch repeated attacks until they accomplish their goal.

“One possible scenario will be that they send spoofed spear-phishing emails to many other NEC officials to steal their login credentials or other critical information that can ensure their access to the NEC's system and infect their computers until they can find the most effective route to conduct cyberattacks on the election system,” he said.

According to the NIS, there have been eight occasions of cyberattacks on the election board over the past two years, seven of which came from North Korean cyber actors affiliated with the country's Reconnaissance General Bureau.

The intelligence service said the most recent attacks were discovered on March 21 when North Koreans sent malware-laced emails to an unspecified number of NEC staffers. Cyber actors send spear-phishing emails to steal login credentials and gain access to their targets' computers and online accounts.

It remains unknown whether or not any of the NEC officials' computers were compromised.

The ruling People Power Party (PPP) has been wary of North Korea's purported intrusion as the nation is scheduled to hold National Assembly elections next year.

In a joint statement released on May 3, the PPP members of the National Assembly Public Administration and Security Committee urged the NEC to strengthen its cybersecurity measures.

“If North Korean cyber actors succeed in breaching the election infrastructure, they can steal voter registration data or manipulate election results. It could also paralyze the election system,” they said in the statement.

The PPP and the main opposition Democratic Party of Korea (DPK) agreed to launch a parliamentary probe into the NEC over North Korea's cyberattacks and the nepotism allegations, in which current and former NEC senior officials are accused of having exerted influence one way or another to place their children in the election board.

It remains uncertain when the bipartisan committee will be launched as the two parties have been locked in partisan politics over the release of wastewater from the Fukushima nuclear power plant.

The NEC appears to be ill-prepared for election interference.

Responding to some conservative activists' vote-rigging allegations about the 2020 National Assembly elections on its website, the NEC confidently dismissed any possibility of voter registration data being stolen.

“Is it possible to alter election outcomes with stolen electoral roll data? The answer is no,” the NEC website reads.

It explains that electoral roll data is only used to check whether or not people who show up at polling stations on Election Day are eligible voters, stressing that Korea uses paper-based ballots, not electronic voting machines, and therefore it is protected from cyberattacks of all kinds.

In this image captured from the National Election Commission's website, the election board dismisses the possibility of election interference through stolen voter registration data.

This statement is misleading, if not misinformation.

Cyber intrusions can be made in several different stages of the electoral process.

Paper-based voting is widely believed to be safe from cyberattacks.

But votes cast need to be counted, captured, stored and transmitted for election results, and varying degrees of technology are used in the process. This means cybersecurity risks still lurk in South Korea's election system.

Tarun Chaudhary, global cyber diplomacy specialist at the Washington D.C.-based nonprofit group International Federation for Electoral Systems (IFES), said voter registration databases are one of the biggest targets for malicious cyber actors.

“Key processes that are often targeted by threat actors (from a worldwide perspective) include voter registration information, results management systems and systems for public communication,” he said in a recent email interview with The Korea Times.

He said the election board should be fully prepared for cyberattacks before, during and after elections. “Elections commissions should put into place a comprehensive cybersecurity strategy that includes measures to prevent and manage cybersecurity risks and steps to respond to cybersecurity events as they happen,” he said.

Stolen electoral roll data can pose a grave threat to the integrity of elections, and this is particularly so if the malicious cyber actors are skilled hackers like North Koreans or Russians.

If cyber actors successfully access electoral roll data, there is a lot they can do to interfere in elections.

Identity theft is one of the best-known risks of stolen voter registration information.

Cyber actors can also alter, delete or manipulate the database in their favor and as a consequence can eventually cause an Election Day meltdown.

Senator Marco Rubio, the vice chairman of the U.S. Senate Select Committee on Intelligence, said manipulation of voter databases is the minimum thing that malicious cyber actors can do, hinting that there is much more they can do with the stolen data.

“Among the things in the Senate Intelligence Committee preliminary report we released this week is that during the 2016 election cyber actors were in a position to, at a minimum, alter or delete voter registration data in a number of states,” he wrote on Twitter on May 11, 2018.

“My biggest concern is that on Election Day you go to vote and have mass confusion because voter registration information has been deleted from the systems.”

An election worker holds ballot papers in this photo taken on March 9, 2022, during the presidential election. Korea Times photo by Shim Hyun-chul

Testifying to the U.S. Senate Intelligence Committee over Russian intervention in the 2016 U.S. presidential election, an unnamed official of the Department of Homeland Security (DHS) also addressed the danger of stolen voter registration information.

“Russia would have had the ability to potentially manipulate some of that data, but we didn't see that,” the official was quoted as saying in the Senate intelligence report released in 2019. “The level of access that they gained ― they almost certainly could have done more. Why they didn't … is sort of an open-ended question.”

The Russian military intelligence cyber actors successfully penetrated Illinois' voter registration database in 2016, ahead of the U.S. presidential election.

According to the U.S. Senate report, Russians accessed up to 200,000 voter registrations. The compromised data included each voter's name, address, partial social security number, date of birth and either a driver's license number or state identification number.

“The Russian cyber actors were in a position to delete or change voter data, but the committee is not aware of any evidence that they did so,” the report reads.

Russia's intervention in the U.S. presidential election consisted of three stages.

Cyber actors affiliated with Russia's Main Intelligence Directorate of the General Staff, better known by its acronym GRU, launched the social media campaign in favor of then-Republican candidate Donald Trump, hacked then-Democratic Party candidate Hillary Clinton's campaign and leaked stolen documents to discredit Clinton. These activities were conducted by GRU's subdivision military unit 26165.

Other Russian military intelligence agents affiliated with military unit 74455, meanwhile, persistently and systematically attacked the election boards and related entities and individuals. Military unit 74455 is the one also responsible for the cyberattack on the 2018 PyeongChang Winter Olympics Opening Ceremony.

Special Counsel Robert Mueller investigated Russia's social media campaign and the cyberattacks against the Clinton campaign. Russian cyber actors' intrusions of the election boards and related entities were investigated by the FBI and DHS.

The U.S. Senate concluded that Russia's interference didn't alter the election outcome.

Contrary to the NEC's claim, there is no electoral system that is completely safe from election interference, so long as technology is involved in any stage of the electoral process.

Chuck Brooks, president of Brooks Consulting International, warned of the consequences of a purported cyber intrusion by North Korea or any other foreign state actors on Korean elections.

“There is a real possibility that a spear-phishing attack on election board officials could compromise actual voter databases or interfere with tabulations,” he said in a recent email interview with The Korea Times. “There is a variety of cybersecurity procedures and tools that can help mitigate attacks and it would be prudent to assume that elections could be breached and lead to stolen votes.”

Brooks advised South Korea to fix the vulnerabilities.

“Since the election is next year, there is time to fix voting systems,” he said.
