The invasion of the US Capitol Building by pro-Trump rioters poses significant cybersecurity risks, industry experts have warned.
On 6 January, rioters stormed the Capitol Building in Washington DC in an attempt to disrupt Congress certifying president-elect Joe Biden’s election.
Pro-Trump rioters successfully broke through police lines, gaining access to the Capitol Building and putting it into lockdown, with four individuals killed during the incident.
This followed a pro-Trump rally in which the 45th President told supporters “you’ll never take back our country with weakness, you have to show strength and you have to be strong”.
Once the building was secured, lawmakers later returned and certified the results of the 2020 presidential election.
Capitol riots: A potential cybersecurity catastrophe
With the world reeling from what President-elect Joe Biden described as “unlike anything we’ve seen in modern times”, the incident has raised a host of cybersecurity concerns.
Rioters were able to gain entry to the Senate Chamber as well as lawmakers’ offices, with attempts made to enter the House chamber and Speaker’s Lobby, leaving many to speculate that devices and networks could have easily been breached.
With lawmakers and other government employees rushed to safety leaving machines unattended, those in the cybersecurity community have voiced concerns that malicious devices could have been planted, sensitive data accessed or malware downloaded onto machines.
A now-deleted tweet from Elijah Schaffer, a reporter for right-wing publication The Blaze, showed an image of Speaker of the House Nancy Pelosi’s unlocked computer screen, with emails visible. Images showing rioters posing in Pelosi’s office have also circulated.
“Pictures posted on social media last night showed several computers that were left turned on and logged into while the rioters had access to the building and to those computers,” Brian Honan, CEO of BH Consulting told Verdict.
“This poses the threats that data stored on those devices could have been accessed by the rioters, or anyone else who had physical access. That data could have been viewed or indeed copied onto USB devices or emailed to external parties. Aside from the threat that confidential data may have been compromised, anyone with physical access to the computers could also have installed malicious software on them to facilitate future cyberattacks. Finally, there is also the risk that some of these devices could have been physically removed or stolen from the offices and are now in the possession of unauthorised people.”
“It’s almost impossible to understate the risk”
Although there is currently no evidence that a cybersecurity incident has occurred as a result of yesterday’s events, John Feminella, principal technologist at ThoughtWorks, told Verdict that it is “impossible to understate the risk” posed by unauthorised individuals gaining access to government machines and networks.
“A significant majority of cybersecurity defences ultimately rely on software that assumes that you are in physical control of your hardware and its surroundings. If you aren’t, all bets are off. As a small example, imagine that someone gains access to your office and plants a camera: it doesn’t matter how good your password is if someone can just watch you enter it and look at your keyboard and monitor.”
It is likely that devices within the building are equipped with additional layers of security designed to protect against physical attacks, with The Independent reporting that USB ports of all government employee devices are automatically disabled following the Edward Snowden leaks.
However, Honan also noted that while the chaotic scenes of the Capitol riots indicate that the risk that a sophisticated cyber incident took place is low, it cannot be discounted:
“While this happened in the midst of a riot, the likelihood of someone planning to compromise the security of systems within Capitol Hill is low, there is always the risk that someone would take the opportunity presented by the situation. Given that USB devices and drives are easy to carry and many have them, indeed you can connect your phone via USB cable to be an external storage device, this is a risk that cannot be discounted. In cybersecurity if you have lost control of a device that could have been physically accessed by an unauthorised third party then you must assume the device is compromised and treat it accordingly.”
Playing into the hands of threat actors
As with any major incident, malicious actors around the world will be paying close attention.
Volodymyr Diachenko, Cyber Threat Intelligence Director at SecurityDiscovery.com, said that the incident could prove beneficial to those looking to carry out phishing or spam campaigns or gain a better understanding of internal systems:
“I would consider the likelihood of the breach to be of the highest level possible. ‘Harmless’ pictures of open laptops with Outlook posted online are posing threats not only for the owners of those accounts but anyone from their contact lists – starting from the phishing and spam attacks and up to account takeover and beyond. Even if the materials inside the offices are open-sourced and of non-classified nature, they could add to the full picture and help malicious actors to complete the profiles / structure of the internal systems and potentially escalate the risks.”
Jake Moore, Cybersecurity Specialist at ESET believes that the event “plays directly into the hands of threat actors”:
“There is always a risk of someone getting access to an endpoint when they gain entry to a building without authorisation.
“However, it is also possible that this could have been used as misdirection to soak up officials’ attention whilst a genuine cyberattack could have taken place. As a security professional, I would have been placing all entry points under scrutiny, physically and digitally, over this period. It took them by surprise – which plays directly into the hands of threat actors.”
Others have speculated that attackers may see the current volatile situation as an opportune moment to launch attacks against Washington.
This follows the ongoing SolarWinds incident which saw fewer than ten US government agencies compromised after actors successfully inserted malicious code into a software update for SolarWinds’s Orion product, which was then installed by a number of companies.
Moving forward, experts agree that assessing the cybersecurity risk and ensuring that the Capitol Building and its networks are secure is of paramount importance.
Feminella noted that this will be an extensive operation which may even warrant hardware being completely replaced:
“Broadly, unless there’s some way to conclusively prove there wasn’t physical tampering, then at a minimum there probably needs to be complete physical sweeps of the building and surrounding structures, and bottom-up rebuilds of hardware and software images, if not just shredding most of the hardware and replacing it wholesale.”
Honan said that it is also important to be prepared for the occurrence of similar security incidents in the future:
“The first step needs to be recovering, from a cybersecurity point of view, from this incident. This will entail doing an inventory to ensure all devices that should be there are there, in other words that no devices were stolen during the riot. This inventory should also identify any devices that should not be there, such as devices left behind by individuals to facilitate further cyberattacks. All devices should then be forensically examined to ensure they have not been compromised; if they have been, any details of that compromise will need to be acted upon and dealt with accordingly. Finally, to err on the side of caution the devices should be wiped and restored to ensure they are not compromised.
“Moving forward, those responsible for securing the devices need to look at how to ensure computing devices are secured in the event of a major incident, such as another incursion, fire, or terrorist attack. This could be ensuring systems are logged out automatically after a short period of inactivity, or can be centrally forced to log out or shut down remotely.”
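The inventory step Honan describes above, worked through as an added example (not code from the article or from any of the organisations quoted): a pre-incident asset register is reconciled against what a post-incident physical sweep found, flagging devices that are missing (possibly stolen), present but unregistered (possibly planted), moved between rooms, or still logged in and therefore first in line for forensic examination. The CSV data, serial numbers, asset tags and room codes are constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample data (not from the article): the asset register as it
# stood before the incident, and what the post-incident physical sweep found.
ASSET_REGISTER_CSV = """serial,asset_tag,room
SN-1001,CAP-0001,H-204
SN-1002,CAP-0002,H-204
SN-1003,CAP-0003,S-117
SN-1004,CAP-0004,S-117
"""

SWEEP_CSV = """serial,room,logged_in
SN-1001,H-204,yes
SN-1003,S-117,no
SN-1004,H-204,yes
SN-9999,H-204,no
"""


@dataclass
class SweepReport:
    missing: list = field(default_factory=list)     # registered, not found: possible theft
    unexpected: list = field(default_factory=list)  # found, not registered: possible planted device
    moved: list = field(default_factory=list)       # found in a room other than the registered one
    logged_in: list = field(default_factory=list)   # found still logged in: forensic priority


def reconcile(register_csv: str, sweep_csv: str) -> SweepReport:
    """Compare the asset register with the sweep results and classify every device."""
    register = {r["serial"]: r for r in csv.DictReader(io.StringIO(register_csv))}
    sweep = {r["serial"]: r for r in csv.DictReader(io.StringIO(sweep_csv))}
    report = SweepReport()
    for serial, rec in register.items():
        found = sweep.get(serial)
        if found is None:
            report.missing.append(serial)
        elif found["room"] != rec["room"]:
            report.moved.append((serial, rec["room"], found["room"]))
    for serial, rec in sweep.items():
        if serial not in register:
            report.unexpected.append((serial, rec["room"]))
        if rec["logged_in"].strip().lower() == "yes":
            report.logged_in.append(serial)
    return report


if __name__ == "__main__":
    print(reconcile(ASSET_REGISTER_CSV, SWEEP_CSV))
```

Every device in the sweep still goes to forensic examination and rebuild as Honan recommends; the report only orders that work and records what the sweep could not find.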