Guarding Democracy: Assessing Cyber Threats to 2024 Worldwide Elections

Sekoia.io's analysis of cyber threats to the 2024 elections identifies four categories of operation used in cyber campaigns against elections: hack-and-leak, information and cyber influence campaigns, cyber disruption of the voting process, and lucrative (financially motivated) campaigns that affect electoral processes as a side effect. It predicts that influence campaigns will be the most common category in 2024, names the US presidential election, the European Parliament elections, Moldova's presidential election and EU referendum, and India's parliamentary elections as likely targets, and singles out Moldova as the election most exposed to disruption of voting itself. #DCLeaks #MacronLeaks #RussianMilitaryIntelligence #SekoiaIo #Elections2024

Keypoints

  • Electoral events in 2024 are viewed as strategic targets due to their potential geopolitical impact.
  • Sekoia.io categorizes cyber threat operations into four types: hack-and-leak, information/cyber influence campaigns, cyber disruption of voting, and lucrative campaigns affecting elections.
  • Hack-and-leak involves long-term intrusions aimed at harvesting compromising documents to undermine candidates, with DCLeaks and MacronLeaks cited as the principal examples from 2016–2017.
  • Information and cyber influence campaigns are now more common than hack-and-leak because they require less sophisticated intrusions while remaining effective.
  • Cyber disruption of the voting process is possible but historically not frequently successful, though its impact could be politically significant for certain elections (e.g., Moldova).
  • Lucrative cybercrime campaigns have affected electoral processes in some cases, even when the intent isn’t to alter outcomes.
  • Predicted 2024 targets include the US presidential election, the European Parliament elections, Moldova’s presidential election together with an EU referendum, and India’s parliamentary elections, with influence campaigns expected to dominate the threat landscape in most cases.

MITRE Techniques

  • [T1041] Exfiltration Over C2 Channel (Exfiltration tactic) – Hack-and-leak operations involve a long-term intrusion to exfiltrate compromising documents, which are then published to undermine a candidate. ‘Hack-and-leak operations involve planning a long-term cyber intrusion looking for compromising documents published to fuel narrative undermining a candidate.’
  • [T1083] File and Directory Discovery – Long-term intrusions are described as seeking compromising documents to fuel political narratives, implying discovery of target files and information.
  • [T1583] Acquire Infrastructure – Information and cyber influence campaigns are described as often not requiring sophisticated cyber intrusion, suggesting use of readily available or easily established infrastructure for campaigns. ‘Information and cyber influence campaigns are nowadays more likely to be used than hack-and-leak… as they do not require sophisticated cyber intrusion yet are still efficient.’
  • [T1566] Phishing – The source does not name phishing explicitly; this mapping is inferred from its statement that influence campaigns achieve their effect without sophisticated intrusion, for which low-barrier initial access such as phishing is the typical route. ‘Cyber influence campaigns… do not require sophisticated cyber intrusion yet are still efficient.’

Indicators of Compromise

  • [IOC Type] None mentioned – N/A

Read more: https://blog.sekoia.io/guarding-democracy-assessing-cyber-threats-to-2024-worldwide-elections/