In a joint advisory issued on September 18, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) reported that Iranian actors have increased their activity attempting to influence the 2024 US election by sending information stolen from the Trump campaign to Democratic Party officials.
Trustwave SpiderLabs has been tracking how outside groups are attempting to influence the election and notes the basic security practices that work to secure any organization can work for political organizations.
"Iranian malicious cyber actors in late June and early July sent unsolicited emails to individuals then associated with President Biden's campaign that contained an excerpt taken from stolen, non-public material from former President Trump's campaign as text in the emails," the advisory said. "There is currently no information indicating those recipients replied. Furthermore, Iranian malicious cyber actors have continued their efforts since June to send stolen, non-public material associated with former President Trump's campaign to U.S. media organizations."
Trustwave SpiderLabs Vice President of Security Research, Ziv Mador, noted that the theft of campaign materials is not unique, but it is rare. Mador pointed to incidents that occurred in 2005 to 2014 in Latin America as one example of hackers being used to push an election in a specific direction.
"Along with a growing interest in the results of the elections in major democracies, the US presidential election being the most prominent right now, foreign nations are using multiple techniques to increase their level of interference," Mador said. "Luckily, even though they are carried out by relatively sophisticated actors, normal cybersecurity measures can be effective in minimizing the risk of successful breaches."
"Campaigns can protect their servers and content using normal security measures such as multifactor authentication, database security, encryption email security protocols, and teaching employees and volunteers to not click on phishing," Mador said. "Trustwave would also suggest requiring strong passwords for everyone with access to campaign materials, meticulously patching systems and proper security training."
However, the new Iranian activity goes beyond a recent ODNI, FBI, and CISA warning regarding actions by Iran, Russia, and China that have been taking place to impact the US election. Previous Iranian activity, according to the ODNI, was less direct, with Iran using its vast webs of online personas and propaganda mills to spread disinformation and has notably been active in exacerbating tensions over the Israel-Gaza conflict. These include extensive networks of digital personas and propaganda operations and have been particularly active in heightening tensions surrounding the Israel-Gaza situation.
Iran is not a newcomer to election interference. Earlier this year, the same federal agencies, and Microsoft's Threat Analysis Center (MTAC) noted that Iranian cyber-enabled influence operations have been consistent in the last three US election cycles. In a recent blog,Trustwave SpiderLabs Senior Consultant Jose Luis Riveros discussed how historically Iran's operations differ from Russian campaigns.
Riveros noted they tend to appear later in the election season and employ cyberattacks geared more toward election conduct than swaying voters. Iranian actors are expected to employ cyberattacks against institutions and candidates, MTAC reported, while simultaneously intensifying their efforts to amplify existing divisive issues within the US, like racial tensions, economic disparities, and gender-related issues.
In a recent report, Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media, Trustwave SpiderLabs Senior Security Researcher Jose Tozo went into detail discussing the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools.
Influence operations and Coordinated Inauthentic Behavior (CIB) involve the strategic use of fake social media profiles and impersonated news outlets to manipulate perceptions, behaviors, and decisions. These tactics, which can be legal or illegal, often include various forms of disinformation or manipulation.
Actors seeking influence have several tools at hand to not only create content, but to build a case that it is legitimate. These include:
CIB is also playing a role in attempting to influence the election. Trustwave SpiderLabs noted that in Meta's Q2 2024 report, one of the six CIBs mentioned was a covert influence operation leveraging social media to spread political propaganda under the guise of the Patriots Run Project (PRP). The operation has created 96 Facebook accounts, 16 pages, 12 groups, and three Instagram accounts. In addition to several domains including "patriotsrunproject[.]com." an X presence through "PRPNational" has been constructed. The accounts originated in Bangladesh and were used to craft a false narrative of widespread support for PRP, which claimed to be a political advocacy group with chapters in several US states.
To enhance the legitimacy of these accounts, operators used AI to create profile pictures, which were later replaced with more personalized images effectively employing the astroturf technique.
These fictitious personas pretended to reside in key US states such as Arizona and Michigan, sharing content that blended local interests, like sports and restaurant check-ins, with political memes. The PRP campaign also utilized these fake accounts to amplify content, spending about $50,000 on Facebook ads and attracting thousands of followers and group members across its assets.
The campaign effectively evaded detection by copying authentic social media posts and maintaining operational security through proxy IPs while spreading negative content about specific individuals and institutions.
Threat actors are, as expected, using the election, political themes, and candidate names as part of their social engineering practices to convince recipients to open their emails, according to another Trustwave SpiderLabs report. Emails that are not intended to sway a vote, but to steal information from the recipient.
In two –months of monitoring of SEG Cloud and Spam Traps, Trustwave SpiderLabs has spotted more than 11,000 spam messages that mention the name or political parties of the candidates as part of their lure. As July passed, the amount of spam increased and eventually reached its peak.
Former President and Republican presidential candidate Donald Trump is the most used name in the subject lines of these spam mails – with 29%. He is followed by the Incumbent VP and Democratic candidate Kamala Harris with 5.7%.
Safeguarding the US election from cyber threats is crucial to protecting the integrity of the democratic process. The recent advisory from the ODNI, FBI, and CISA highlighting Iranian cyber activity underscores the need for robust cybersecurity measures within political organizations. By adopting basic security practices such as multifactor authentication, database security, encryption protocols, and employee training, campaigns can significantly reduce the risk of cyber breaches.