
URL: https://www.zerofox.com/blog/cyber-threats-to-the-u-s-elections/
Submission: On November 20 via api from IN — Scanned from DE




ZEROFOX ASSESSMENT: CYBER THREATS TO THE U.S. ELECTIONS

OCTOBER 4, 2024 | BY ZEROFOX INTELLIGENCE



EXECUTIVE SUMMARY

The cyber threats posing risks to the U.S. presidential election to be held on
November 5, 2024, illustrate the increasing interconnectivity of the cyber and
geopolitical domains. There is substantial variance in the types of threat
actors that demonstrate a level of perceived investment in the future U.S.
leader, American political stability, or Western nations’ ability to maintain
their democratic processes. 

These threat actors are harnessing a more diverse arsenal than ever
before—placing increasing strain on security teams to ensure the election
remains transparent and trustworthy. Threat actors are using malicious tools to
cause disruption or breach networks and steal data, either as a part of an
espionage campaign or in pursuit of financially or ideologically motivated
objectives. Legitimate tools are also being leveraged, with threat actors using
social media platforms and online forums as vehicles to deliver payloads of
mis-, dis-, and malinformation (MDM).

In the coming weeks, it is very likely that the tempo and potency of cyber
activity that actively targets or otherwise exploits the election will increase.
While this will likely culminate on November 5, malicious cyber activity will
very likely continue for as long as associated elements remain sufficiently
topical for use in malicious activities.

This report should be read in conjunction with ZeroFox’s Intelligence brief
Physical Threats to the U.S. Election (B-2024-10-03c).


THREAT ACTORS TARGETING THE U.S. ELECTION

The run-up to the 2024 U.S. presidential election has drawn active engagement
from the full suite of cyber threat actors, and this trend is expected to
continue up to and beyond voting day. Broadly, these threat actors include:

 * Adversarial Nation-states - Nation-state apparatus engaged in widespread
   campaigns to impact the election outcome, undermine democratic processes and
   institutions, or pursue state agendas
 * Cybercriminals - Collectives that seek to leak sensitive information or
   engage in mass-influence campaigns, either for personal gain or working in
   conjunction with adversarial entities such as nation-states
 * The Willing Influencer - Members of the public that actively seek to stoke
   divisions, sow discord, influence en-masse, and knowingly spread falsehoods
 * The Accidental Influencer - Members of the public who may have no intent to
   spread falsehoods but want to voice truly-held beliefs, engage in debate, or
   unwittingly engage with actors that have more nefarious intentions

Threat actor activity aimed at targeting or leveraging the U.S. election varies
substantially depending on the actor’s motive, capability, and intent. The
election process, outcome, or associated elements may be the primary targets of
activity but can also be a vehicle or means to achieve predefined—and either
adjacent or unrelated—ends. Threat actor motivations can broadly be categorized
into three buckets; these categories are not mutually exclusive, and threat
actors may sit within more than one of them. 

 * Election Interference - Seeking to directly induce a specific change, such as
   determining the winner of the election; obstructing or sabotaging electoral
   processes to delay, damage, or otherwise impede their proficiency and output.
 * Election Influence - Seeking to undermine or subvert electoral institutions
   and organizations; affecting, influencing, or shaping the electorate in order
   to change their perception of political candidates or an ongoing foreign
   affair.
 * Election Opportunism - Seeking to capitalize on or leverage the election to
   achieve certain political or financial strategic objectives, albeit often
   with indifference to the election itself or its outcome.

The majority of election threats very likely fall within the election influence
category and involve the malicious or inaccurate use of information. The
weaponization of information poses a greater and more nuanced threat today than
ever before. Social media platforms, online forums, alternative media platforms,
synthetic media, and a growing skepticism toward traditional media outlets have
created a fertile ground in which actors can exaggerate, misconstrue, or
synthesize a deliberate narrative that can assist them in achieving a given
end-state. Such activity falls into one of three categories, which—while closely
related and often overlapping—carry distinct meanings and threats.

 * Misinformation - Content that is false, misleading, or taken out of context
   but is shared without the intent to deceive or cause harm.
   Is the information true or based on truth? ❌
   Is it spread with intent to cause harm? ❌
 * Disinformation - Deliberately false, misleading, manipulated, or biased
   content spread with the intent to deceive or cause harm.
   Is the information true or based on truth? ❌
   Is it spread with intent to cause harm? ✅
 * Malinformation - Genuine information, or information based on reality, spread
   with the intent to cause harm.
   Is the information true or based on truth? ✅
   Is it spread with intent to cause harm? ✅

Definitions of MDM
Source: ZeroFox Intelligence


PRE-ELECTION

The vast majority of cyber activity targeting or leveraging the 2024 U.S.
election will almost certainly take place before November 5 due to the
substantial length of time in which threat actors can conduct planning and
reconnaissance, direct various types of cyberattacks, adjust techniques, and
repeat. Attack techniques utilized during this time period are very likely to
carry a low risk for the threat actor, with the potential for a low to moderate
impact on the election.


DOMESTIC ACTIVITY

Widespread activity very likely consistent with attempts to influence the
election outcome has been identified online and on social media platforms,
including X (formerly Twitter), Facebook, Instagram, and TikTok. ZeroFox has
observed various domestic actors spreading MDM, as well as information that
could not have been verified before it was posted. These are most likely being
published by willing interferers–and promoted by accidental interferers–although
it is likely more organized criminal and nation-state actors are behind some of
the posts. The influence campaigns are varied in nature, although prominent
themes include: 

 * Claims that the opposing side is seeking to undermine democratic processes
 * Stoking discord on socially divisive topics, including immigration, abortion,
   gun rights, and foreign affairs
 * False or exaggerated claims of celebrity endorsements for candidates

Disinformation on social media platforms by the respective voter bases is
widespread and most often intended to accuse political rivals (such as parties,
individuals, and opposing voter bases) of inappropriate behavior in a bid to
shore up support for their affiliated party. This threat is increased when such
information is intentionally shared by those with large followings, such as
celebrities and influential figures, as well as by those whose position or
stature lends credibility to the information.



Posts alleging anti-Republican and anti-Democratic behavior and inciting action
Source: X (formerly Twitter)

In isolation, this type of content poses very little threat to the election,
with the majority of individual posts on social media platform X, for example,
typically garnering relatively small engagement. However, their sheer quantity
can lead to the creation of narratives which, in some cases, become broadly
agreed upon by a large number of people. Additionally, metadata-type tools such
as hashtags (as well as clickbait-type titles, mentions, and tags) can be used
to increase the likelihood of a single post becoming widely seen, as well as
enable the author to reach a specific demographic. 

Mis- and disinformation surrounding both presidential candidates is widespread
and is typically focused on garnering domestic support, disparaging political
opponents, or furthering a narrative. Fabricated media poses a significant risk
to the way that voter bases view, share, and use media to formulate their
opinions and inform their voting behavior. 

 * While synthetic media does not necessarily equate to false or malicious
   information, it is often offered as low-effort evidence for a claim (which
   may be true or false).
 * This can lead to recipients believing the claim due to apparent visual
   evidence or resonating more with the claim because of visually appealing
   synthetic media, which also increases the likelihood of it being shared.
 * AI-generated media almost certainly poses a larger threat to the upcoming
   election than any previous one.

Multiple instances of such posts surrounding former U.S. President and current
Republican nominee Donald Trump have been identified during the campaigning
period. During the presidential debate hosted by ABC News in Philadelphia,
Pennsylvania, on September 10, Donald Trump claimed that household pets have
been eaten in Springfield, Ohio, by “the people that came in”—likely referring
to illegal migrants. His claims were shared by James David (JD) Vance, the
Republican Party’s Vice President nominee. 

 * The claims sparked an online discussion surrounding their authenticity,
   characterized by a flurry of AI-generated “memes” depicting Donald Trump
   protecting various animals.
 * While initially shared by likely Republican-leaning voters in a manner that
   supported Donald Trump, they later became synonymous with political
   disinformation and shared by those supportive of the Democratic Party.
 * The ongoing trend demonstrates how the use of synthetic media alongside a
   statement can be used to evoke emotion to both garner support for and
   ridicule a political candidate.

AI-generated images depicting Donald Trump as a guardian of a cat and a duck
Source:
hXXps://www.dailymail[.]co[.]uk/news/article-13837875/Pets-Trump-AI-memes-explode-social-media.html

The use of synthetic media and disinformation has also been leveraged to promote
likely fake celebrity endorsements for candidates. While unlikely to directly
impact the election outcome, these examples highlight the ways in which false
information regarding prominent figures or events can be used, intentionally or
otherwise, to influence large numbers of people. AI-generated content related to
both legitimate and fabricated endorsements has been observed throughout 2024.

Instances of seemingly innocuous information that have been widely shared or
misconstrued—regardless of original intent—have also been observed. During the
August 2024 Democratic National Convention, rumors circulated online that singer
Beyoncé was due to make a surprise appearance during an acceptance speech by
Vice President and presidential nominee Kamala Harris. Representatives of
Beyoncé later confirmed that the singer “was never scheduled to be there.” It is
not clear how the rumors began, but both figures associated with the Democratic
Party and media outlets are alleged to have circulated this information. 

 * Fox News speculated that the Democratic Party and the DNC may have
   deliberately espoused false information in a bid to inflate DNC attendance
   and associate the party with one of the most popular singers of all time.
 * Some X users suggested that the “no-show” is indicative of Beyoncé’s support
   for Donald Trump.

Reporting from the prior 2020 U.S. election period suggests that a majority of
Americans think that false news had a major impact on the outcome of the
election. An even higher number claimed that they had come across election news
that they deemed outright false, almost certainly leading to increased
skepticism when ingesting information. However, MDM will almost certainly
contribute to the electorate’s voting patterns—despite growing awareness about
it—due to its widespread reach and increasing difficulty in distinguishing it
from objective truth. 

 * False information that continues to circulate poses a significant threat to
   the truth. According to the “validity effect”, people's familiarity with
   information often overrides their rationality.
 * Information which is adverse to widely-believed ideas or flagged by online
   moderation tools very likely carries its own appeal to people untrusting of
   “mainstream” media outlets.


OVERSEAS ACTIVITY

International actors have also been observed leveraging false information
regarding the election. The United States’ geopolitical stature and
international presence ensure that both friendly and opposing states have a
continued interest in the country’s leader, foreign affairs, and domestic
policies. Foreign states view the shaping of U.S. elections as a means by which
to ensure their own security, achieve strategic objectives, and pursue preferred
outcomes to ongoing geopolitical events.

On August 16, 2024, AI research organization OpenAI announced that it had banned
a number of ChatGPT accounts that had been observed using the tool to create
both long-form blog posts and short-form social media comments related to the
elections. The activity is linked to “Storm-2035”, an ongoing Iranian influence
campaign that very likely seeks to sway the opinions of American voters.
According to OpenAI, it enacted similar bans against the collective “Crimson
Sandstorm” earlier this year as well, and none of this content achieved
significant readership before its removal. 

Iranian cyber activity targeting this year’s election has very likely been
higher-effort than that observed in previous years, with a likely chance that
such activity is intended to influence American voters in favor of Kamala
Harris. The Donald Trump campaign has attempted to use Iran’s supposed favor of
the Democratic Party to garner support by claiming that “Iran loves the weakness
of Kamala Harris.” While unlikely to be a primary objective, Tehran likely views
such rhetoric as positive and undermining to American political stability.

Storm-2035 social media post and article headline
Source:
hXXps://openai[.]com/index/disrupting-a-covert-iranian-influence-operation/


ZeroFox has also identified malicious cyber activity emanating from China that
is targeting and leveraging the election to pursue strategic state objectives.
Much of this activity is considered a part of “Spamoflage”, an ongoing
disinformation campaign that is almost certainly at the behest of the Chinese
government. Active since as early as 2017, Spamoflage seeks to promote
pro-Chinese Communist Party propaganda, target political dissidents, and
influence public opinion surrounding geopolitical topics important to Beijing.

Anti-NATO/America Spamoflage posts
Source:
hXXps://openai[.]com/index/disrupting-a-covert-iranian-influence-operation/

Many recently observed Spamoflage operations have taken place on social media
platforms such as X and Meta, where large numbers of fake accounts appear to
impersonate American voters. The accounts do not appear to overtly support
either presidential candidate but, rather, seek to sow division via sharing of
divisive content about immigration, veterans’ welfare, and female reproductive
rights. 

While there is a roughly even chance that such material may dissuade some
American citizens from voting, these cyber activities are unlikely to directly
affect the outcome of the election. Instead, they are very likely in line with
Chinese state ambitions to undermine Western democratic processes and
institutions, as well as long-term shaping activity intended to weaken
international opposition surrounding contentions in Taiwan and the South China
Sea. The Spamoflage campaign is very likely to continue past the upcoming
election, increasingly leveraging synthetic media and a growing number of social
media platforms. 

Of the foreign states, Russian cyber activity likely poses the greatest threat
to the outcome of the upcoming election. Multi-pronged Kremlin MDM efforts
reflect the prioritization of a relatively short-term objective: the successful
election of Donald Trump in November 2024. As such, information campaigns
seeking to denigrate and undermine both Kamala Harris and the Democratic Party
are almost certain to continue in the coming weeks, with voters in swing states
such as Arizona, Georgia, North Carolina, and Nevada likely to be targeted
specifically. 

 * The Russian government almost certainly favored Donald Trump in the 2016 and
   2020 U.S. presidential elections. His foreign policy preferences and approach
   to international relations are very likely a key contributor to this. As well
   as having isolationist ambitions, Trump has been overtly skeptical of the
   U.S. and NATO approach to the ongoing Russia-Ukraine conflict, as well as
   NATO in general. On July 4, 2024, Russian President Vladimir Putin outlined
   these topics in relation to pre-conditions to ceasing aggression in Ukraine.

In September 2024, a video went viral on social media platforms that depicted a
woman claiming to have been paralyzed following a 2011 car accident in San
Francisco that involved Kamala Harris. The video had initially been published by
an alleged San Francisco media outlet named “KSBF-TV”, and it was later shared
by Aussie Cossack, a self-professed broadcaster for Russian state media agency
Sputnik. Subsequent research by Microsoft suggested that KSBF-TV and the
incident are entirely fabricated, and the woman featured in the video is a paid
actor. The threat group purportedly responsible is “Storm-1516”, an alleged
Kremlin-aligned troll farm that has also been observed distributing fabricated
media surrounding an alleged attack by Kamala Harris supporters at a Donald
Trump rally. 

KBSF-TV video depicting alleged victim
Source: hXXps://twitter[.]com/krassenstein/status/1831065332410446093

Other activity has stemmed from Russian state media outlets such as Russia Today
(RT) and Tass, as well as fabricated news sites that attempt to spoof the
domains of legitimate U.S. media outlets in order to lure unsuspecting visitors
before presenting them with disinformation. One such website published an audio
file titled “Top Democrats Are Behind the Assassination Attempt on Trump; Obama
Knows About the Details”, as well as an article claiming that a Ukrainian troll
farm seeks to disrupt the U.S. elections. 

 * Many of these domains were allegedly seized following a press release by the
   U.S. Department of State outlining RT’s “global covert activities”, accusing
   the platform of being involved in information operations, covert influence,
   and military procurement targeting countries around the world.
 * Earlier in September 2024, the U.S. Justice, State, and Treasury Departments
   announced sanctions targeting Russian state media executives amid accusations
   of election interference.

Espionage-focused operations are very likely heightened in the pre-election
period, as opposing states seek to understand the implications of potential
outcomes, gain insight into future policy, and understand how it impacts their
strategic objectives, geopolitical interests, and domestic security.
Additionally, the expanded communications, election infrastructure, and
databases enlarge the attack surface, which is more likely to rely on
short-term, hastily assembled security protocols. While instances of
intelligence-gathering activity have been observed, it is likely that
additional operations are ongoing and remain covert.

Throughout 2024, likely Iranian state-affiliated cyber threat actors have been
observed leveraging spear phishing, account takeover, and password spraying in
attacks against Donald Trump’s election campaign. Alleged network breaches
resulted in the theft of internal communications, which in the following weeks
were reportedly sent to senior figures within the then-Joe Biden election
campaign, as well as select media outlets. While the primary intent of this
campaign was likely election interference, the allegedly successful leveraging
of social engineering to breach victim networks demonstrates a notable risk to
potentially sensitive information. 

 * As of the writing of this report, three Iranian nationals have allegedly been
   indicted in relation to this activity.


DEEP AND DARK WEB ACTORS

ZeroFox has observed numerous incidents of deep and dark web (DDW) actors
monetizing the election by selling malicious services designed to target the
voter base, as well as illicitly obtained personally identifiable information
(PII) and personal financial information (PFI).

Robi Good’s xss advertisement
Source: ZeroFox Intelligence

The service is priced at USD 1,260 and reportedly comes with numerous
customization options. Robi Good specified that escrow services are available,
increasing the credibility of the actor and the service. Sales and further
enquiries are to be made via an advertised Telegram channel, where buyers also
receive a demonstration. 

Phishing page targeting Donald Trump supporters
Source: ZeroFox Intelligence

Phishing page targeting Kamala Harris supporters
Source: ZeroFox Intelligence

The finding accentuates both the propensity for financially motivated DDW actors
to opportunistically leverage high-profile events for personal gain and the
bipartisan stance taken by threat actors that are likely to be based in or
associated with Russia. Services such as these are very likely to be popular
among DDW forum users and will likely pose a threat to American voters. If
phishing scams such as these are widely successful, there is also a roughly even
chance that imitated official entities will suffer from both reputational damage
and fewer overall financial donations.

On August 19, 2024, the likely Morocco-based hacktivist group “Mr Hamza” made an
announcement in its Telegram channel claiming responsibility for an alleged
network breach that targeted the official government website of the state of New
Jersey, nj[.]gov. Mr Hamza, known for targeting U.S. government entities,
claimed that “all data” from the website “has been removed” and “pulled.” A ZIP
file was attached, named nj[.]gov[.]zip, comprising five CSV files that
allegedly contain PII pertaining to New Jersey mayors—including names, term
dates, municipal codes, addresses, and contact details from between 2016 and
2020. 

 * The announcement appeared to be presented as a part of a larger campaign
   targeting U.S.-based victims, using the hashtag #Ops_USA.
 * It is unclear when the alleged breach took place or whether data pertaining
   to website visitors is also compromised.
 * If Mr Hamza’s claims are legitimate, it is very likely that
   implicated New Jersey officials face a significantly higher risk from social
   engineering activity, even if parts of the information are up to eight years
   old. The activity poses a low overall threat to the upcoming election,
   however.

Telegram advertisement by Mr Hamza
Source: ZeroFox Intelligence

On April 14, 2024, an announcement was made on the Telegram channel
Pro-Palestine Hackers Movement claiming that the “NTB CYBER TEAM”, also known as
“TERSAKITI”, had hacked the Colorado Secretary of State’s official website,
sos.state[.]co[.]us. The channel posted a CSV file allegedly containing 637
records pertaining to business listings and registered entities within the
region.

 * TERSAKITI is a politically motivated hacktivist collective very likely linked
   to Indonesia. Its activity is usually aligned to pro-Palestinian causes,
   targeting perceived opponents of Palestine or Islam.

Telegram advertisement by TERSAKITI
Source: ZeroFox Intelligence

This data, if legitimate, is very unlikely to pose a threat to the upcoming
election but could be leveraged to conduct social engineering campaigns, target
specific businesses, and undermine Colorado government institutions. This
activity highlights the threat posed from ideologically motivated hacktivist
groups that have no stake in the outcome of the election but likely view the
election period as a lucrative time to conduct malicious activity.


VOTING PERIOD

Due to a shortened time frame demanding more direct and decisive action from
malicious actors that seek to have an effect, cyber threats during the voting
period of the election are more likely intended to directly impact the outcome
or obstruct and delay electoral processes. The voting period and the
pre-election period overlap to some extent, as early in-person voting and
mail-in voting began in some states in early September 2024. 

At this stage, there is a high threat from attacks seeking to prevent votes from
being effectively cast. To achieve this, both domestic and international threat
actors will likely leverage MDM to sow confusion regarding election protocols. 

 * In January 2024, some members of the public located in New Hampshire received
   a phone call purporting to be from Joe Biden stating, “your vote makes a
   difference in November, not this Tuesday” (January 23). While the audio
   mimicked Joe Biden, the phone call was fabricated and likely leveraged
   synthetic media in an effort to discourage residents from voting in the New
   Hampshire presidential primary election. Similar incidents were identified
   prior to the 2020 U.S. election.

On or close to November 5, ZeroFox anticipates a heightened threat from overt
and aggressive last-minute smear campaigns, most likely targeting prominent
politicians within a political party or associated influential individuals, such
as political family members, donors, or endorsers. This does not necessarily
need to be MDM to have an effect, as even objective or proven information
surrounding a negative incident that is reinvigorated at a critical point in the
election process can cause significant reputational damage.

 * In the days prior to the November 3, 2020, U.S. presidential election, a
   series of articles were published regarding allegations made against Hunter
   Biden. Many attributed this to an attempt to sway voters away from his
   father, Democratic candidate Joe Biden.

There is also a low-risk but potentially very high-impact threat posed to voting
machinery and digital infrastructure used by balloting authorities to scan,
store, tally, and tabulate votes. A range of cyber threat actors (from
ideologically-motivated hacktivist collectives to foreign state intelligence
services) almost certainly deem direct interference with this digital
infrastructure as a high pay-off means of either altering election results or
delaying the outcome by causing disruption.

 * In 2018, the U.S. Department of Justice charged 12 Russian intelligence
   officers with a range of offenses linked to attempted election disruption.
   Among the accusations was that the actors had obtained illicit access to
   electronic voting equipment to gain information surrounding software and
   hardware solutions.

The security of digital voting infrastructure almost certainly increases each
election cycle in response to the increasingly complex cyber threat landscape
and growing number of threat actors that perceive a benefit from targeting U.S.
elections. Guidance for digital security is issued by both the Cybersecurity &
Infrastructure Security Agency (CISA) and the U.S. Election Assistance
Commission, and resources are provided surrounding registered manufacturers and
test laboratories. 

As security protocol is deliberated at the state level, this guidance is
voluntary. However, a successful network breach is very unlikely to occur if: 

 * Networks remain air-gapped, segmented, and disconnected from any external
   networks such as the internet.
 * Hardware and software are sourced from recommended suppliers.
 * Login credentials are kept secure.
 * Security patches are kept up to date.
 * Appropriate user guidance is readily available, and incident response plans
   are in place and rehearsed.

Excerpt from U.S. Election Assistance Commission security pamphlet
Source: ZeroFox Intelligence

Failure to enact proper security protocols in election equipment and associated
networks will significantly raise the threat of illicit network access by
malicious cyber actors, potentially resulting in distributed-denial-of-service
(DDoS) attacks, inaccurate counts, or delayed results. Any successful
compromise—even if overstated or exaggerated—also significantly increases the
risk of claims from the voter base, political parties, or prominent individuals
that proper procedures were not followed and results may not be accurate.
Narratives such as these can then be leveraged as justification for undermining
electoral institutions or the new government administration.


POST-ELECTION

Post-election cyber threats will almost certainly revolve mostly around the
continued use of information campaigns to drive narratives aimed at undermining
democratic procedures, questioning the authenticity of the electoral processes
and results, and maintaining political relevance by denigrating opposition
parties. In 2024, there is almost no chance that this would result in a direct
threat to the election outcome, but it would very likely lead to instability
that can be capitalized upon by those willing to perpetuate the threat.

With the closure of polling offices across the United States between
approximately 7:00 PM and 9:00 PM (local times) on November 5, 2024, the
greatest threat will likely be from prominent figures seeking to establish an
early narrative that can later be used to garner support and incite unrest or
discontent should final voting counts lead to outcomes considered unfavorable.
Some likely claims include:

 * Votes were not properly counted, and a recount should take place. This is
   most likely to occur in swing states that will have a disproportionate impact
   on the outcome of the election.
 * Votes in certain states have been “rigged” or otherwise tampered with. This
   is most likely to occur in states within which pre-election polls had
   indicated alternative results.
 * Voters have been misled or confused by changes made to voting methods, rules,
   times and dates, or legislation.
 * Significant domestic or international events, such as natural disasters or
   epidemics, have led to mass confusion and disarray.
 * Earlier examples of interference, disruption, or malpractice associated with
   election procedures are reinvigorated and used to explain unexpected
   outcomes, even if such activity has already been accounted for or rectified.

Comments from prominent politicians have already indicated in 2024 that the
outcome of the upcoming election would only be accepted if “everything is
honest.” The danger posed by comments such as these is two-fold:

 * It espouses and normalizes a sentiment that an element of uncertainty exists
   and that election outcomes may not be as they seem. This could be construed
   as justification for recourse action by a large number of voters, which is
   innately undermining of Western democratic procedures.
 * It raises questions surrounding the lack of any arbiter of election
   integrity, as well as a lack of protocol should an adverse situation arise.

Prolonged information campaigns that question election integrity are almost
certainly perceived as undermining democracy and strategically beneficial to
opposing states such as Russia, China, and Iran. Such action could be used as
justification for promoting alternative governing styles and as leverage in
diplomatic affairs. Furthermore, it offers a more volatile, partisan, and
divided U.S. social and political landscape for influence campaigns targeting
upcoming events, such as future elections or international affairs. Opposing
nation-states will very likely continue to evolve novel methods of creating,
perpetuating, and exacerbating these situations.

Unbound by the electoral timeline, DDW actors will continue to pose a
significant threat following the election. The spike in activity observed by DDW
actors leveraging the election to target voters, associated personnel, and
digital infrastructure will very likely result in an increase of exploitation in
the coming months that will mostly impact those implicated in cyberattacks
resulting in the theft of personal information.

PII leaked in data breaches will continue to be sold and procured in DDW forums
and marketplaces, often staying in circulation for long periods of time and
bought repeatedly. This significantly increases the threat from activity such as
social engineering, malware, and digital extortion.


OUTLOOK

Safeguarding the 2024 U.S. election requires an understanding of the threat
posed by a cyber threat election landscape that is likely more diverse and
complex than ever before. Within this landscape, actors with a full spectrum of
intents, motives, and capabilities perceive a vested interest in the outcome of
the election and its associated future policy, the efficacy of its underpinned
procedures and institutions, or the successful showcasing of democratic
procedure on a global stage.

MDM poses a greater threat than ever before thanks to an ever-growing array of
platforms granting it viewership and circulation, a populace increasingly
distrustful of mainstream media outlets, and prominent figures espousing
often-uninformed views while creating permissible digital norms. This is further
exacerbated by the rise in synthetic media and the proliferation of tools that
enable its creation, which is often unimpeded in its use due to its relative
novelty and a subsequent lack of vigilance among users of social media platforms
and alternative media outlets. This information is almost certainly already
swaying voter opinions and will very likely have an effect on the election
result, the extent of which cannot be easily quantified. 

Activity emanating from state-associated actors—such as the spurring of
misinformation campaigns, espionage, or “hack and leak” discrediting
attacks—will likely continue over the coming weeks and reduce in tempo following
November 5, 2024. This activity is unlikely to directly affect the outcome of
the election but will likely be considered a success in terms of contribution to
strategic objectives. Following the election, these actors will almost certainly
continue to pursue the same objectives, leveraging alternative vectors.

Individuals and organizations must proactively adopt responsible security
practices, including verifying information consumed and monitoring for sensitive
data disclosures online. Tools and resources are available that can assist in
verifying the legitimacy of online content, and digital risk protection services
can assist in identifying and mitigating the spread of sensitive information
should such disclosures occur.


ZEROFOX INTELLIGENCE RECOMMENDATIONS


COUNTERING MIS-, DIS-, AND MALINFORMATION

 * Question the credibility of information sources, such as the date the content
   was published, and identify any potential source biases. Consider content in
   its entirety, not just the headline.
 * Use fact-checking websites like FactCheck[.]org, the News Literacy Project,
   and NewsGuard.
 * Conduct training on how MDM works to boost defenses to, and recognition of,
   false claims.
 * For organizations that find themselves a victim of MDM, have a crisis
   response plan in place to evaluate the content and formulate an approach to
   neutralize and contain the malicious information.
 * Ensure a thorough understanding of the exposure of key individuals and
   organizations in open and closed sources.


PROTECTING NETWORKS

 * Deploy a holistic patch management process, and ensure all IT assets are
   patched with the latest software updates as quickly as possible.
 * Adopt a Zero-Trust cybersecurity architecture based upon a principle of least
   privilege.
 * Implement network segmentation to separate resources by sensitivity and/or
   function.
 * Ensure critical, proprietary, or sensitive data is always backed up to
   secure, off-site, or cloud servers at least once per year—and ideally more
   frequently.
 * Implement secure password policies, phishing-resistant multi-factor
   authentication (MFA), and unique credentials.


VOTING SECURITY

 * Proactively seek and identify disinformation spreading on social media
   platforms regarding voting dates, times, locations, and protocols. Official
   information is published by the U.S. Election Assistance Commission.
   * hXXps://www.eac[.]gov/voters/register-and-vote-in-your-state?field_state_target_id=18406
 * Minimize the chance of human error (very likely the greatest threat to voting
   systems) by ensuring staff receive cyber hygiene training, appropriate user
   guidance is readily available, and incident response plans are in place and
   rehearsed.
 * Enact prudent physical security measures, scrutinizing access to individuals,
   unfamiliar IT equipment, and portable storage devices.
 * Ensure that digital voting equipment and associated networks are secure and
   certified. Guidance is issued by the U.S. Election Assistance Commission.
   * https://www.eac.gov/election-technology
 * Utilize recommendations and training resources offered by CISA designed to
   reduce the threat from phishing, ransomware, and DDoS activity.
   * hXXps://www.cisa[.]gov/cybersecurity-toolkit-and-resources-protect-elections

ZEROFOX INTELLIGENCE

Tags: Threat Intelligence

