If history has anything to tell us, the most significant cyber threat to this year’s election won’t be a leak, a distributed denial of service (DDoS) attack, or a fake news video. Instead, it will be a combination of these or more.
In the early days of cyberspace, hackers caused all kinds of mayhem using simple and straightforward methods: hiding viruses in advertisements, hacking websites with easily guessable passwords, and so on. While this still happens, increased cybersecurity awareness and protection now often force attackers to get more creative, chaining multiple tactics together to achieve their goals.
The same goes for elections. In 2006, Joe Lieberman’s presidential campaign aides had to resort to their personal emails when a DoS attack froze their IT systems. A decade later, famously, came the Podesta email leak. Now, according to Mandiant, part of Google Cloud, the most potent threats to the democratic process are chained attacks.
“In the most significant election-targeting cyber incidents that Mandiant has tracked, threat actors deliberately layered multiple tactics into hybrid operations such that the effect of each component amplified the others,” the company wrote in a new report.
Combined electoral attacks
One case study Mandiant points to occurred in 2014, when the Ukrainian presidential election was disrupted by a Russian cyberattack, following the ouster of pro-Russian President Viktor Yanukovych and Russia’s invasion of Crimea.
A week before election day, Russian actors hiding behind the hacktivist nickname “Cyber Berkut” hit NATO-related websites and Ukrainian media with DDoS attacks. This set the stage for what followed: with four days to go, the same fake hacktivist group broke into the country’s central election computers and deleted file after file, rendering the vote counting system unusable.
The next day, they compounded the chaos by destroying more election infrastructure and then leaking the archived emails and documents onto the Internet. Finally, just 40 minutes before the election results were broadcast to the public, the country’s Central Election Commission allegedly removed some sort of virus designed to present false results in favor of the far-right ultranationalist candidate.
This extreme type of combined cyber warfare could only have happened in a country going through such upheaval, but other chained cyber attacks have since hit more stable democracies.
In 2020, two Iranian citizens in their 20s ran a campaign against voting-related websites in several US states. They managed to obtain confidential voter information from at least one of them, which they then used to send intimidating and misleading emails, including by spreading a disinformation video about electoral infrastructure vulnerabilities. They also hacked a media company that, the Justice Department noted, could have provided them with another channel through which to spread their false claims.
“Leaks are particularly powerful. Potentially more powerful if enhanced through the compromise of legitimate media,” says John Hultquist, lead Mandiant Intelligence analyst at Google Cloud.
The combination of hacking and fake news is a potent mix. “These disinformation efforts are often orchestrated by state-backed entities from nations like China, Russia, and Iran,” warns Madison Horn, herself a 2024 candidate for a congressional seat in Oklahoma’s 5th district. “Their impact is undeniable, as seen in cases such as Russia’s involvement in the 2016 US elections and China’s ongoing global influence operations, which clearly demonstrate their ability to influence public opinion and disrupt electoral integrity.”
The threat of cybercrime
It’s not just state-sponsored actors that pose a threat to the democratic process, Mandiant noted. Insiders, hacktivists and cybercriminals all muddy the waters in their own ways.
In most cases, “The avenues for these campaigns are the popular social media platforms – X, Telegram, Facebook – and YouTube, which make the digital battlefield as accessible as it is dangerous,” warns Horn.
From January 2023 to March 2024, cybersecurity firm BrandShield monitored new social media accounts and suspicious web domains related to the presidential campaigns of Joe Biden and Donald Trump. It found hundreds of impostor accounts on social media sites, as well as 2,335 suspicious websites claiming some sort of affiliation with the president and 9,639 with the former president (helped by a 197% increase after his arrest in August).
Fake Trump site. Source: BrandShield
Fake sites and accounts are useful for spreading scams or malware and for stealing funds that voters intended for candidates, or they can be used in conjunction with other tactics to achieve more ambitious goals.
“They can be used to get information from people and perhaps try to influence their opinions by distributing fake news,” says BrandShield CEO Yoav Keren, former councilor of the Israeli Knesset. “I even think they can use these platforms to interact with real people involved in campaigns, to infiltrate their systems. These imitations can be used in many different ways.”
“I don’t want to give the bad guys too many good ideas,” he says, “but they usually come up with them before I do.”