
SC-055: Election Infrastructure Attack

Scenario Overview

The nation-state threat actor "IRON COMPASS" conducts a multi-phase attack against election infrastructure in the fictional state of New Columbia. The operation begins 90 days before the general election with targeted spearphishing of county election officials. After compromising VPN credentials, the attackers access the statewide voter registration database and subtly manipulate voter records in key precincts — changing addresses, marking active voters as inactive, and altering polling place assignments. On election day, thousands of voters encounter check-in failures at their assigned polling locations. Simultaneously, IRON COMPASS launches a volumetric DDoS attack against the state's election night reporting system, delaying results publication for 6 hours and amplifying public uncertainty. The combined effect is designed to undermine confidence in the democratic process rather than change vote tallies directly.

Environment: New Columbia State Election Infrastructure; voter registration DB at 10.60.0.0/16; election night reporting at reporting.elections.newcolumbia.example.com
Initial Access: Spearphishing county election officials (T1566.001) → VPN credential theft
Impact: 12,400 voters affected by record manipulation; 6-hour reporting delay; public confidence crisis
Difficulty: Advanced
Sector: Government / Election Infrastructure


Threat Actor Profile

Attribute | Details
Name | IRON COMPASS
Type | Nation-state sponsored APT
Motivation | Undermine democratic processes and public confidence in elections
Capability | Advanced — custom tooling, operational patience, coordinated multi-phase operations
Target Sector | Election infrastructure, government agencies, political organizations
Active Since | 2023 (attributed to 7 election interference campaigns globally)
Attribution Confidence | High — based on infrastructure reuse and SIGINT reporting

Attack Timeline

Timestamp (UTC) | Phase | Action
2026-08-01 (Day -92) | Reconnaissance | IRON COMPASS maps New Columbia election infrastructure via OSINT; identifies county election officials from public records
2026-08-10 (Day -82) | Initial Access | Spearphishing emails sent to 45 county election directors; 3 compromised
2026-08-10 14:22:00 | Credential Harvest | Phishing page at elections-update.example.com harvests VPN credentials
2026-08-12 02:00:00 | Initial Access | Attacker logs into state election VPN using stolen credentials from Lincoln County director
2026-08-12 02:30:00 | Discovery | Enumerate internal network; identify voter registration database server (10.60.10.20)
2026-08-15 (Day -77) | Persistence | Deploy lightweight backdoor on VPN-accessible jump server (10.60.5.10)
2026-08-20 (Day -72) | Credential Access | Extract database credentials from election application config files
2026-09-01 (Day -60) | Data Manipulation | Begin voter record modifications — low-volume, targeting swing precincts
2026-09-01 - 2026-10-15 | Data Manipulation | 12,400 voter records altered across 8 counties over 45 days
2026-10-20 (Day -12) | Staging | Pre-position DDoS botnet infrastructure targeting reporting.elections.newcolumbia.example.com
2026-11-01 06:00:00 | Impact — Election Day | Voters begin reporting check-in failures at polling locations
2026-11-01 20:00:00 | Impact — DDoS | Volumetric DDoS attack against election night reporting (180 Gbps)
2026-11-01 20:15:00 | Detection | State IT detects DDoS; voter record anomalies identified through helpline surge
2026-11-02 02:00:00 | Recovery | Reporting restored after DDoS mitigation; voter record audit initiated

Technical Analysis

Phase 1: Spearphishing Election Officials

IRON COMPASS crafts highly targeted phishing emails impersonating the Election Assistance Commission (EAC).

# Phishing email (reconstructed from mail gateway logs)
From: security-updates@eac-portal.example.com
To: director@lincoln-county-elections.example.com
Subject: [ACTION REQUIRED] Critical Security Update for Election Systems
Date: Mon, 10 Aug 2026 14:22:00 +0000
Reply-To: support@eac-portal.example.com

# Email body (reconstructed):
# "Dear Election Director,
#  The EAC has identified a critical vulnerability in state election VPN systems.
#  All county election directors must update their VPN credentials immediately.
#  Click here to update: https://elections-update.example.com/vpn-reset
#  Failure to update within 48 hours will result in VPN access suspension.
#  — Election Assistance Commission Cybersecurity Division"

# Phishing infrastructure:
# Domain: elections-update.example.com
# IP: 198.51.100.30
# SSL: Let's Encrypt certificate (valid, no browser warnings)
# Credential harvesting page: cloned state VPN login portal
# Captured credentials forwarded to attacker via Telegram bot

# Results: 45 emails sent, 8 clicked, 3 entered credentials
# Compromised: Lincoln County, Franklin County, Jefferson County directors

Phase 2: VPN Access and Network Discovery

Using stolen credentials, IRON COMPASS accesses the state election network during off-hours.

# VPN authentication logs (from state VPN concentrator at 10.60.1.1)
# 2026-08-12 02:00:14 | user: lcounty-director | src_ip: 203.0.113.70
# | auth: SUCCESS | reason: "username/password" | MFA: NOT_CONFIGURED
# | assigned_ip: 10.60.100.55
# | duration: 3h 42m
# | bytes_in: 847MB | bytes_out: 12MB

# NOTE: No MFA configured for county VPN accounts
# NOTE: Login at 02:00 UTC (9:00 PM local) — outside business hours
# NOTE: Source IP 203.0.113.70 geolocated outside United States

# Network discovery from VPN session (reconstructed):
# nmap -sV 10.60.0.0/16 -p 22,80,443,1433,3306,3389,5432

# Key discoveries:
# 10.60.5.10   — Jump server (Windows Server 2019, RDP enabled)
# 10.60.10.10  — Election management system (EMS)
# 10.60.10.20  — Voter registration database (PostgreSQL 14)
# 10.60.10.30  — Election night reporting server
# 10.60.20.10  — Email server (Exchange)
# 10.60.20.20  — File server (election documents, procedures)

Phase 3: Voter Registration Database Access

The attacker extracts database credentials and begins querying voter registration data.

-- Database credentials found in application config (10.60.10.10):
-- File: C:\ElectionMgmt\config\database.properties
-- db.host=10.60.10.20
-- db.port=5432
-- db.name=voter_registration
-- db.user=ems_app
-- db.password=REDACTED

-- Attacker's initial reconnaissance queries (from PostgreSQL audit log):
-- Source: 10.60.100.55 (attacker VPN IP)
-- Timestamp: 2026-08-20 03:14:22 UTC

SELECT count(*) FROM voters WHERE status = 'ACTIVE';
-- Result: 4,218,500 active voters

SELECT county, count(*) FROM voters
  WHERE status = 'ACTIVE'
  GROUP BY county ORDER BY count DESC;
-- Returns voter counts by county

SELECT precinct_id, count(*) FROM voters
  WHERE county = 'Lincoln'
  AND status = 'ACTIVE'
  GROUP BY precinct_id;
-- Enumerating precinct-level voter counts

-- Attacker identifies 23 swing precincts with narrow margins
-- These precincts are targeted for record manipulation

Phase 4: Voter Record Manipulation

Over 45 days, IRON COMPASS subtly modifies voter records to cause election day disruptions.

-- Voter record manipulation (reconstructed from database WAL analysis)
-- Modifications designed to cause check-in failures at polling locations

-- Type 1: Address changes (causes precinct mismatch)
-- 4,800 records modified
UPDATE voters SET
  street_address = street_address || ' APT 2',
  last_modified = now(),
  modified_by = 'ems_app'  -- Disguised as application update
WHERE voter_id IN (SELECT voter_id FROM voters
  WHERE precinct_id IN ('LC-014', 'LC-022', 'FC-008', 'JC-031')
  AND status = 'ACTIVE'
  ORDER BY random() LIMIT 150);
-- Executed in small batches over 45 days to avoid detection

-- Type 2: Status changes (marks active voters as inactive)
-- 3,200 records modified
UPDATE voters SET
  status = 'INACTIVE',
  status_reason = 'NCOA_RETURN',  -- Disguised as USPS address update
  last_modified = now(),
  modified_by = 'ncoa_batch'  -- Mimics legitimate NCOA process
WHERE voter_id IN (/* targeted voter IDs in swing precincts */);

-- Type 3: Polling place reassignment (sends voters to wrong location)
-- 4,400 records modified
UPDATE voters SET
  polling_place_id = (SELECT polling_place_id FROM polling_places
    WHERE county = voters.county
    AND polling_place_id != voters.polling_place_id
    ORDER BY random() LIMIT 1),
  last_modified = now(),
  modified_by = 'redistricting_update'
WHERE voter_id IN (/* targeted voter IDs */);

-- Total: 12,400 voter records manipulated across 8 counties
-- Modification rate: ~275 records/day (below alert thresholds)
-- All modifications attributed to legitimate-looking system processes

Phase 5: Election Day DDoS Attack

On election night, IRON COMPASS launches a volumetric DDoS attack against the results reporting system.

# DDoS attack details (from network flow analysis)
# Target: reporting.elections.newcolumbia.example.com (10.60.10.30)
# Attack start: 2026-11-01 20:00:00 UTC (polls close)
# Attack peak: 180 Gbps (UDP amplification + SYN flood)
# Duration: 6 hours 15 minutes

# Attack vectors observed:
# 1. DNS amplification: 120 Gbps
#    - Spoofed source: 10.60.10.30
#    - Reflectors: ~45,000 open DNS resolvers
#    - Amplification factor: ~54x
#
# 2. NTP amplification: 40 Gbps
#    - MONLIST queries to ~12,000 NTP servers
#    - Amplification factor: ~556x
#
# 3. SYN flood: 20 Gbps
#    - Source: botnet (~85,000 compromised IoT devices)
#    - Target ports: 80, 443
#    - Rate: ~15M packets/sec

# Impact:
# - Election night reporting website offline for 6 hours
# - Media unable to access results API
# - Public redirected to phone hotline (overwhelmed in 30 minutes)
# - Social media disinformation amplifies "results are being manipulated" narrative

# State IT uplink capacity: 10 Gbps (overwhelmed 18x)
# No cloud-based DDoS mitigation service configured

Detection Opportunities

KQL — Off-Hours VPN Access from Anomalous Locations

// Detect VPN logins from unusual locations or during off-hours
SigninLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName == "State Election VPN"
| where ResultType == 0  // Successful logins
| extend HourOfDay = hourofday(TimeGenerated)
| extend Country = tostring(LocationDetails.countryOrRegion)  // cast the dynamic field so the comparison and make_set below behave
| where HourOfDay < 6 or HourOfDay > 20  // Off-hours
    or Country != "US"  // Non-domestic access
| summarize
    LoginCount = count(),
    UniqueIPs = dcount(IPAddress),
    IPs = make_set(IPAddress),
    Countries = make_set(Country),
    Hours = make_set(HourOfDay)
    by UserPrincipalName, bin(TimeGenerated, 1d)
| sort by LoginCount desc

KQL — Bulk Voter Record Modifications

// Detect unusual volume of voter record changes
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "UPDATE"
| where TargetResources has "voter_registration"
| summarize
    ModCount = count(),
    UniqueVoters = dcount(TargetId),
    ModTypes = make_set(ModifiedProperties),
    Sources = make_set(InitiatedBy)
    by bin(TimeGenerated, 1h)
| where ModCount > 50
| sort by ModCount desc

KQL — Database Query Anomalies on Voter Registration

// Detect unusual database queries against voter registration tables
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceType == "POSTGRESQL"
| where query_s has_any ("voters", "voter_registration", "polling_place")
| where client_ip_s startswith "10.60.100."  // VPN-assigned IPs
| summarize
    QueryCount = count(),
    UniqueQueries = dcount(query_s),
    DataVolume = sum(response_rows_d)
    by client_ip_s, usename_s, bin(TimeGenerated, 1h)
| where QueryCount > 20 or DataVolume > 10000
| sort by QueryCount desc

SPL — Suspicious VPN Authentication Patterns

index=vpn sourcetype="vpn_auth"
  action="success"
| iplocation src_ip
| where Country != "United States"
    OR (date_hour < 6 OR date_hour > 20)
| stats count as logins
        dc(src_ip) as unique_ips
        values(src_ip) as ips
        values(Country) as countries
        by user
| where logins > 0
| sort -logins
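
The two VPN queries above (the KQL and the SPL) express the same three rules: a successful session with no MFA, a login outside business hours, and a source that does not belong to the organisation. The script below is an added example, not part of the scenario, that applies those rules directly to records in the pipe-delimited format shown in the Phase 2 log excerpt, so the logic can be unit-tested before it is ported into a SIEM. The sample records, the county egress range (TEST-NET-1, standing in for the geolocation step that the SIEM queries perform) and the UTC-5 local offset implied by the "02:00 UTC (9:00 PM local)" note are all constructed assumptions.

```python
"""Flag anomalous VPN authentications in concentrator logs.

Added example (not from the scenario): the off-hours / no-MFA / unexpected-source
rules from the detection queries, run over the Phase 2 record format. All sample
lines, the county egress CIDR and the UTC-5 local offset are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed: county offices reach the VPN from these ranges (constructed, TEST-NET-1).
EXPECTED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed local offset for New Columbia; the scenario notes 02:00 UTC was 9 PM local.
LOCAL_TZ = timezone(timedelta(hours=-5))
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local is treated as normal

# Constructed sample records in the shape of the Phase 2 log excerpt.
SAMPLE_LOG = [
    '2026-08-11 14:05:30 | user: fcounty-director | src_ip: 192.0.2.44 | auth: SUCCESS '
    '| reason: "username/password" | MFA: NOT_CONFIGURED | assigned_ip: 10.60.100.12',
    '2026-08-12 02:00:14 | user: lcounty-director | src_ip: 203.0.113.70 | auth: SUCCESS '
    '| reason: "username/password" | MFA: NOT_CONFIGURED | assigned_ip: 10.60.100.55',
    '2026-08-12 02:01:02 | user: lcounty-director | src_ip: 203.0.113.70 | auth: FAILURE '
    '| reason: "bad password" | MFA: NOT_CONFIGURED',
]


def parse_record(line):
    """Turn '<ts> | key: value | key: value' into a dict with an aware UTC timestamp."""
    fields = [f.strip() for f in line.split("|")]
    rec = {"ts": datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)}
    for field in fields[1:]:
        key, _, value = field.partition(":")
        rec[key.strip()] = value.strip().strip('"')
    return rec


def findings_for(rec):
    """Return the names of the rules a successful login trips (empty list if none)."""
    if rec.get("auth") != "SUCCESS":
        return []                          # failed attempts are a separate use case
    hits = []
    if rec.get("MFA") != "OK":
        hits.append("no_mfa")              # password-only VPN session
    if rec["ts"].astimezone(LOCAL_TZ).hour not in BUSINESS_HOURS:
        hits.append("off_hours")
    src = ipaddress.ip_address(rec["src_ip"])
    if not any(src in net for net in EXPECTED_SOURCES):
        hits.append("unexpected_source")   # stands in for the SIEM geolocation check
    return hits


def analyze(lines):
    """Return one entry per flagged login: user, source, timestamp and rules tripped."""
    results = []
    for line in lines:
        rec = parse_record(line)
        hits = findings_for(rec)
        if hits:
            results.append({"user": rec["user"], "src_ip": rec["src_ip"],
                            "ts": rec["ts"].isoformat(), "findings": hits})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r["ts"], r["user"], r["src_ip"], ", ".join(r["findings"]))
```

Run as a script it prints the two successful sessions; the business-hours login from the county range is still reported because it had no MFA, which is the finding the scenario's `MFA: NOT_CONFIGURED` note is pointing at.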

SPL — Voter Record Modification Anomalies

index=database sourcetype="postgresql_audit"
  query="UPDATE*voters*"
| rex field=query "modified_by\s*=\s*'(?<modifier>[^']+)'"
| stats count as modifications
        dc(query) as unique_queries
        values(modifier) as modified_by_values
        by src_ip date_hour
| where modifications > 50
| where date_hour < 6 OR date_hour > 20
| sort -modifications

SPL — DDoS Traffic Pattern Detection

index=network sourcetype="netflow"
  dest_ip="10.60.10.30"
| timechart span=5m
    sum(bytes) as total_bytes
    dc(src_ip) as unique_sources
    count as flow_count
| where total_bytes > 1000000000
| where unique_sources > 1000
| eval attack_type = case(
    total_bytes > 10000000000, "VOLUMETRIC",
    unique_sources > 10000, "DISTRIBUTED",
    flow_count > 100000, "FLOOD",
    true(), "UNKNOWN")
| where attack_type != "UNKNOWN"

KQL — Credential Phishing Page Detection

// Detect access to known phishing domains mimicking election infrastructure
DnsEvents
| where TimeGenerated > ago(30d)
| where Name has_any ("election", "eac", "voting", "ballot")
| where Name !endswith ".gov"
| where Name !endswith ".example.com" or Name has_any ("update", "reset", "verify", "portal")
| summarize
    QueryCount = count(),
    UniqueClients = dcount(ClientIP),
    Clients = make_set(ClientIP)
    by Name
| where QueryCount > 0
| sort by UniqueClients desc
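
The DnsEvents query above catches the lure domain after someone has already resolved it. The same heuristics (a brand token in an untrusted domain, credential-reset path words, urgency language) can be applied at the mail gateway before delivery. The script below is an added example, not part of the scenario, that parses a message with the standard library and reports which rules it trips. The first sample message is constructed from the Phase 1 reconstruction; the second is a constructed benign notice for contrast. The trusted sender list and the brand tokens are assumptions.

```python
"""Triage an inbound message for election-themed credential phishing.

Added example, not part of the scenario: a mail-gateway style rule applying the
lookalike-domain and lure-keyword heuristics from Phase 1 and the DnsEvents query
to a parsed message. Both sample messages are constructed; the trusted sender
domains and brand tokens are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: domains that legitimately send election notices to county staff (constructed).
TRUSTED_SENDER_DOMAINS = {"elections.newcolumbia.example.com", "eac-notices.example.org"}
BRAND_TOKENS = ("eac", "election", "voting", "ballot")
LURE_PATH_TOKENS = ("update", "reset", "verify", "portal", "login")
URGENCY_PHRASES = ("action required", "immediately", "within 48 hours", "suspension")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed from the Phase 1 reconstruction.
SAMPLE_MESSAGE = """\
From: security-updates@eac-portal.example.com
To: director@lincoln-county-elections.example.com
Reply-To: support@eac-portal.example.com
Subject: [ACTION REQUIRED] Critical Security Update for Election Systems
Date: Mon, 10 Aug 2026 14:22:00 +0000

Dear Election Director,
The EAC has identified a critical vulnerability in state election VPN systems.
All county election directors must update their VPN credentials immediately.
Click here to update: https://elections-update.example.com/vpn-reset
Failure to update within 48 hours will result in VPN access suspension.
"""

# Constructed benign notice from the state's own domain.
BENIGN_MESSAGE = """\
From: training@elections.newcolumbia.example.com
To: director@lincoln-county-elections.example.com
Subject: Poll worker training calendar posted
Date: Tue, 11 Aug 2026 15:00:00 +0000

The autumn poll worker training calendar is now available:
https://elections.newcolumbia.example.com/training-calendar
"""


def domain_of(header_value):
    """Lower-cased domain of an address header; empty string if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return the sender domain, linked hosts, a score and the list of rules tripped."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    body = msg.get_payload()
    urls = URL_RE.findall(body)
    hosts = sorted({(urlparse(u).hostname or "").lower() for u in urls})
    text = f"{msg['Subject'] or ''}\n{body}".lower()
    reasons = []
    # An untrusted sender domain carrying a protected brand token is a lookalike.
    if sender not in TRUSTED_SENDER_DOMAINS and any(t in sender for t in BRAND_TOKENS):
        reasons.append("brand_lookalike_sender")
    if reply_to and reply_to != sender:
        reasons.append("reply_to_mismatch")
    # Links that lead somewhere other than the sender's own or a trusted domain.
    if any(h and h != sender and h not in TRUSTED_SENDER_DOMAINS for h in hosts):
        reasons.append("link_domain_mismatch")
    # Credential-reset style paths, same tokens as the DnsEvents query.
    if any(t in urlparse(u).path.lower() for u in urls for t in LURE_PATH_TOKENS):
        reasons.append("credential_lure_path")
    if sum(p in text for p in URGENCY_PHRASES) >= 2:
        reasons.append("urgency_language")
    return {"sender_domain": sender, "link_hosts": hosts,
            "score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, triage(raw))
```

The rules are deliberately independent so that a message which trips only one of them (a legitimate vendor with an urgent subject line, say) can be scored rather than blocked outright; the score is what a gateway policy would threshold on.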

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | Scenario Phase
Reconnaissance | T1598.003 | Phishing for Information: Spearphishing Link | Credential harvesting phishing
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Phishing election officials
Initial Access | T1078 | Valid Accounts | Stolen VPN credentials
Persistence | T1505.003 | Server Software Component: Web Shell | Backdoor on jump server
Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files | DB credentials from config files
Discovery | T1046 | Network Service Scanning | Internal network enumeration
Impact | T1565.001 | Data Manipulation: Stored Data Manipulation | Voter record modifications
Impact | T1498 | Network Denial of Service | DDoS on election night reporting
Impact | T1498.001 | Network DoS: Direct Network Flood | SYN flood component of DDoS


Impact Assessment

Impact Category | Assessment
Democratic Process | Critical — 12,400 voters affected; undermined election confidence
Operational | Election night reporting offline for 6 hours
Public Trust | Severe — social media amplified disinformation about "rigged" results
National Security | Strategic objective achieved — democratic legitimacy questioned
Legal/Regulatory | Federal investigation (FBI, CISA); potential sanctions against sponsoring nation
Financial | $14M emergency response + infrastructure upgrades

Remediation & Hardening

Immediate Actions

  1. Restore voter records from pre-compromise backup — verified against paper voter registration cards
  2. Provision provisional ballots for all affected voters immediately
  3. Engage DDoS mitigation service — route election reporting through cloud-based scrubbing
  4. Revoke all compromised VPN credentials — force password reset for all county election staff
  5. Activate CISA election security support — federal incident response assistance
  6. Public communication — transparent disclosure to maintain public trust

Long-Term Hardening

  1. Mandatory MFA for all election system access — FIDO2 hardware keys for election officials
  2. Database integrity monitoring — real-time alerts on voter record modifications with change auditing
  3. Network segmentation — isolate voter registration database from general-purpose VPN
  4. DDoS protection — cloud-based DDoS mitigation for all public-facing election systems
  5. Pre-election database audits — compare voter rolls against baseline 72 hours before election day
  6. Phishing-resistant authentication — eliminate password-only access to election infrastructure
  7. Election security tabletop exercises — bi-annual exercises with county, state, and federal participation
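
Items 2 and 5 of the hardening list (change auditing and a pre-election comparison against a baseline) are what would have caught the Phase 4 drip: the hourly `ModCount > 50` alert in the detection section never fires at ~275 changes a day, but a diff of the whole table against a snapshot taken at Day -60 exposes every altered record regardless of pacing. The script below is an added example, not part of the scenario, that performs that audit with SQLite on constructed snapshots mirroring the three Phase 4 change types. The column layout, the sanctioned actors and their expected change volumes, and the assumption that polling place assignments are frozen during the audit window are all constructed.

```python
"""Pre-election voter-roll audit: diff the current table against a baseline snapshot.

Added example, not part of the scenario: implements the baseline comparison and
change auditing recommended under Long-Term Hardening. The snapshots are constructed
to mirror the three Phase 4 change types; the column layout, the expected per-actor
change volumes and the polling-place freeze are assumptions.
"""
import sqlite3
from collections import Counter

# Assumed: sanctioned processes and the most changes each should make in the audit window.
EXPECTED_MAX_CHANGES = {"ems_app": 30, "ncoa_batch": 10}
TEMPLATE_THRESHOLD = 3   # identical text appended to this many addresses is a template


def build_samples():
    """Constructed baseline (Day -60) and current snapshots mirroring Phase 4."""
    # Columns: voter_id, status, street_address, polling_place_id, modified_by
    baseline = [(i, "ACTIVE", f"{i} Oak St", f"PP-0{i % 3 + 1}", "ems_app") for i in range(1, 61)]
    current = []
    for vid, status, addr, pp, actor in baseline:
        if vid <= 20:                     # Type 1: same suffix appended to every address
            current.append((vid, status, addr + " APT 2", pp, "ems_app"))
        elif vid <= 32:                   # Type 2: status flip attributed to the NCOA job
            current.append((vid, "INACTIVE", addr, pp, "ncoa_batch"))
        elif vid <= 42:                   # Type 3: polling place moved by an unknown actor
            moved = "PP-01" if pp != "PP-01" else "PP-02"
            current.append((vid, status, addr, moved, "redistricting_update"))
        elif vid == 43:                   # one ordinary clerk correction, for contrast
            current.append((vid, status, addr + " Unit B", pp, "ems_app"))
        else:
            current.append((vid, status, addr, pp, actor))
    return baseline, current


def load(conn, name, rows):
    conn.execute(f"CREATE TABLE {name} (voter_id INTEGER PRIMARY KEY, status TEXT, "
                 "street_address TEXT, polling_place_id TEXT, modified_by TEXT)")
    conn.executemany(f"INSERT INTO {name} VALUES (?, ?, ?, ?, ?)", rows)


def diff_snapshots(baseline, current):
    """Return one dict per voter whose record differs between the two snapshots."""
    conn = sqlite3.connect(":memory:")
    load(conn, "baseline", baseline)
    load(conn, "current", current)
    rows = conn.execute("""
        SELECT c.voter_id, c.modified_by, b.status, c.status,
               b.street_address, c.street_address, b.polling_place_id, c.polling_place_id
        FROM current c JOIN baseline b USING (voter_id)
        WHERE c.status != b.status OR c.street_address != b.street_address
           OR c.polling_place_id != b.polling_place_id
        ORDER BY c.voter_id""").fetchall()
    conn.close()
    changes = []
    for vid, actor, s0, s1, a0, a1, p0, p1 in rows:
        kinds = [k for k, old, new in (("status", s0, s1), ("address", a0, a1),
                                       ("polling_place", p0, p1)) if old != new]
        # Text appended to the old address, when the edit was a pure append.
        delta = a1[len(a0):] if a1 != a0 and a1.startswith(a0) else None
        changes.append({"voter_id": vid, "actor": actor, "kinds": kinds, "address_delta": delta})
    return changes


def audit(baseline, current):
    """Apply the audit rules to the diff and return a sorted list of (rule, detail)."""
    changes = diff_snapshots(baseline, current)
    findings = []
    per_actor = Counter(c["actor"] for c in changes)
    # Rule 1: any change attributed to an actor that is not a sanctioned process.
    for actor, n in sorted(per_actor.items()):
        if actor not in EXPECTED_MAX_CHANGES:
            findings.append(("unsanctioned_actor", f"{actor}: {n} record(s)"))
    # Rule 2: a sanctioned actor exceeding its expected volume over the whole window;
    #         the cumulative count is immune to pacing that defeats hourly thresholds.
    for actor, limit in EXPECTED_MAX_CHANGES.items():
        if per_actor[actor] > limit:
            findings.append(("volume_exceeded", f"{actor}: {per_actor[actor]} > {limit}"))
    # Rule 3: the same text appended to many addresses is a template, not data entry.
    deltas = Counter(c["address_delta"] for c in changes if c["address_delta"])
    for delta, n in deltas.items():
        if n >= TEMPLATE_THRESHOLD:
            findings.append(("templated_address_edit", f"{delta.strip()!r} applied to {n} voters"))
    # Rule 4: assignments are frozen in the window (assumption), so any move is reportable.
    moved = [c for c in changes if "polling_place" in c["kinds"]]
    if moved:
        actors = ", ".join(sorted({c["actor"] for c in moved}))
        findings.append(("polling_place_changed_after_freeze", f"{len(moved)} voter(s) by {actors}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in audit(*build_samples()):
        print(f"{rule}: {detail}")
```

Note which rule catches which change type in the sample: the status flips pass the actor allowlist because the attacker reused the `ncoa_batch` name, and are caught only by volume; the address edits stay under the `ems_app` volume limit and are caught only by the template rule. Neither a per-actor nor a per-volume check alone is sufficient, which is the practical answer to the slow-drip question.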

Discussion Questions

  1. How can election infrastructure be hardened against insider-access attacks when county-level officials require legitimate database access?
  2. What technical controls would have detected the slow-drip voter record manipulation (275 records/day) without generating excessive false positives?
  3. How should states balance transparency about election security incidents with the risk of amplifying attacker narratives?
  4. What role should federal agencies (CISA, EAC) play in mandating minimum cybersecurity standards for state and county election systems?
  5. How can election night reporting systems be made resilient to DDoS attacks without introducing single points of failure?
  6. What is the appropriate public communication strategy when election infrastructure is confirmed compromised but vote tallies are verified as unaffected?

Cross-References