On 5 March Italian citizens will go to the polls to vote in a general election, following the dissolution of the Italian Parliament by President Sergio Mattarella on 28 December 2017. Italy has been led by a caretaker government under the leadership of Democratic Party (PD) foreign minister Paolo Gentiloni since the resignation of former Prime Minister Matteo Renzi. Renzi stepped down following the loss of a referendum on constitutional reforms in December 2016.

This March will see the use of a new electoral system, one designed to favor coalitions by requiring the governing party to gain over 40% of the vote, thus making it harder for a single party to win a majority in Italy’s notoriously divided parliament. No party has yet polled above 40%, with a centre-right alliance formed by Silvio Berlusconi currently polling at approximately 35%.

Under the growing cloud cast by reports of network intrusions against political parties during the 2016 United States presidential election, as well as claims of a Kremlin-backed influence campaign in favour of the Front National in the French elections, political events are coming under more and more scrutiny for nefarious activity. In this blog we will assess the confirmed examples of cyber attacks that we have observed, and look back at activity seen during previous elections to forecast the type of activity we can expect. This includes hacktivism, network intrusions, data leaks and disinformation.

 

1. Hacktivism

Hacktivist actors are most often motivated by public attention, either for themselves, or the issues they claim to represent. Hacktivist attacks generally take the form of denial of service (DoS) attempts, website defacements, and the curation of open source data to appear like a data leak. The Anonymous collective has had an ongoing #OpItaly campaign since January 2017, when Italian law enforcement arrested two individuals charged with cyber espionage against politicians, public institutions, and commercial entities. The activities of the group have not yet targeted political parties, but may use the publicity surrounding the elections as a platform to gain public attention.

Further factions of the collective, such as the Italian hacktivist group AnonPlus, have specifically targeted the elections, releasing personally identifiable information of regional PD members and defacing PD websites. However, their impact so far has been limited, and is unlikely to have any lasting effect on the elections themselves: the ‘leaked’ data was already available on open sources, and their website defacements did not cause any persistent disruption.

More sophisticated threat actors have targeted the Rousseau platform used by far-right party Movimento5Stelle (M5S). #Hack5Stelle is a campaign focused on leaking names, passwords, and datasets associated with the platform, and is driven by both financial and political motives.

 

Figure 1: Twitter account offering allegedly hacked Movimento5Stelle database for sale

 

Figure 2: Landing page for the Rousseau platform

 

2. Network Intrusions

Actors may seek to target political parties or government organizations in order to exfiltrate sensitive data for use in political campaigns. Given alleged Russian involvement in the network intrusions against the Democratic party in the US, and the signing of a collaboration agreement between far-right party Lega Nord and Vladimir Putin’s United Russia party, it is plausible that a similar threat may be present during the Italian elections. Fraught current relations between Russia, NATO, and the EU, combined with the Lega Nord’s anti-EU platform, mean that the Italian elections are likely to present a target for Russian espionage campaigns. Furthermore, large financial institutions may be targeted given the focus on the economy and currency in this year’s election.

Social engineering and spear phishing remain the most successful attack vectors for network intrusions, and this is unlikely to change for the Italian elections.

 

3. Data leaks

While a number of activist groups have leaked open source databases of local political parties, a more sophisticated threat actor could release sensitive or confidential information in order to bias political opinion. Such information can be obtained in a number of ways and be used by a variety of threat actors, including both ideologically motivated individuals and nation state groups. Phishing and social engineering attempts, network intrusions, and document theft from insiders are all ways in which threat actors may seek to obtain such data. We detected no data leak campaigns relating to the Italian elections at the time of writing.

 

4. Disinformation

False media reporting, also known as the fake news phenomenon, is increasingly used by threat actors to sway or alter public political opinion. Such activity uses a wide variety of platforms, including legitimate or spoof accounts on social media such as Facebook and Twitter, and interweaves legitimate reporting with exaggerated or false reporting. During the French elections, we observed a claim of plagiarism, as a spoofed website of the legitimate Belgian newspaper Le Soir published articles alleging that Saudi Arabia was financing Emmanuel Macron’s campaign. We outlined the easy availability of such tools in our previous report, The Business of Disinformation.

Although no legitimate newspapers have claimed plagiarism during the Italian elections, a number of Twitter accounts related to Wikileaks Italy (@Wikileaks_Ita, with which the main Wikileaks account has denied any official association) have been tweeting news relating to the current Eni bribery investigations. The account uses a combination of real news reports and rumours to allege former Prime Minister Renzi’s involvement with criminal activities. Although Renzi is not standing in this election, such an allegation has a reputational impact for the PD, Renzi’s party.

 

Figure 3: Twitter account impersonating WikiLeaks used to spread articles on corruption investigations

 

Furthermore, fake accounts on Twitter and Facebook used in the referendum campaign in 2016 have been reanimated in support of Matteo Salvini, leader of the Lega Nord. A number of automated accounts have been linked to the party’s official Twitter feed, @LegaSalvini. Although these bots have not been used to publicize fake news, they have been used to bias or promote political opinions by artificially inflating the support and publicity accorded to Salvini.

 

   

Figure 4: Examples of Twitter bots all used to publish the same posts in support of Matteo Salvini

So what?

Despite ongoing concern surrounding elections, it is unlikely that outside threat actors will seek to interfere in an already chaotic process. Unlike elections in France and Germany in 2017, the Italian electoral process is much more obscure, and the proliferation of smaller parties makes it difficult to definitively outline where an influence campaign could add value. Similarly, it is difficult to understand which party any external threat actor would seek to influence, as none are likely to gain a clear lead, and all have made varying conflicting and public statements about the parties with whom they would be willing to cooperate.

The most likely threat comes from internal hacktivist campaigns: in addition to defacement attacks, groups may seek to conduct DDoS attacks against election infrastructure or to deface official websites, hindering the voting process.

While the scenarios above remain unclear, organizations can help protect themselves against many of the techniques and threats described. Mitigation measures include:

  • Providing adequate training for staff regarding the threat from spear phishing and social engineering attacks. This will mitigate against the most likely, but not the only, attack vectors for network intrusion and public data leaks.
  • Properly securing public facing applications and tracking activist campaigns.
  • Enforcing strong password security practices to reduce the likelihood of account takeovers.
  • Remaining skeptical about reported statistics and stories.
