If history has anything to tell us, the most significant cyber threat to this year’s elections won’t be a leak, a distributed denial-of-service (DDoS) attack, or a fake news video. Instead, it will be some combination of these or more.
In cyberspace’s salad days, hackers caused all kinds of fuss using simple, direct methods: hiding viruses in advertisements, hacking websites with easily guessed passwords, and so on. While that still happens, attackers often have to get more creative by chaining multiple tactics together in order to achieve their goals, thanks to greater cybersecurity awareness and protections.
So too with elections. In 2006, aides to Joe Lieberman’s presidential campaign had to resort to their personal emails when a DoS attack froze their IT systems. A decade later, famously, came the Podesta email leak. Now, according to Mandiant, part of Google Cloud, the most potent threats to the democratic process are chained attacks.
“In the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnifies the others,” the firm wrote in a new report.
Combination Election Attacks
One case study Mandiant pointed to occurred in 2014 when Ukraine’s presidential elections were interrupted by a Russian cyber onslaught, following the ouster of its pro-Russian president Viktor Yanukovich, and Russia’s invasion of Crimea.
A week before election day, Russian actors hiding behind the hacktivist moniker “Cyber Berkut” struck websites relating to NATO and Ukrainian media outlets with DDoS attacks. That set the stage for when, with four days to go, the same fake hacktivist group broke into the country’s central election computers and deleted files and rendered the vote tallying system inoperable.
A day later, they added to the chaos by breaking more election infrastructure, then leaking the emails and documents stored there to the wider Internet. Lastly, just 40 minutes before election results were to be broadcast to the public, the country’s Central Election Commission reportedly removed some kind of virus that was designed to present fake results in favor of the far-right, ultra-nationalist candidate.
This extreme brand of combination cyber warfare might have only happened in a country experiencing such upheaval, but other chained cyberattacks have struck more-stable democracies since.
In 2020, two 20-something Iranian nationals carried out a campaign against multiple US states’ voting-related websites. They managed to obtain confidential voter information from at least one of them, which they used to send intimidating and misleading emails, including by spreading a video with disinformation about election infrastructure vulnerabilities. They also breached one media company, which, as the Department of Justice noted, could have provided them another channel through which to disseminate their false claims.
“Leaks are particularly powerful. Potentially more powerful when boosted through the compromise of legitimate media,” says John Hultquist, chief analyst with Mandiant Intelligence at Google Cloud.
The breach/fake news ploy is a potent concoction. “These disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran,” warns Madison Horn, herself a 2024 candidate running for a congressional seat in Oklahoma’s 5th district. “Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 US election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity.”
The Threat From Cybercrime
It’s not only state-sponsored actors that pose a threat to the democratic process, Mandiant noted. Insiders, hacktivists, and cybercriminals all muddy the waters in their own ways.
In most cases, “The avenues for these campaigns are popular social media platforms — X, Telegram, Facebook — and YouTube, making the digital battlefield as accessible as it is dangerous,” Horn warns.
From January 2023 to March 2024, the cybersecurity firm BrandShield tracked suspicious new social media accounts and web domains relating to Joe Biden’s and Donald Trump’s presidential campaigns. It found hundreds of imposter accounts across social media sites, as well as 2,335 suspect websites claiming some sort of affiliation with the president and 9,639 for the former president (helped by a 197% boost following his arrest in August).
Fake Trump site. Source: BrandShield
Fake sites and accounts are useful for spreading scams or malware and for stealing funds that voters intended to go to candidates, or they can be used in concert with other tactics to achieve greater ends.
“They can be used to get people’s information, and maybe try to influence their views by distributing fake news,” says BrandShield CEO Yoav Keren, formerly an adviser in the Israeli Knesset. “I would even think that they can use these platforms to interact with real people from the campaigns, to infiltrate their systems. These impersonations can be used in a lot of different ways.”
“I don’t want to give too many good ideas to the bad guys,” he says, “but they usually come up with them before I do.”
https://lh7-us.googleusercontent.com/K4P5wR3PlJKScoGEmlyzSW4BtfLJUOW2BGQsFHlsh69OkB2Gi_rHg-U96Up9lu6RDsR7wKmrBleqnuJGjKkU8jfs1Y0QewcgvmalyOYUlkK9b_X4Du5j_BPRL9tTgXebVrGqYvP5ubR0FmXJnVoyfTI?width=700&auto=webp&quality=80&disable=upscale
