Could an email leak upset UK election?


Following hacked email leaks during election campaigns in France and the US, is a British intelligence storm on the horizon? 

The shadowy Russia-based hacking group dubbed APT28 – also known as Pawn Storm, Fancy Bear and other aliases – was allegedly behind the cyber meddling in the US and French elections, and it is quite possible that the UK will experience its own information spill in the weeks leading up to the general election on June 8.

UK polls have been targeted before. During the 2015 general election, British intelligence agency GCHQ reportedly thwarted an APT28 plot to attack every Whitehall server as well as a raft of leading TV broadcasters. In the same year, Germany’s parliament was targeted by cyber criminals. The attack was attributed to Russian military intelligence services as well as APT28.

Could hackers organise a successful attack this time around? 

How might an attack play out?

Events in France and the US provide evidence for how a successful cyber attack on the UK might play out.  

There is a tendency to target the “establishment” candidate, which by extension boosts the “anti-establishment” party’s campaign. As a result, Prime Minister Theresa May has the most to be worried about.   

An attack would most likely involve a large file dump on a publicly accessible website such as WikiLeaks or Pastebin and consist of thousands of unsorted emails transmitted on private servers – including correspondence between ministers and staffers.

As in the leak that targeted Emmanuel Macron, this cache could be peppered with fake emails to further confuse and discredit its target.

Email servers can be infiltrated through the use of phishing sites disguised to trick personnel into providing their log-in credentials. In addition, malware could be implanted to avoid detection.


“Russian hacking groups – such as APT28 – are well funded and organised,” said Simon Edwards, cyber security expert at Trend Micro. “One team will select a target, another performs the phishing, another maintains the attack and another extracts the data and exploits it.” 

The attack timeline is more difficult to predict. The attack on the Democratic Party’s campaign headquarters in the US took place in early 2016, but the emails were not leaked until October 7 – one month before the US presidential election on November 8. As a result, the emails dominated media coverage in the crucial final weeks leading up to the vote.

“If the election had been on October 27, I'd be your president,” Hillary Clinton told a charity lunch this month.  

In France, the leak occurred less than 48 hours before polls opened, possibly to rob Macron’s campaign of the chance to counter its accusations. However, two days did not allow the media enough time to dissect the tens of thousands of emails, and a nationwide gagging order was imposed, so the leak did not significantly impact the election.

It is reasonable to assume, therefore, that any British leak will occur between one month and one week ahead of June 8. 

How the UK might respond 

Following the attack on the Democratic Party’s campaign headquarters, US intelligence agencies determined that the hack involved the Russian government, and the White House announced – under the leadership of then-president Barack Obama – sanctions against Russian officials and companies and expelled over 30 diplomats. The Kremlin denied all involvement.  

The British government could try to enforce a media embargo similar to the pre-election shutdown in France, but the legal mechanics of enforcing this measure are unclear. Could the UK respond with a cyber attack of its own?

Defence Secretary Michael Fallon has said that if the UK faces Russian cyber subversion, a counter cyber offensive could be justified. “Nato must defend itself as effectively in the cybersphere as it does in the air, on land, and at sea, so adversaries know there is a price to pay if they use cyber weapons,” he said in February.


Analysts at GCHQ are actively monitoring cyber threats to the election

There remains the possibility that cyber attacks have already been executed, with malware hiding in servers months before the information is exploited.

“There are things that can be done to minimise the risks such as isolating untested programs in a restricted environment – a process known as sandboxing – to monitor when attacks are launched,” said Edwards.

In addition, staff can be trained to spot and report any unusual online behaviour that could suggest a phishing attack.  

“Cyber security teams should consider publicising the attack as soon as possible so that other analysts can isolate and analyse the risk,” said Ben Nimmo, senior fellow at the Atlantic Council’s Digital Forensic Research Lab. 

The fact that the UK election is a snap election, called less than two months earlier, may make it a less likely target for foreign interests who might want to influence the outcome.

In addition, foreign governments are now wiser to the risks following the cyber attacks in France and the US.

“It’s like a bank robber coming back and stealing from the same bank again – it’s been done,” says Edwards. “However, we’ve all had our backs turned by the WannaCry global ransomware attack recently so maybe something will emerge that we just haven’t noticed.”