2024 US Election: Top Cyber Threats & Organizational Impacts
Oct 3, 2024
Key Points
• Nation-state actors such as APT28, Cozy Bear, Berserk Bear, Storm-1852, RaHdit, and others are significant threats to the 2024 US election.
• Data breach operations, including recent leaks such as Trump’s 270-page dossier, continue to undermine political campaigns.
• Disinformation and cyber influence operations led by sophisticated APT groups threaten the democratic process.
• Critical electoral infrastructure remains vulnerable, with cyberattacks on key systems posing significant risks.
• SEO poisoning and drive-by downloads are evolving threats targeting election-related infrastructure and voters.
1. Nation-State Threats
Nation-state actors are at the forefront of cyberattacks aimed at disrupting electoral processes and undermining trust in democratic institutions. These actors leverage sophisticated tactics to infiltrate political campaigns, target electoral systems, and spread disinformation.
Key Nation-State Threat Groups:
• APT28 (Fancy Bear): This Russian group, linked to the GRU, remains a prominent threat with a history of election interference, including the 2016 DNC hack.
• Cozy Bear (APT29): Associated with the Russian SVR, Cozy Bear is known for stealthy cyber espionage operations targeting government institutions.
• Berserk Bear (Energetic Bear/Dragonfly): A Russian group known for targeting critical infrastructure, including energy and election systems, potentially disrupting operations.
• Storm-1852 (aka Ruza Flood): A sophisticated Russian group with expertise in supply chain attacks and targeting voting systems through third-party vendors.
• TeamSpy: A Russian-speaking group associated with espionage, specializing in collecting sensitive information from political campaigns.
• Havex (Dragonfly): Known for targeting industrial control systems and critical infrastructure, Havex can disrupt voting systems and manipulate data.
• RaHdit: A pro-Russian hacktivist group linked to information warfare operations, capable of large-scale disinformation campaigns and cyber espionage.
• Zarya: A Russian-based group focused on financial and government-related cyber operations, including targeting high-level political figures.
• Beregini: A pro-Russian collective known for conducting influence operations through social media, aiming to sway voter sentiment.
• NoName057: An emerging Russian threat group specializing in cyber sabotage and malware deployment targeting US electoral systems.
• Crouching Yeti (aka Energetic Bear): Known for cyber espionage, Crouching Yeti has been targeting election-related infrastructure and spreading misinformation.
• Storm-1679: An evolving Russian APT with capabilities in disrupting data systems and executing highly targeted attacks.
• Volga Flood: Known for infrastructure sabotage, this group has been observed probing voter databases and electoral systems in recent years.
• Cyber Army of Russia: A collective of pro-Russian hacktivists involved in various election-targeted disinformation and cyberattack campaigns.
• Koala: A Chinese-affiliated group specializing in phishing and spear-phishing campaigns targeting high-level political figures, potentially influencing election outcomes.
2. Data Breach Operations
Data breach operations have become a staple of election-related cyberattacks, intended to undermine trust in candidates and disrupt campaign strategies. These operations typically involve the theft of sensitive data that is later leaked to the public to influence voters.
Recent Examples:
• Trump 270-Page Dossier Leak (August 2024): In August 2024, a 270-page dossier detailing President Donald Trump's political strategies and internal communications was leaked online. While the source of the breach is still under investigation, it is suspected that Iranian-backed hackers played a role in the leak, aiming to disrupt his re-election campaign.
• Democratic National Committee (DNC) Hacks: In 2016, APT28 (Fancy Bear) infiltrated the DNC, leaking internal emails that sparked widespread controversy and influenced public opinion. The DNC hack remains a textbook example of how hack-and-leak operations can sway election outcomes.
• Iranian Influence: In recent years, Iranian groups have targeted both Republican and Democratic campaigns in an effort to create discord. The US government has publicly accused Iran of attempting to hack the 2020 and 2024 US elections to manipulate public opinion.
3. Fake News, Disinformation, and Cyber Influence Operations
Disinformation campaigns are a growing concern, especially during election periods, where they have the power to sway public opinion, amplify divisions, and undermine the legitimacy of the electoral process. APT groups have been increasingly involved in such campaigns, using deepfakes, forged news outlets, and coordinated social media manipulation.
Recent Influence Campaigns:
During the 2024 US election cycle, several advanced persistent threat (APT) groups launched influence campaigns that disrupted political discourse and spread false information. Storm-1516 and Volga Flood were particularly active in these operations.
Notable Influence Operations:
• Storm-1516 created fake videos that garnered millions of views on forged media platforms. These videos targeted the Harris campaign, aiming to inflame political and racial tensions in the US. One video showed alleged Harris supporters attacking a Trump rally attendee. Another fabricated story, using an on-screen actor, falsely claimed that Harris was involved in a 2011 hit-and-run accident that left a young girl paralyzed. These videos were distributed through a website pretending to be a local San Francisco media outlet, which had been created only days before the release of the videos. Microsoft later attributed these campaigns to Russian operatives.
• Volga Flood, another APT group, collaborated with cyber proxies to disrupt the election by spreading disinformation through social media channels. Masquerading as "grassroots military bloggers," they targeted younger audiences with fake investigations and promotional hack-and-leak materials. Volga Flood, leveraging AI to scale its operations, produced "eye-catching visuals" and sophisticated regional analytics, mapping, and language expertise to manipulate social discourse.
• Storm-1852, another active player, adopted a "hands-on, interactive approach," engaging with users through reposting content, replying to comments, and conducting polls. Following the assassination attempt on former President Trump, Storm-1852 quickly produced and reposted edited short-form videos from news footage, pushing a narrative that Democrats were behind the attack.
• Doppelganger Campaigns: In 2023, cyber actors were caught creating fake news outlets that mimicked legitimate news websites, spreading false information about political candidates. These "doppelganger" websites were highly convincing, tricking users into believing the information came from trusted sources.
• Recent Arrests: In 2022, the US Department of Justice charged several individuals affiliated with Russian disinformation networks, accusing them of attempting to influence the outcome of the 2020 US election through cyber influence campaigns.
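Two signals run through the doppelganger and forged-outlet cases above: the site name imitates a trusted outlet, and the domain was registered only days before the content appeared. The following is an added defender-side triage script (not code from the original post or any vendor): the trusted-outlet list, the homoglyph table and the WHOIS-style records are constructed placeholders, and in practice the registration dates would come from a WHOIS or RDAP lookup.

```python
"""Triage domains for doppelganger news sites: lookalikes of trusted outlets
registered only days ago. Added example; all lists and records are constructed."""
from datetime import date

TRUSTED_OUTLETS = ["sfchronicle.com", "washingtonpost.com", "nytimes.com"]
# Illustrative subset of substitutions used by lookalike domains; "-" is dropped.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "-": ""}

def normalize(domain: str) -> str:
    d = domain.lower().strip(".")
    for bad, good in HOMOGLYPHS.items():  # undo visual substitutions before comparing
        d = d.replace(bad, good)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted name signals a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the trusted outlet this domain imitates, or None."""
    raw = domain.lower().strip(".")
    if raw in TRUSTED_OUTLETS:
        return None  # the genuine site itself
    base = normalize(raw).rsplit(".", 1)[0]  # drop TLD so sfchronicle.news is a hit
    for outlet in TRUSTED_OUTLETS:
        obase = outlet.rsplit(".", 1)[0]
        if obase in base or levenshtein(base, obase) <= 2:
            return outlet
    return None

def assess(domain: str, registered: date, today: date, max_age_days: int = 30) -> dict:
    """Combine the lookalike signal with registration age (the site in the text was days old)."""
    target = lookalike_of(domain)
    age = (today - registered).days
    fresh = age < max_age_days
    risk = "high" if target and fresh else "medium" if target or fresh else "low"
    return {"domain": domain, "imitates": target, "age_days": age, "risk": risk}

# Constructed WHOIS-style records (domain, registration date) and an as-of date.
SAMPLE_RECORDS = [("sfchronicle.com", date(1995, 6, 1)), ("sf-chronicle-news.com", date(2024, 9, 28)),
                  ("nytirnes.com", date(2024, 9, 30)), ("cityhallgazette.org", date(2018, 3, 12))]
TODAY = date(2024, 10, 3)
def triage(records=SAMPLE_RECORDS, today=TODAY) -> list:
    return [assess(d, r, today) for d, r in records]
```

Calling `triage()` returns one dict per record; a "high" result (lookalike plus fresh registration) is the pattern the San Francisco forgery above would have produced and is a good candidate for blocking or for a takedown request.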
4. Cyber Attacks on Critical Electoral Infrastructure
Critical infrastructure, such as voting machines, voter databases, and election result transmission systems, is a prime target for cyberattacks. A successful attack on these systems can undermine public trust in the election process and potentially alter results.
Past Incidents:
• APT28 & APT29 Attacks: Russian actors have targeted US electoral systems in multiple elections, including the hacking of voter registration databases in several states in 2016 and 2020. These attacks, although unsuccessful in altering votes, raised concerns about the vulnerabilities of the US electoral system.
• Iran and China Attacks: Iranian and Chinese groups have both been implicated in cyberattacks against US election infrastructure. In 2020, Iranian hackers were caught attempting to breach voter databases in key battleground states, while Chinese groups were observed scanning election systems for vulnerabilities.
Conclusion
The 2024 US election might face an unprecedented array of cyber threats, ranging from nation-state actors like APT28, Berserk Bear, and NoName057 to evolving tactics such as SEO poisoning. Organizations and governments must be proactive in strengthening their cybersecurity measures, particularly around disinformation, electoral infrastructure, and hack-and-leak operations. By doing so, they can better protect the democratic process and ensure a free and fair election.