State-backed Russian, Chinese and Iranian hackers have been active during the 2024 US campaign season, compromising digital accounts associated with political campaigns, spreading disinformation and investigating election systems. But in a report in early October, the threat sharing and coordination group known as Election Infrastructure ISAC warned that cybercriminals, such as ransomware attackers, pose a much greater risk of launching disruptive attacks than foreign espionage actors.
While state-backed actors were emboldened by Russia’s meddling in the 2016 US presidential election, the report notes that they favor intelligence gathering and influence operations over disruptive attacks, which would be seen as direct hostility against the American government. On the other hand, ideologically and financially motivated actors generally aim to cause disruption with hacks such as ransomware or DDoS attacks.
The document was first obtained by national security transparency nonprofit Property of the People and viewed by WIRED. The U.S. Department of Homeland Security, which contributed to the report and distributed it, did not respond to WIRED’s requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.
“Since the 2022 midterm elections, financially and ideologically motivated cybercriminals have attacked the networks of US state and local government entities that manage or support electoral processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial of service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality, but did not compromise the integrity of voting processes. …Cyber actors affiliated with nation-states have not attempted to disrupt US electoral infrastructure, despite conducting reconnaissance and occasionally acquiring access to non-electoral infrastructure.”
According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were failed attempts by unknown actors. Two percent were failed attempts by known actors and 3 percent were successful attempts to “gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state and federal authorities helps prevent breaches and mitigate the consequences of successful attacks.
In general, government-backed hackers can stoke geopolitical tension by engaging in particularly aggressive digital espionage, but their activity is not inherently escalatory as long as they respect espionage rules. Criminal hackers are not subject to such restrictions, although they may attract too much attention if their attacks are too disruptive, and they risk being cracked down on by authorities.