Russian, Chinese, and Iranian state-sponsored hackers have been active throughout the 2024 U.S. election campaign, targeting digital accounts linked to various political campaigns, disseminating disinformation, and probing election systems. A recent report released by the Election Infrastructure Information Sharing and Analysis Center (ISAC) cautioned that the threat posed by cybercriminals, particularly ransomware operators, exceeds that of foreign espionage activities.
The report notes an increased confidence among state-sponsored actors following Russia’s interference in the 2016 presidential election. However, it highlights that these actors primarily engage in intelligence-gathering and influence operations rather than launching disruptive attacks, which would be perceived as overt aggression against the U.S. In contrast, actors driven by financial gain or ideological motives tend to focus on causing disruptions, often through ransomware or DDoS attacks.
Acquired by the nonprofit organization Property of the People and seen by WIRED, the report was produced with contributions from the U.S. Department of Homeland Security (DHS), which did not respond to a request for comment. The Center for Internet Security, which oversees the Election Infrastructure ISAC, also declined to comment on the matter.
The alert specifically mentions that since the 2022 midterm elections, cybercriminals with financial or ideological motivations have increasingly targeted state and local government networks involved in election processes. While some successful ransomware attacks and DDoS incidents have disrupted operations within affected states, they have not compromised the integrity of the electoral process. The report reveals that nation-state cyber actors have not attempted to disrupt U.S. election infrastructure, although they have engaged in reconnaissance and occasional access to non-voting systems.
According to DHS data highlighted in the report, the vast majority—95 percent—of “cyber threats to elections” have been thwarted attempts by unknown actors. Furthermore, just two percent were unsuccessful efforts by known actors, whereas three percent were successful in breaching systems or causing disruptions. The report underscores the importance of threat intelligence sharing and collaboration among local, state, and federal authorities in enhancing cybersecurity defenses and minimizing the impact of successful breaches.
Although state-backed hackers may create geopolitical tensions through aggressive digital spying, their activities are not necessarily escalatory unless they violate established espionage norms. Conversely, criminal hackers are not bound by such constraints, and overly disruptive attacks risk attracting law enforcement scrutiny.
Tactics likely to appear in these cyber incidents include initial access through social engineering or exploitation of known vulnerabilities, persistence through deployed malware that maintains unauthorized access, and privilege escalation to gain greater control over systems, which amplifies the potential impact of disruptive attacks, particularly against election infrastructure. Mapping observed activity to the MITRE ATT&CK framework helps defenders identify and mitigate these evolving threats as election season progresses.