As law enforcement, cybersecurity professionals, and polling officials prep for an already acrimonious U.S. presidential election during a pandemic, a team of ethical hackers and security executives demonstrated how easy it is to sow chaos, spread disinformation, and essentially grind democracy to a halt.
Cybereason, an endpoint threat detection and response vendor, has hosted several of these election security tabletop exercises with the public and private sector to test resilience to possible disruptions since 2018. It’s similar to how companies prepare (or, at least should prepare) cyber-incident readiness plans and the military plays war games in times of peace to prepare for the real events. Last week, Cybereason invited reporters to join in and watch the fun.
The group set some ground rules in advance. It explicitly excluded targeting election equipment — the focus wasn’t on the integrity of voting machines but rather on hackers’ abilities to undermine democratic institutions and systems of governance. Also: no actual hacking happened during the security exercise.
Adversaria Elections

Three teams participated. The FBI, U.S. Cybersecurity and Infrastructure Security Agency (CISA), and other law enforcement and government officials comprised the blue team. The ethical hackers, which included Maggie MacAlpine, who cofounded the Defcon voting machine hacker village, played the roles of the bad guys, the Kill Organized Systems (K-OS, pronounced “chaos”) hacktivist group, on the red team. And Cybereason was the control team, which provided government support options and clarifications as needed, decided how each team’s actions affected the simulation, and ultimately adjudicated the event.
The event took place in a fictional city called Adversaria in the weeks leading up to a typical election day. COVID-19 was also in play, so social distancing, long lines at the polls, and counting all the mail-in votes, which were expected to be the majority of ballots cast, were key concerns. Turns in the simulation lasted 15 minutes of real time, modeling 3 weeks from the election, 2 weeks from the election, 1 week from the election, and the day of the election. Each team performed two actions and one development per turn.
Each team had its own Zoom room, and while they couldn’t visit the opposing team’s room, reporters could bounce back and forth between the red and blue teams’ rooms. I primarily hung out in the red team’s room, as did most of the other reporters on the video call, because I found it confusing to jump between the two and try to keep up with what was happening on both the attack and defense sides. And also, eavesdropping on attacks seemed more fun.
Red Team Election Attacks

It also proved slightly terrifying because, as Cybereason CTO and red team leader Yonatan Striem Amit pointed out, the attacks performed were simple to carry out and really only required motivation and a little knowledge. “These are extremely cheap attacks,” he said. “Nation-states easily have resources to use them,” as do other less organized groups that just want to create chaos. “Everything we have done is in the realm of easily doable right now.”
Here’s what the attackers did. The red team targeted their attacks against areas of Adversaria with more registered Democrats. Three weeks from election day they hacked into U.S. Postal Service clients like Amazon, eBay, and Easyship to modify mail-in ballot pre-printed address labels. So instead of being sent to their intended Democratic recipients, the ballots would instead go to Republican areas of the city.
Two weeks from election day the red team attacked a COVID-19 test reporting facility so that the testing facility would falsely report a massive spike in positive cases, thus stoking fears about going to the polls to vote. They amplified media reports about COVID-19 spreading from contact with surfaces and objects (like voting machines). And they mailed massive amounts of envelopes containing glue to ballot sorting facilities so that the glue would cause physical damage to the sorting machines.
Disinformation Reigns Supreme

One week before the election, hackers redirected 5% of all small Amazon packages to polling places and used another 1% of packages to contain barcodes that reset handheld sorting devices. They also hacked social media accounts for local municipalities and news organizations to spread misinformation through supposedly legitimate channels. This included fake news stories about people voting illegally using registered Republicans’ names and ballots.
On election day the red team also used these compromised social media accounts to report that several polling places in heavily Democratic areas of the city were closed due to COVID-19 and to redirect these likely Democratic voters to District 1, located across the river in a Republican area of town. They also posted fake images of long lines at the polls and ICE agents outside the polling places to discourage people from voting.
And finally, they sent out robocalls and text messages telling Democrats that their vote had already been received and reminding them that it is a felony to vote twice — more measures to keep voters away from the polls. The red team considered creating a deep fake video showing the Democratic candidate delivering a concession speech, but because of the only-two-attacks-per-round rule, they decided against that one.
Chaos or Democracy Wins?

In the end these robocalls were generally discounted by non-mail-in voters. While citizens from several districts were re-routed to District 1, the majority voted from home, and this more or less cancelled out that attack. A strong police presence in all districts, and District 1 in particular, quelled red-team-induced violence and riots. Additionally, the blue team ensured that the mayor, governor, and police chief were seen at all the polls and that traditional and social media broadcast these images.
The Democratic presidential candidate won a marginal victory by a coin toss. And 30% of right-wing Adversarians questioned the outcome of the election for a year.
Ultimately the blue team won. “K-OS, you did very well, but I feel like you have undermined the election a little bit more in the end,” said Cybereason CSO Sam Curry after the simulation ended. The defenders ensured public safety and maintained open and coordinated communications between law enforcement, city officials, and cyber centers.
But even though the good guys technically came out on top, “it’s not a zero-sum game,” Curry said. “It’s possible that you both could do very well at this.” In other words, the act of voting on election day does not guarantee that chaos won’t undermine trust in elections, both the process and the outcome, on Nov. 3.