Key Points
- Advanced persistent threat (APT) groups will likely attempt to disrupt the US election through hack-and-leak operations, disinformation campaigns, and attacks on electoral infrastructure, posing significant risks to organizational security.
- Research across our customer base has revealed that cybercriminals are sending electorally themed phishing emails embedded with “SocGholish” malware. This trend likely means that phishing will probably be the main initial access vector for cybercriminals looking to hamper the upcoming election.
- Cybercriminals are exploiting the election period by registering typosquatting domains to run cryptocurrency scams. These fraudulent sites lure users into fake donation and investment schemes, risking financial losses and reputational damage for organizations.
- Organizations should use GreyMatter Hunt Packages and the recommended automated response measures for optimized detection and mitigation.
As the 2024 US presidential election approaches, US businesses face significant cyber risks alongside general election threats. ReliaQuest anticipates that election-related targeting from nation-state–associated groups, hacktivists, and cybercriminals will pose substantial threats to businesses through phishing, distributed denial of service (DDoS), and data theft, aiming to disrupt operations, cause financial loss, and exploit heightened public interest. This report focuses specifically on the major cyber threats to businesses during the election period, offering critical insights for corporate leaders and CISOs. We analyze nation-state activity, election-themed phishing, typosquatting, search engine optimization (SEO) poisoning, and drive-by compromise, exploring how artificial intelligence (AI) enhances these risks.
To mitigate these business-specific risks, we recommend adopting a defense-in-depth strategy that includes robust cybersecurity measures, continuous monitoring, and comprehensive employee training. Advanced web filtering and threat detection systems are crucial for identifying and blocking malicious websites before employees can access them. Furthermore, implementing multifactor authentication (MFA) and ReliaQuest automated incident response can help contain and block malicious activity, even in the event of credential compromise. By integrating these layers of defense, businesses can enhance their protection against the evolving cyber threats associated with the 2024 US election, thereby ensuring the security and integrity of their networks and data.
Nation-State Threats
The election will likely draw significant interest from well-resourced, state-sponsored threat actors, such as Russia-linked “APT28,” China-linked “APT41,” Iran-linked “APT33,” and North Korea-linked “Lazarus Group.” These groups use traditional cyber methods to conduct disruptive attacks and sophisticated information operations, often employing hacktivist tactics to amplify their impact. Their campaigns aim to undermine democratic institutions, sow societal discord, and advance strategic interests.
We analyzed the impacts of these advanced persistent threat (APT) groups on past global elections to identify the cyber operations they might use to disrupt the 2024 US election. These include hack-and-leak operations, disinformation and cyber influence, and cyberattacks on critical electoral infrastructure. The tactics are listed below from the most to least likely.
Hack-and-Leak Operations
Hack-and-leak operations involve threat actors accessing and leaking sensitive information to disrupt or influence voter perceptions. APT groups have infiltrated the email servers of major political parties and often use phishing as a method to gain unauthorized access. They release selected sensitive communications to create scandals or sow discord, often timed to coincide with key election moments for maximum effect.
For the 2024 US election, we expect these operations to target political party databases, campaign communications, and personal email accounts of candidates and staff. The US government recently attributed a successful hack-and-leak operation targeting Donald Trump’s campaign to Iran, as well as an unsuccessful attempt on the Biden-Harris campaign.
Hack-and-leak operations effectively combine traditional cyber intrusion with information warfare. These operations are augmented through state and social media campaigns that use bots, troll farms, and sympathetic outlets to spread the data widely. For instance, a Russia-linked APT group could leak incriminating information about a candidate, which could then be followed by Russia-backed media amplifying the story to portray the US electoral system as corrupt.
Generative AI can intensify these threats by creating highly persuasive fake documents, emails, or voice recordings that add credibility to the leaked data. This technology enables the automation and scaling of disinformation campaigns, increasing their reach and impact with minimal human intervention. Moreover, AI-driven bots can amplify these false narratives more efficiently to create an echo chamber that further polarizes public discourse. Threat actors could use AI to tailor disinformation to specific demographics or individuals, further enhancing the effectiveness of these operations.
Democratic National Committee Hacks
During the 2016 US presidential election campaign, Russia-linked APT groups APT28 and “APT29” exfiltrated approximately 19,000 internal emails from the Democratic National Committee (DNC).
Subsequent reporting alleged that this operation aimed to undermine the Democrat candidate, Hilary Clinton, and erode public trust in the electoral process.
Impact on Enterprises
Businesses, especially those with government ties, should be aware of the risks from hack-and-leak operations. Critical infrastructure sectors such as defense, energy, and health care are likely particularly vulnerable due to the sensitive nature of their data and the potential impact on national security, public safety, and public health.
Furthermore, organizations perceived to be aligned with a candidate in the presidential elections may become targets for hack-and-leak operations, as illustrated by the recent cyber attack conducted by “SiegedSec” on the Republican Party-aligned think tank The Heritage Foundation. This conservative think tank was targeted due to its Project 2025 proposals, which aim to provide policy recommendations for Donald Trump should he win the upcoming election. The Heritage Foundation’s breach exposed names, email addresses, passwords, and usernames of individuals associated with the think tank, which illustrates the potential for reputational damage and loss of trust. Such incidents highlight the risks that politically engaged organizations face, providing an important case study for CISOs looking to fortify their organizations’ security in the run-up to the elections.
APTs often use phishing and spearphishing to gain unauthorized access to sensitive communications. To protect against these tactics, organizations are advised to deploy advanced email security solutions that use machine learning to detect and block phishing attempts. For enhanced protection, the security solution should also conduct threat simulations and red team exercises to identify and mitigate weaknesses. Security teams should provide contextual awareness training that incorporates real-world scenarios and recent case studies such as the Heritage Foundation breach. These measures will help enhance the security of sensitive data and communications, especially during critical periods such as elections.
Disinformation and Cyber Influence Operations
APT groups will likely employ disinformation and cyber influence operations to impact the election. Adversarial nation-state actors have previously conducted sophisticated disinformation campaigns across various platforms to spread false or misleading information. By flooding news spaces with conflicting narratives, they seek to confuse voters, polarize public discourse, and create mistrust and uncertainty.
APT groups use tactics like creating fake social media profiles, bot networks, and troll farms to disseminate false information rapidly and widely. They may establish fake websites to induce readers to trust and repost foreign disinformation that appears to originate from a domestic source. On September 4, 2024, the US government charged two employees of the Russian state media network Russia Today (RT). They were accused of using shell companies and fake personas to pay a Tennessee company $10 million to produce AI-generated videos aimed at amplifying political divisions in the US.
Adversarial countries may also use loosely affiliated hacktivist groups to carry out disinformation and influence operations, distancing themselves from direct involvement and complicating attribution.
Operation Doppelganger
In September 2024, the US government seized more than 30 domains it claimed were part of an ongoing, covert effort from Russia to influence the 2024 election and American public opinion. The domains were allegedly used to create fake local news websites and social media profiles to spread pro-Russia narratives. The disinformation campaign focused on candidates, voting, or hotly debated subjects in the US, such as immigration, crime, or the Gaza conflict.
Impact on Enterprises
During election periods, disinformation and cyber influence operations by APT groups can significantly impact businesses, especially those with government ties or politically sensitive roles. Such businesses can become collateral damage as false narratives erode public trust, create confusion among stakeholders, and polarize public discourse. For example, a business might be falsely portrayed as endorsing a controversial policy or candidate, leading to public backlash and a loss of customers.
These operations can exploit social media platforms to rapidly disseminate misleading information using fake profiles, bot networks, and troll farms to broaden their reach. A business could find its brand hijacked in fake news articles or manipulated social media posts, causing significant reputational damage.
ReliaQuest can provide substantial improvement in visibility and understanding of relevant threats. Through GreyMatter Digital Risk Protection (DRP), organizations can better identify, monitor, and mitigate cyber threats across digital channels. By continuously scanning the internet, dark web, and other sources, GreyMatter DRP enhances the visibility of potential brand abuse. The tool can monitor mentions of your organization in cybercriminal forums and identify suspicious activity related to your digital assets. This enhanced visibility allows for timely threat intelligence and proactive defense measures, thereby reducing the risk of being affected by disinformation and cyber influence operations.
Cyber Attacks on Critical Electoral Infrastructure
APT groups from adversarial countries will likely target systems involved in voter registration, vote tallying, and the reporting of election results. They may exploit vulnerabilities in outdated or poorly secured systems to gain access and deploy ransomware to lock down critical electoral infrastructure and significantly delay the voting process. For instance, in April 2024, a ransomware attack forced Coffee County, Georgia to sever its connection to the state’s voter registration system as a precautionary measure.
While a ransomware attack is highly unlikely to fully disrupt the 2024 US election, it could cause significant localized disruptions. Such attacks would have minimal impact on the nationwide election process, but threat actors may launch disinformation campaigns claiming that ransomware has compromised the entire election system to undermine public trust in the electoral process.
APT and loosely affiliated hacktivist groups will likely use DDoS attacks to overwhelm election websites and services, rendering them temporarily inaccessible to voters and officials. These groups may also use these attacks as a pretext to spread false narratives about the integrity of the election, further eroding public confidence. For example, after a successful DDoS attack, state-sponsored media outlets and social media bots could amplify claims of election disruption, regardless of the actual impact of the attack.
Impact on Enterprises
APT groups targeting electoral systems may compromise sensitive information, disrupt business operations, and cause financial and reputational damage. For instance, media outlets are vulnerable to DDoS attacks, which would hinder the dissemination of accurate election information and amplify false narratives. These attacks can temporarily disable websites and services, making it difficult for media organizations to provide real-time updates and reliable information during critical periods.
Ransomware, AI, and Election Integrity
Nation-state actors could use AI to manipulate voter behavior by analyzing social media and public sentiment, creating more effective disinformation campaigns. AI could simulate fake voting patterns to cause public confusion and uncertainty. Additionally, AI tools could automate the reconnaissance phase of cyberattacks, identifying and exploiting new vulnerabilities. This adaptability makes it harder for cybersecurity teams to counteract attacks, as AI-driven tools continuously evolve to overcome new defensive measures.
To mitigate these risks companies can seek to implement the following best practices:
- Implement a DDoS mitigation strategy: Utilize cloud-based services, content delivery networks (CDNs), or an anti-DDoS solution from a reputable provider to protect against traffic surges. Employ load balancers and web application firewalls (WAFs) with dynamic blocking based on rate-based rules to distribute traffic and mitigate DDoS attack risks.
- Enhance network security: Use proxies, dedicated Domain Name System (DNS) servers, and other services to restrict communication only to their respective ports or protocols. This approach helps to enhance network security by controlling the flow of data.
Cybercriminal Threats
Cybercriminal groups will likely exploit the 2024 US election period for financial gain, leveraging the increased public interest to launch scams and malicious campaigns. The heightened urgency and curiosity create an ideal environment for various tactics, including electoral-themed phishing attacks, SEO poisoning and drive-by downloads, and typosquatting domains running cryptocurrency scams. In contrast to the nation-state threats, these tactics pose a much more significant threat to businesses.
Expected Surge in Electoral-Themed Phishing Attacks
As the election draws near, businesses and individuals will likely see a significant increase in election-themed phishing emails. We anticipate cybercriminals will craft emails pretending to be from legitimate political campaigns, election authorities, or news outlets. These emails typically contain urgent calls to action like donation requests or critical voting procedure updates to deceive recipients into clicking malicious links or downloading harmful attachments. We have seen election-related customer incidents involving both traditional, external phishing with malicious links and using internal spearphishing to exploit trusted relationships within organizations.
Case Study: SocGholish Electoral Phishing Email Campaign
In July and August 2024, we investigated an extensive and coordinated election-related phishing campaign in which the email address moveon-help[at]list.moveon[.]org was identified in multiple true-positive phishing incidents. These attacks culminated in the deployment of the SocGholish remote access trojan (RAT) and represent a well-orchestrated effort by cybercriminals to exploit election-themed topics to infiltrate organizations in various sectors.
In one incident, a detection rule flagged an email titled “Will you sign the petition to demand that Fox News address and STOP racism and sexism in their election reporting against Kamala Harris NOW?,” sent by moveon-help[at]list.moveon[.]org and containing the suspicious URL hxxps://act.moveon[.]org/go/194643. The URL redirected to hxxps://www.higherheightsforamericapac[.]org/by-the-numbers/, a domain associated with SocGholish activity and known for hosting exploit kits and drive-by download content. Such domains were frequently used for political disinformation and malware distribution. Although firewall logs showed allowed traffic to the suspicious domain prior to the email’s delivery, ReliaQuest found no evidence of malicious downloads or activity typically linked with SocGholish domains. While our investigation did not reveal any signs of the customer’s account being compromised, this campaign underscores the persistent threat posed by election-themed phishing emails containing malicious URLs.
Cybercriminals are likely using election-themed phishing to target companies in multiple industries, recognizing the relevance and urgency of election-related content. By crafting emails that appear to come from legitimate sources and touch on sensitive political issues, adversaries increase the likelihood of recipients engaging with the malicious links, enhancing their chances of harvesting valuable information such as login credentials, personal data, and financial details. The consistent use of election-themed phishing emails across different sectors highlights the adaptability and persistence of cybercriminals in exploiting current events to achieve their malicious objectives.
Advancements in AI will likely enable cybercriminals to create more personalized and convincing phishing emails by analyzing user behavior, preferences, and social media activity. Advanced AI algorithms can generate realistic and contextually relevant content, mimicking the writing style and tone of legitimate sources such as electoral bodies or campaigns, making it harder for recipients to detect fraud.
Impact on Enterprises
Cybercriminals frequently use phishing emails to harvest credentials and gain unauthorized access to corporate networks and sensitive data. With legitimate account credentials in hand, attackers can infiltrate networks, steal confidential information, and disrupt operations. Phishing emails may also contain malware, which can spread throughout the corporate network. Our research indicates that phishing was the most prevalent initial access method used by threat actors to breach targeted networks in 2023, accounting for an astonishing 71.1% of all tactics, techniques, and procedures (TTPs) observed in true-positive incidents among ReliaQuest customers.
Threat actors might exploit InterPlanetary File System (IPFS) and dynamic web-app hosting to send electorally themed phishing emails to companies. By embedding fraudulent forms in HTML files on IPFS, attackers could use the distributed network to host malicious content that is accessible via IPFS gateways, potentially making scams harder to detect. Similarly, platforms like Cloudflare R2 might enable attackers to quickly deploy credential-harvesting pages that appear as legitimate election information portals. This combination of stealth and authenticity, along with cost-effective and scalable infrastructure, could help cybercriminals distribute phishing links and bypass security filters. These tactics might deceive employees into revealing sensitive information under the guise of election-related communications.
To mitigate these threats, we recommend implementing advanced email security measures like GreyMatter Phishing Analyzer, which can analyze suspicious emails, take automated remedial actions, and promptly alert your security operations team. In addition to this, we offer the following inexhaustive list of best practices, which would help organizations defend against electorally themed phishing emails:
- Monitor and control web access: Block access to lesser-known dynamic web application hosting domains like r2.dev or netlify.app if they are not essential for business operations. This limits the effectiveness of phishing attacks that utilize these platforms to host malicious content.
- Employ advanced threat detection: Configure detection systems to identify and flag emails containing URLs that match patterns typically used by IPFS gateways. To prevent phishing attacks leveraging this distributed network, consider blocking IPFS services entirely if they are not necessary for the organization.
- Implement MFA: Ensure all accounts use MFA for an additional layer of security, as this can significantly reduce the risk of unauthorized access even if credentials are compromised.
- Educate and train users: Regularly educate and train employees to recognize phishing attempts, particularly those related to current events or containing urgent keywords like “election,” “vote,” “results,” or the names of presidential candidates.
What ReliaQuest Is Doing
ReliaQuest’s Threat Research team continuously tracks phishing trends across cybercriminal forums and customer environments to stay ahead of emerging threats. To spot phishing emails, ReliaQuest offers detection rules that help defenders identify suspicious emails and take swift action to contain threats. Customizing these rules to fit your organization’s environment ensures higher accuracy and fewer false positives.
We also provide the containment and response playbooks for corresponding detection rules. These response playbooks can be executed automatically or manually to tackle threats like true-positive phishing incidents. By enabling GreyMatter automated response, you can significantly improve your mean time to contain (MTTC) threats, reducing the risk of a full-blown attack and ongoing compromise.
SEO Poisoning & Drive-by Downloads
Ahead of the 2024 US election, we expect a significant surge in SEO poisoning and drive-by downloads targeting individuals and organizations. Cybercriminals will exploit the heightened internet search traffic related to election news by optimizing malicious websites to appear in top search engine results. This SEO poisoning tactic lures users to visit fake or compromised sites where malware is automatically installed on systems in drive-by downloads without users’ knowledge.
Case Study: 2018 US Midterm Election
During the 2018 US midterm election, cybercriminals hacked over 10,000 websites, primarily by exploiting a WordPress vulnerability, to promote 15,000 different keywords. These compromised pages displayed different content based on the visitor. Search engine spiders saw optimized content to manipulate search results, while regular users were redirected through a series of links leading to scam sites, adult content, unwanted browser extensions, or exploit kits.
Impact on Enterprises
Employees searching for election-related information using corporate IT devices may exhibit less cautious user behavior, increasing the likelihood of clicking on malicious links and inadvertently downloading malware that harvests employee credentials. This could allow attackers to access an organization’s network, steal confidential information, and disrupt operations. Additionally, drive-by downloads can spread ransomware, leading to financial loss and reputational damage for the affected company.
Cybercriminals employ TTPs such as creating malicious websites that rank high in search engine results (SEO poisoning), embedding harmful code within seemingly legitimate files (like JavaScript, VBS, .ISO, .MSI, or .IMG), and using drive-by download techniques that automatically download and execute malware when users visit compromised sites.
To defend against SEO poisoning and drive-by downloads leading up to the US presidential election, we offer the following inexhaustive list of best practices:
- Create and implement application allow lists: Establish application allow lists to restrict the execution of unauthorized applications and reduce the risk of malware infections from SEO poisoning schemes.
- Block active content in browsers: Since SEO poisoning domains change rapidly, blocking active content within browsers can prevent redirections and lure overlays and minimize the risk of drive-by downloads.
- Modify group policy settings: Remove the default file association of JavaScript and VBS files with the Windows script interpreter wscript.exe through group policy changes to prevent the automatic execution of potentially malicious scripts.
What ReliaQuest Is Doing
Relying solely on detections to mitigate SEO poisoning is insufficient, as they are effective only for known malicious IP addresses, domains, or URLs. Threat actors rapidly create new malicious domains faster than detections can be developed, especially with the aid of AI, which allows for the automated generation and optimization of malicious sites. Given this dynamic threat landscape, a defense-in-depth strategy—implementing multiple layers of security measures to detect, prevent, and respond to threats—should be employed to provide comprehensive protection. Integrating the following rules can help enhance protection against known malicious sites.
- RQ- Emergency IP Threat IOC – Outbound: Communication from an internal host to a threat-associated IP address could indicate the host is compromised and part of a known threat campaign. This alert detects any traffic to IP addresses on the Emergency IP Threat IOC list.
- RQ- Emergency Domain Threat IOC: Communication from an internal host to a threat-associated IP address could indicate the host is compromised and part of a known threat campaign. This alert detects any traffic to IP addresses on the Emergency Domain Threat IOC list.
- RQ- Emergency URL Threat IOC: Detects any communications from an internal host to a URL associated with the threat, as communication could indicate the internal source is compromised as part of a threat campaign.
Threat Hunting Packages
Customers can also leverage GreyMatter Hunt Packages to proactively identify potential threats and, in turn, enhance their overall security posture. To mitigate against SEO poisoning or drive-by-download attacks, customers should use the Web Proxy Hunt Package to actively monitor web proxy traffic for sites classified as Malware, Phishing, or newly registered domains—categories often associated with compromised or malicious sites involved in such attacks. By analyzing web proxy logs, organizations can baseline normal web activity and identify anomalies indicative of command-and-control (C2) communication, malware downloads, or data exfiltration. This enables security teams to detect and respond to threats more effectively. Additionally, customers can use insights gained from hunts to adjust their security controls, such as automatically blocking access to high-risk websites, thereby improving overall security posture and hygiene.
For faster remediation, the following automated responses can swiftly contain or block malicious activity from drive-by downloads. For example, if an employee clicks a malicious link related to the 2024 US election, triggering a drive-by download, GreyMatter detects the threat and initiates several plays. These plays can block malicious IP addresses, domains, and URLs across all networks and isolate the affected host, restricting its communications to the technology console to prevent further spread.
Increase in Typosquatting Domains Running Crypto Scams
Using our GreyMatter DRP platform, we detected over 500 typosquatting domains related to Kamala Harris and Donald Trump ahead of the 2024 US election. Many of these domains impersonate official websites and host cryptocurrency scams. Open-source research also revealed numerous other election-related typosquatting domains, some of which warrant deeper investigation.
Cybercriminals register domains with slight misspellings or variations of legitimate election-related websites to deceive users into visiting these fraudulent sites. Once on these sites, users might be lured into fake cryptocurrency donation requests, prompting them to enter sensitive information such as wallet keys or personal details. This threat is particularly critical for the Trump campaign, which accepts cryptocurrency donations via Coinbase Payments. However, we found that cybercriminals have set up mirror websites that mimic the donation pages on the legitimate campaign site, with many direct impersonations of campaign resources.
For example, doonaldjtrump[.]com [see Figure 2] mirrors almost exactly the actual Trump campaign page [see Figure 1] in content and design. However, while the legitimate Donald Trump campaign site redirects to a legitimate CoinBase website for donations, the impersonating website leads users to a fraudulent domain: hxxps://pay[.]coingaete.com.
Figure 1: Real Donald Trump campaign donation page
Figure 2: Fake Donald Trump campaign donation page
Although the Kamala Harris campaign does not accept cryptocurrency donations, cybercriminals have still created relatively convincing cryptocurrency scam pages to deceive users who are unaware of this fact. For instance, the fraudulent domain hxxps://kamaladharris[.]xyz [see Figure 3] uses urgent language to pressure users into donating.
Figure 3: Fake Kamala Harris campaign donation page
Impact on Enterprises
The proliferation of typosquatting domains related to Kamala Harris and Donald Trump campaigns ahead of the 2024 US election will likely pose a risk for certain sectors. For instance, companies involved in political campaigns, government contractors, and financial institutions are at heightened risk. These fraudulent domains impersonate official websites and host cryptocurrency scams, deceiving users into entering sensitive information, potentially leading to data breaches and financial losses.
For political campaign organizations and government contractors, the dual threat is significant: employees might inadvertently visit these sites, compromising sensitive campaign data or government-related information. Additionally, these sectors are prime targets for cybercriminals who can set up mirror websites mimicking legitimate campaign donation pages, diverting funds and eroding public trust in online transactions.
Given the heightened threat of typosquatting websites, where victims may unknowingly enter sensitive information such as financial details or credentials, organizations in the sectors should prioritize educating employees on the tactics used in electorally themed typosquatting and phishing scams. Regularly conducting simulated phishing exercises that replicate these specific threats can help employees better recognize and respond to suspicious emails and websites, thereby reducing the likelihood of accidental data breaches.
What ReliaQuest Is Doing
Like SEO poisoning and drive-by downloads, a defense-in-depth strategy is the most effective approach to protecting corporate networks from cryptocurrency scams. This strategy involves establishing multiple layers of security measures, ensuring that if one layer is breached, others will still provide protection. If corporate credentials are harvested using a credential stealer, robust detection mechanisms are crucial. ReliaQuest offers detection rules to identify and mitigate the abuse of stolen credentials. These rules detect unusual activity, such as remote logins from high-risk countries or multiple logins from different locations in a short time, signaling potential credential compromise.
When combined with automated response organizations can rapidly contain or block malicious activity. Leveraging AI and automation, these automated response playbooks make intelligent recommendations and execute actions across multiple security tools with one click, improving MTTC and minimizing potential damage.
Conclusion
As the 2024 US election approaches, we anticipate increased activity from nation-state threat actors and cybercriminals exploiting heightened public interest. While nation-state groups will almost certainly target the US government, companies with government contracts may also be at risk due to their likely access to sensitive data related to government agencies or electoral candidates. Meanwhile, non-state–affiliated cybercriminals are also likely to capitalize on this period to target individuals and organizations using methods such as SEO poisoning and typosquatting for financial gain. Therefore, it is crucial for organizations to maintain a robust security operations program to significantly reduce their risk of compromise and safeguard their sensitive information and critical assets.