Foreign cyber threats to the 2020 US presidential election

Austin Merritt
October 27, 2020 | 12 Min Read

In 2016, Russian nation-state-linked threat actors infamously compromised the Democratic National Convention (DNC), wedging a divide in the political party by leaking internal emails to Wikileaks that suggested the convention was rigged in favor of one candidate. It was later discovered that the Russia-based cybercriminals infiltrated the DNC’s networks unnoticed as early as March 2016, months before the actual convention. The DNC compromise was just the tip of the iceberg, and the social media disinformation campaign that came in its wake set out to further divide the country along ideological lines. Although this campaign’s effectiveness is still debatable today, the elaborate scheme sounded like it came straight out of a Tom Clancy novel.

With the news cycle primarily dominated by the COVID-19 global pandemic, you might have missed the news that foreign actors are trying to undermine the American election process in 2020, as they did in 2016. Although we might have short-term memories from this year’s roller-coaster news cycle, it should come as no surprise that the United States is, once again, the target of foreign interference in a highly contested election year. With just seven days to the election, attempts to undermine American democracy have already emerged from different corners of the world, and intelligence officials have warned there could be more to come. 

Although we cannot corroborate reports surfacing on attempts at election interference in 2020, in this blog, we wanted to expand on four key takeaways:

  1. The Russian state is one of the most successful operators when it comes to conducting disinformation campaigns, and the well-trained cybercriminals operating on their behalf have already conducted influence operations in 2020. 
  2. In the run-up to the US presidential elections, US government officials have claimed that Iran intends to undermine US democratic institutions and divide the country. It seems that Iranian cybercriminals are likely focusing on online influence operations by leveraging social media disinformation campaigns and promoting anti-American content.
  3. The People’s Republic of China has attempted to sway public opinion through compromised Twitter and YouTube accounts, which were used to spread geopolitical narratives favorable to the Communist Party of China (CCP) and highlight controversial current events in the US.
  4. Intelligence officials have warned that foreign adversaries’ attacks tend to favor the presidential candidate that may better serve their national interests or foreign policy. Threat actors have attempted to further their agenda by conducting cyberattacks, and while not all attempts have been successful, they demonstrate intent to disrupt and influence the election.

A note on disinformation

Before we jump into the nitty-gritty of our analysis on disinformation campaigns and cyber threats affecting the 2020 US election, we want to make sure that we’re all on the same page when distinguishing disinformation from misinformation. 

Misinformation includes all information that’s wrong – from seemingly harmless errors like a mislabeled graph to more insidious and untrue rumors like washing your hands is bad for your immune system. Disinformation is the intentional manipulation of information to exert influence over you, often with false or deliberately misleading information snippets to introduce confusion, reinforce stereotypes, or inflame fears.

The Russian state continues to run sophisticated disinformation campaigns

The Russian state is among the most successful operators of disinformation campaigns. Russia’s attempts at broader political influence overseas have been facilitated by its use of state-owned traditional media, bots, “hack and leak” operations, and cooperation between organized crime groups and Russian government agencies. In other words, it’s an orchestrated operation that seems to operate without boundaries, and its lead conspirators revel in attempts at subverting American democracy. Operations uncovered by US and UK intelligence communities can be linked to Russia’s Foreign Intelligence Service (SVR) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), two institutions that have a history of anti-democratic actions. However, it’s the well-trained, sophisticated cybercriminals operating on their behalf that push the disinformation we might encounter in our social media feeds.

For Russian cybercriminals, stoking division in the US seems to be the preferred tactic in 2020, and while it was also part of the “Russian playbook” in 2016, political divisions now seem to have surpassed those of 2016. These trolls’ disinformation campaigns try to establish authenticity by creating blogs, news stories, and social media accounts and groups that unsuspecting users might gravitate towards. By using popular social media platforms and targeting micro-communities that share common ideologies, disinformation can quickly go viral.

Peace Data pushed stories that were either misconstrued or completely false

Russia’s Internet Research Agency (IRA), which allegedly takes its direction from the Kremlin, has been primarily responsible for this interconnected “carousel of lies,” as one former member of the IRA described it. In many cases, the fake news stories they spread are more appealing to Americans due to pop culture references, pictures, and cartoons. In September 2020, it was reported that Facebook had taken down groups and accounts that were affiliated with the deceptive news organization, Peace Data, but not before hundreds of stories were shared on Facebook. At its height, Peace Data was known for pushing far-left stories that were either misconstrued or completely false. According to the FBI, people formerly associated with the IRA were responsible for spreading this disinformation. Adding insult to injury, the trolls responsible managed to fool American freelance journalists into writing stories for Peace Data, unknowingly pushing a Russian agenda to divide Americans further.

Figure 1: Peace Data articles promoted by Russian cybercriminals

QAnon found ways to propagate false information and attract followers

Although social media companies have taken down groups and articles spreading disinformation, organizations such as QAnon, a far-right conspiracy group, have found ways to propagate false information and attract many followers. Twitter announced they had taken down “the worst” QAnon accounts in July 2020, but by some estimates, more than 93,000 QAnon-related accounts remain on Twitter. It wasn’t until October that Facebook and YouTube announced bans on QAnon content. Still, before tech giants attempted to suppress the disinformation, Russian cybercriminals were hard at work, helping to push QAnon conspiracy theories. They used the conspiracies to help fit their narrative of “the US is falling apart, look how much division there is.” Twitter accounts that could be traced to Russia’s IRA reportedly sent a high volume of tweets tagged with #QAnon, and helped propagate misleading or false narratives related to child trafficking and COVID-19, among others. Russian government-backed media outlets, such as RT and Sputnik, also increased coverage of QAnon. If the disinformation wasn’t alarming enough, the QAnon movement prompted the FBI director to designate QAnon as a domestic terror threat due to its potential to “incite extremist violence.”

Figure 2: Misleading information on COVID-19 from a QAnon Facebook group

Iran ramps up incendiary disinformation

It’s not just Russia that is capitalizing on the run-up to the US elections. According to William Evanina, the United States National Counterintelligence and Security Center (NCSC) Director, “Iran seeks to undermine US democratic institutions and divide the country in advance of the 2020 elections”. He even named Iran as a “top three” threat to the election. Iranian cybercriminals are likely focusing on online influence operations, including social media disinformation campaigns and promulgating anti-American content. These operations were evident in a report issued by the United States Department of Justice (DOJ) in early October, confirming that Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted the US from multiple separate domains with Iranian propaganda to influence US domestic and foreign policy. One of the domains, newsstand7[.]com, used the slogan “Awareness Made America Great” and published articles relating to US President Donald Trump, the Black Lives Matter movement, US unemployment, COVID-19, and police brutality.

Figure 3: The website newsstand7.com was propagating disinformation from the IRGC

The People’s Republic of China attempts to sway public opinion through compromised accounts

Cyber threat actors linked to the People’s Republic of China (PRC) have made quite a lot of noise in recent years, and 2020 is no different. Earlier this year, cybersecurity teams at Twitter and Google observed a broad campaign from Chinese cybercriminals that overlapped on several social media platforms, primarily Twitter and YouTube. On Twitter, the compromised accounts spread geopolitical narratives favorable to the Communist Party of China (CCP) and pushed reports about the political dynamics in Hong Kong. On YouTube, threat actors acquired or hijacked existing accounts and posted spam content, some of it harmless content about animals, music, or food. However, the content on many of the compromised accounts pushed narratives similar to those on the Twitter accounts, and it highlighted controversial current events in the US, including protests, the wildfires on the west coast, and COVID-19. Fortunately, the social media platforms’ aggressive approach minimized the impact by removing the accounts while they still had few followers and low engagement. The campaign demonstrated how sophisticated foreign actors might take an unconventional approach to swaying public opinion with disinformation: hijacking seemingly legitimate accounts instead of creating their own.

Figure 4: Examples of videos removed from YouTube

Political campaigns are under fire

Intelligence officials have warned that foreign adversaries have an agenda that one presidential candidate may better serve in terms of foreign policy. That is why one tactic in the playbook of nation-state actors is hack and leak operations, which may explain the targeting of the Joe Biden and Donald Trump presidential campaigns. State actors have been observed sending spearphishing emails to the respective campaigns’ employees, attempting to access internal networks and confidential information. It was observed that Russia’s “Fancy Bear” (aka APT28) attacked more than 200 organizations, including political campaigns, advocacy groups, parties, and political consultants. “Judgement Panda” (aka APT31), a Chinese state-associated APT group, attacked email accounts of some high-profile individuals from the Democratic (Joe Biden) campaign, and “Charming Kitten” (aka APT35), an Iranian state-associated APT group, made multiple attempts to attack the personal accounts of individuals associated with the Republican (Donald Trump) campaign. While not all attempts were successful, these attacks demonstrate intent to disrupt and influence the democratic process. Information obtained can be used in future disinformation campaigns, credential stuffing attacks, extortion attacks, or phishing attacks. Of course, it’s very difficult to establish whether these operations could influence any individual outcome of the election, but they could possibly achieve broad objectives around creating an atmosphere of distrust or otherwise fracturing society. This scenario raises the question: are we on the cusp of a late-October or early-November bombshell report built on information obtained during a hack and leak operation? Only time will tell.

What happens next?

There is a serious concern about the development of cyberattacks and ransomware campaigns that may seek to target networks and machines critical to running US elections, particularly since nation-state attackers have already conducted surveillance operations on infrastructure that could impact the day of the US election. The US government considers ransomware a top threat to the US 2020 elections, as attacks can hold voter information and election results hostage, impacting election systems. A ransomware attack could deny access to voter registration data, election results, and other sensitive information. It could also inhibit access to essential election systems during critical operational periods, such as the date of the election, November 3rd. To highlight the importance of necessary safeguards for the election, the NCSC listed at least 18 different needs to be addressed for election security.

Figure 4: Potential attack vectors for cybercriminals to exploit (Source: Belfer Center)

So what happens when disinformation and legitimate concerns of cyberattacks join forces? In the coming days and weeks, foreign disinformation campaigns may attempt to play on voters’ fear, uncertainty, and doubt (FUD). Due to the COVID-19 pandemic, more Americans are voting via mail-in ballots and absentee ballots than ever before. As a result, by some experts’ predictions, the election results may remain unknown for days or even weeks. Why does this matter? According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), threat actors could exploit incomplete results on the evening of the election by spreading false claims about voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems, all intended to convince the public of the election’s illegitimacy. This possibility prompted CISA to issue consecutive alerts in September 2020, urging the American people to critically evaluate election information sources during and after the election. CISA also warned that malicious actors could use online platforms to falsely suggest that successful cyber operations have compromised election infrastructure and facilitated the “hacking” and “leaking” of US voter registration data.

Final thoughts

If you’re anything like me, maybe you’ll do your best to tune out social media until the election is over, however difficult that may be. I think we’ve all done enough “doom scrolling” (the tendency to continue to surf or scroll through bad news) in 2020 for one lifetime. Plus, do you want to be the person who shares an article created by a cybercriminal in Moscow? Of course not. Instead, you’d probably like to expose your crazy Uncle Bob at a holiday dinner for his outlandish conspiracy theories. But if you do continue to doom scroll right into November 3rd, remember that your state and local election officials are the best sources of accurate information. 

Whoever your candidate is, go vote in 2020, and be safe out there. 
