As the presidential race comes to an end, cybercrime revolving around the election is at an all-time high. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint public service announcement (PSA) warning of the widespread disinformation being spread by threat actors ahead of the U.S. general election. The announcement focused on several tactics being used by foreign adversaries, specifically Russia and Iran. In our effort to raise awareness of the attacks being carried out by cybercriminals, we’re going to cover previous and recent attacks executed by our adversaries. Once the election is over, the cyber-attacks and chaos driven by threat actors are not expected to slow down. Historically, cybercriminals continue their disruptions to cause more unrest and discord. This is something important for U.S. citizens to know when questioning the election, the democratic process, and its integrity.
Russia
Russian threat groups Storm-1516 and Storm-1679 have been reported using videos to discredit Kamala Harris and her campaign. Storm-1516 disseminated several inauthentic videos that received millions of views. The first depicted Harris supporters attacking a supposed Trump rally attendee, and another portrayed Kamala Harris in a hit-and-run accident that supposedly occurred 13 years ago and left a woman paralyzed. It was a deepfake video. Another video, from April 2024, depicted a woman, “Olesya”, a supposed internet troll in Kyiv, sharing a story in which she falsely claimed to be involved in supporting President Biden. This video was quickly identified as AI-generated and part of the ongoing disinformation campaign being carried out by Storm-1516. The other Kremlin-aligned threat group, Storm-1679, published false videos that discredited current Vice President Harris and her policies. Vice presidential candidate Tim Walz has been the most recent target of these Russian threat actors. In one recent instance, Russian threat groups were behind viral disinformation accusing the candidate of sexual misconduct. After researchers investigated the video of Walz, it was concluded that it was a deepfake, and that the man in the footage was not who he claimed to be.
When Donald Trump and Hillary Clinton ran for president in 2016, Russian hackers carried out a wide-ranging interference operation against the U.S. election. The Democratic National Committee (DNC) was hacked, and its entire database of research on candidate Donald Trump was breached, as were the email accounts of key figures in candidate Hillary Clinton’s campaign, including her campaign chairman, John Podesta. WikiLeaks published over 58,000 messages from Podesta’s hacked account prior to the election. Russia denied the accusation; however, researchers stated that they had proof that two Russian adversaries did in fact breach the DNC network. The two identified threat actors were APT29 (aka Cozy Bear) and APT28 (aka Fancy Bear). It would later be reported that Russian president Vladimir Putin promoted the spread of pro-Trump propaganda, including the DNC and Podesta hacking, in an effort to create scandal during Hillary Clinton’s campaign.
Iran
In August 2024, the Iranian threat group APT42, also known as Mint Sandstorm, launched a phishing campaign to disrupt the U.S. presidential election. APT42 is associated with Iran’s Islamic Revolutionary Guard Corps (IRGC). This campaign targeted both the Biden and Trump campaigns, and the group has a history of targeting government officials and political campaigns as part of its cyber espionage effort to support the political and military goals of Iran. More recently, in October, the hacking group reportedly shared stolen emails from Trump’s campaign with a Democratic political operative and various journalists. A Democratic political action committee (PAC) known as American Muckrakers released some of the stolen emails, claiming they were of public interest.
In another operation, a left-wing journalist published a nearly 300-page dossier of materials regarding JD Vance, stating that the campaign had allegedly been hacked by the Iranian government. In this dossier, the moniker “Robert” was used by the cybercriminal and was the name provided to the journalist. Following this release, many comparisons were drawn with the 2016 email hack against Hillary Clinton’s campaign by Russia, covered earlier. The Trump campaign has accused Iran of election interference, which Iran has denied. This is not the first time Iranian threat actors have launched attacks against Donald Trump and the U.S. presidential election. In 2020, the Iranian threat group Phosphorus attacked the personal accounts of individuals associated with Donald Trump’s campaign.
China
A major cyber-attack on the U.S. telecommunications sector was recently attributed to the state-sponsored Chinese hacking group Salt Typhoon. The group infiltrated various telecom companies, including Verizon and AT&T, possibly intercepting sensitive data from key political figures. It is believed that Salt Typhoon was targeting the cell phones of the Republican presidential candidate Donald Trump, his running mate, vice-presidential candidate JD Vance, and other high-profile people, including Eric Trump, Jared Kushner, and officials in the Biden administration, in an ongoing espionage campaign. It is currently unknown whether their devices were breached, but the FBI is investigating. Towards the beginning of October, the America First Policy Institute, a group closely aligned with Donald Trump, was targeted in an apparent cyber-attack; it is not known who carried out this attack, but Chinese threat actors are suspected. In the 2020 presidential election, the Chinese threat group APT31, also known as Zirconium, targeted individuals associated with the presidential campaigns. Joe Biden’s presidential campaign appears to have been unsuccessfully targeted through individuals’ non-campaign email accounts.
Non-Nation State
In January 2024, cybersecurity researchers discovered over 1,000 recently registered malicious domains. These domains included phrases such as “trump2024”, “vote4”, “voteharris”, and more, in a clear attempt to capitalize on the interest surrounding the presidential race. Such websites can be used to carry out various malicious operations, including phishing, spreading disinformation, and attacks to influence voter preference. Most of these domains were registered within the United States, suggesting domestic threat actors. A popular fundraising platform for Democratic candidates called ActBlue was one of the sites being impersonated. This revelation of fraudulent fundraising websites is a particular concern and shows financial gain as a possible motive. Users should always verify the legitimacy of donation platforms online and be cautious about any unsolicited emails and messages regarding the election.
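The kind of screening a defender can run over a feed of newly registered domains, as an added example that is not part of the original article or of any researcher's tooling: it scores each domain for election-themed keywords (the three phrases named above plus a few illustrative additions), for containing or closely resembling a protected brand such as ActBlue, and for being registered within the last 30 days. The keyword list, the thresholds, the mapping of ActBlue to actblue.com, and the sample registration records are all constructed assumptions for this example.

```python
from datetime import date

# Constructed keyword list: "trump2024", "vote4" and "voteharris" are the phrases
# named in the article; the remaining entries are illustrative additions.
ELECTION_KEYWORDS = ("trump2024", "vote4", "voteharris", "harris2024", "donate", "ballot")

# Legitimate brands to protect against lookalikes. ActBlue is named in the article;
# mapping it to the registrable domain below is an assumption for this example.
PROTECTED = {"actblue": "actblue.com"}

NEW_REGISTRATION_DAYS = 30   # registrations newer than this add to the score
FLAG_THRESHOLD = 3           # minimum score at which a domain is reported


def registrable_label(domain):
    """Second-level label of a domain: 'actblue-donate' for 'www.actblue-donate.net'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalikes such as 'actb1ue'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, registered_on, today):
    """Return (score, reasons) for one newly observed domain."""
    domain = domain.lower().strip(".")
    if domain in PROTECTED.values():
        return 0, []          # the genuine brand site is never a lookalike of itself
    label = registrable_label(domain)
    score, reasons = 0, []
    for brand in PROTECTED:
        if brand in label:
            score += 3
            reasons.append(f"contains brand '{brand}'")
        elif levenshtein(label, brand) <= 2:
            score += 3
            reasons.append(f"lookalike of '{brand}'")
    if any(keyword in label for keyword in ELECTION_KEYWORDS):
        score += 2
        reasons.append("election keyword")
    if (today - registered_on).days <= NEW_REGISTRATION_DAYS:
        score += 1
        reasons.append("registered recently")
    return score, reasons


def screen_domains(records, today):
    """records: iterable of (domain, registration_date). Returns flagged domains, highest score first."""
    flagged = []
    for domain, registered_on in records:
        score, reasons = score_domain(domain, registered_on, today)
        if score >= FLAG_THRESHOLD:
            flagged.append((domain, score, reasons))
    return sorted(flagged, key=lambda row: -row[1])


# Constructed sample feed of newly observed registrations (not real data).
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE_RECORDS = [
    ("actblue.com", date(2004, 6, 1)),
    ("actblue-donate.net", date(2024, 1, 10)),
    ("actb1ue.com", date(2024, 1, 12)),
    ("voteharris2024.org", date(2024, 1, 15)),
    ("example.com", date(1995, 8, 14)),
]

if __name__ == "__main__":
    for domain, score, reasons in screen_domains(SAMPLE_RECORDS, SAMPLE_TODAY):
        print(f"{domain:25} score={score}  {', '.join(reasons)}")
```

Run against the sample feed, the genuine actblue.com and the unrelated example.com score zero, while the three constructed registrations (brand-in-label, one-character lookalike, and keyword-only) are reported with scores 6, 4 and 3. The scoring is deliberately simple so that it can be tuned: in practice the keyword list, brand set and recency window are the knobs an analyst adjusts, and anything flagged would be reviewed rather than blocked automatically.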
Post-Election
The cyberattacks and disinformation are not expected to cease when the election is over. The U.S. community is warning of potential post-election disinformation being spread by foreign adversaries to amplify domestic unrest and doubt regarding the legitimacy of the winning candidate. This would not be the first time foreign adversaries have sown chaos following an election. In 2020, a website titled Enemies of the People was created that carried death threats against state election officials and employees. The website blamed the officials for President Donald Trump’s loss. The FBI and CISA released a public statement identifying Iranian threat actors as being behind this malicious website. We have seen a substantial uptick in AI-generated content such as deepfakes being misused by threat actors. We can expect other synthetic media to be used to spread false information regarding election results, announcements, and more in order to mislead voters. It is likely social media will be used to share false narratives and sow distrust among users who are upset with the results of the election.