2024 US Presidential Election Cyber Intrusion: Part 3 - Hostile Nation State Actors

Part 3 of a series that will analyze critical cyber security aspects during the countdown to the 2024 US Presidential Election, beginning with Covert Influence Operations, then Nation State Threat Actors, Hacktivism and Cybercrime.


The upcoming US Presidential Election is facing a range of cyber security challenges from nations that oppose the democratic foundation of the Western world.

Based on the ever-evolving nature of this cyber threat landscape, the election period will attract a complex theatre of nation state-level cyber activity involving the deployment of intrusive attack vectors, influence campaigns and hybrid threats combining both methods.

Iran

Based on the highly unstable foreign affairs climate between the US and Iran, several Tehran-aligned threat groups will likely seek to compromise the 2024 US Presidential Election.

Firstly, domains have already started to impersonate US media organisations and think tanks, demonstrating overlaps with the malicious infrastructure of Mint Sandstorm - a state-level hacker unit that has demonstrated persistent attacks against Western governments and organisations that deal with Iranian sanctions. These infrastructural similarities relate to naming and registration patterns that are likely designed for credential harvesting attacks.

What should be noted is that Mint Sandstorm has a track record of interfering with the US political arena - the unit attempted to compromise the 2020 US election by targeting email accounts belonging to US presidential campaign staff. This trend has not changed: throughout the past six months, Mint Sandstorm has already launched credential phishing attempts against email accounts of individuals linked with President Joe Biden and former President Donald Trump, as well as current and former US government officials, including Vice President and Democratic Party front-runner Kamala Harris. The disclosure of this intelligence was soon followed by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) releasing a joint statement on August 19th, 2024, attributing the recent cyber-attack aimed at the campaign of former President Donald Trump to hostile Iranian actors.

Next up, we have UNC2448, an Iranian state-level cyber force that has an extensive history of exploiting zero-day security flaws to compromise Western political establishments. Notable to the US Presidential Election is that individual actors operating within this state hacking group have previously been indicted for launching ransomware attacks against US organisations, as well as for exploiting the Log4Shell vulnerability (CVE-2021-44228) to compromise a Federal Civilian Executive Branch (FCEB) organization in 2022.

Finally, CISA also disclosed that the Iranian activity group tracked as Lemon Sandstorm targeted US federal agencies in 2020 by exploiting VPN vulnerabilities and installing web shells. The group also targeted the 2020 US election by targeting a US city website used to report election results, an incident that was reported by the head of US Cyber Command's Cyber National Mission Force.

More recently, the FBI disclosed that these state hackers have continued to operate in the interests of the Iranian government by collaborating with ransomware gangs to target critical infrastructure providers in the US, forming alliances with high-profile Russian ransomware actors in exchange for a cut of the ransom payments. This collaboration likely reflects the growing strategic cooperation between the Russian Federation and the Iranian regime, as both states continue to be heavily sanctioned by Western governments in response to their involvement in international conflicts and nuclear developments.

As a result, we have assessed that Iranian hackers will likely incorporate the finance sector into these operations, with the aggressiveness of these attacks likely to be shaped by the outcome of the upcoming US Presidential Election.

For instance, a Republican Party victory in November will cause Iran to come under increased financial strain, with Donald Trump likely to continue to enforce economic sanctions against Tehran relating to the Joint Comprehensive Plan of Action, the Iranian nuclear deal signed in 2015.

Russia

A combination of disruptive and influence operations will likely be the foundation of Russia's cyber targeting of the 2024 US Presidential Election, reflecting its "information confrontation doctrine," which combines reconnaissance and disruptive efforts with follow-up psychological operations.

We have observed the implementation of this three-stage protocol in previous campaigns, where Moscow state actors have engaged in data theft from target systems, deployed their notorious wiper malware strains, and then advertised the success of their operations by providing evidence of compromise through social media avenues such as Telegram.

Below is an overview of the Russian cyber units that will likely target the upcoming election with high capability and hostile intent, both directly and indirectly. All of the cyber groups mentioned will likely ramp up the aggressiveness of their efforts as we get closer to November 5th, in retaliation for the US Department of Justice recently indicting individual hackers that were operating under the direction of Unit 29155 of the Russian General Staff Main Intelligence Directorate (also known as the GRU).

The first threat is Seashell Blizzard, a high-impact Russian military intelligence asset that previously attempted to interfere with the US Presidential Election back in 2016. Linked with Russia's GRU military intelligence branch, we have assessed that the threat posed by the unit has recently been heightened due to likely collaborative efforts with the recently created "Cyber Army of Russia Reborn" hacktivist persona, allowing for a hybrid approach of disruptive efforts with agile espionage.

Secondly, the Russian state-backed Forest Blizzard will also likely target the election, with the primary objective of the threat unit being to collect intelligence against global targets in support of Russian foreign policy initiatives. This Russian military intelligence activity group has previously engaged in sustained efforts to hack into the computer networks of the Democratic Congressional Campaign Committee, the Democratic National Committee, and the presidential campaign, as well as orchestrating a leak campaign under the "DC Leaks" persona back in 2016.

And finally, Midnight Blizzard likely has hostile intent to interfere with the 2024 election, with the activity group having previously compromised the Democratic National Committee (DNC) ahead of the 2016 US election. The activity group's campaigns against this year's US election will likely spill over into the US technology sector, with the group having previously compromised US technology companies and IT service providers to facilitate third-party compromises of government and policy organisations.

China

Chinese offensive efforts leading up to the election will likely involve Beijing state actors using a suite of cyber weapons to scan the country's networks for security vulnerabilities, access target systems and extract sensitive data. Operations will involve a combination of espionage and influence campaigns to gather intelligence on the dynamics of US politics and to sow discord amongst US citizens.

The PRC will also likely launch aggressive social media disinformation operations against US businesses and government officials to shape the global information domain in favour of Chinese interests and to portray the US electoral system as chaotic and dysfunctional.

Highlighted below is an overview of the Chinese nation-state hackers that will likely focus on the upcoming US Presidential election:

Firstly, Brass Typhoon poses a significant threat to both the Democratic and Republican parties. This is based on the unit's track record of conducting widespread vulnerability exploitation that compromised US government entities ahead of the 2020 and 2022 US election proceedings. High-ranking US election officials should be particularly vigilant to Brass Typhoon operations, as the group is known to create fake profiles to engage in dialogue with high-profile entities in order to harvest information such as personal or work email addresses.

Violet Typhoon will also likely be a factor, with the Chinese state group having a track record of nation-state activity focusing on former government personnel and think tanks in the US. Notable to the 2024 US Presidential Election is that the hacker unit has demonstrated hostile intent to compromise the US democratic process by conducting phishing operations against US journalists focusing on politics and national security matters. The cyber unit also targeted President Biden's campaign staff during the 2020 US election process, an event that was followed up in a March 2024 indictment, in which the US Department of Justice disclosed that election campaign staff from both the Democratic and Republican parties were targeted throughout this period.

TO BE CONTINUED

Craig Watt is a Threat Intelligence Consultant at Quorum Cyber specializing in strategic and geopolitical intelligence.

Image: gguy44
