In democratic societies, elections are the mechanism for choosing
heads of state and policymakers. There are strong incentives for
adversary nations to understand the intentions and preferences of the
people and parties that will shape a country's future path and to
reduce uncertainty about likely winners. Mandiant
Intelligence regularly observes cyber espionage operations we
believe to be seeking election-related information targeting
governments, civil society, media, and technology organizations around
the globe. We have also seen disruptive and destructive cyber attacks
and propaganda campaigns seeking to undermine targeted governments and
influence the outcomes of electoral contests.
The 2020 U.S. elections are currently drawing attention to election
cyber risks, but 2020 has already hosted dozens of elections
worldwide, with more to come. In the Asia-Pacific region these
included elections in Taiwan, India, South Korea, and Singapore to
name a few, with regional elections scheduled for Indonesia in December.
Given the prevalence of such activity worldwide and Mandiant's
unique visibility into threat actor activity, we believe it is
worthwhile to examine trends in adversary targeting of elections in a
variety of regional contexts because the tactics, techniques, and
procedures (TTPs) used in one region today may soon be deployed or
mimicked in other regions.
Mandiant Threat Intelligence tracked numerous elections-related
incidents in the Asia-Pacific region in recent years. During this
time, the most prolific regional actor was China, which we observed in
more than 20 elections-related campaigns most frequently affecting
Hong Kong and Taiwan. We believe that China's primary motives for
elections targeting includes monitoring political developments,
internal stability, and supporting Belt and Road Initiative (BRI) investments.
Examples of Chinese cyber espionage targeting electoral support
organizations include:
Specifically, Mandiant has observed multiple instances in which
organizations such as electoral boards and commissions that support or
help administer elections have been targeted. Both Russian and Chinese
cyber espionage operations have targeted election administrators and
government officials since at least 2014. Observed TTPs include
phishing and strategic website compromise (SWC), also known as
watering hole attacks.
For example, in the November 2019 activity targeting Hong Kong
(previously referenced), Mandiant Threat Intelligence believes that
candidates or related staff associated with the Hong Kong District
Council elections were targeted with a malicious macro document just
prior to the elections based on geolocation information, the
spear-phishing lure, and other data.
Figure 1: Decoy content from phishing email
As our readers will know, Mandiant takes a specific approach to
deconstructing attacks against elections, which we detailed in a
blog post.
Our approach examines threats through the lens of risk posed at
various levels of the elections ecosystem. We break the elections
threat landscape into distinct attack surfaces to better allow our
customers and partners to take action. These include the following:
Figure 2: Attack surfaces associated with
the electoral process
Using our ecosystem taxonomy, based on activity observed from 2016
to 2019, Mandiant Threat Intelligence assesses that actors
concentrated on "platforms affecting public opinion" much
more often than "core election systems" such as voting
machines, or "electoral support organizations" such as
election commissions.
Figure 3: Electoral platforms affecting
public opinions are most frequently targeted
Globally, we assess that actors continue to deploy disinformation in
the form of fabricated news and hoaxes spread primarily via social
media and counterfeit websites designed to mimic legitimate news
organizations, which may be picked up by legitimate news
organizations. In the last several years, we have seen influence
operations use increasingly creative methods to blend their
inauthentic messaging with legitimate speech (e.g., by interviewing,
impersonating, and hiring legitimate journalists or experts, and
sending letters to the editor to real publications).
Malicious actors create and spread disinformation with the intent to
mislead an electorate by causing reputational damage to an individual
or political party, or by casting doubt regarding a particular issue
or political process. Influence campaigns also seek to exacerbate
existing societal divisions.
In the Asia-Pacific region, Mandiant Threat Intelligence observed
pro-China threat actors spoof Taiwanese media outlet TVBS (官方網站) to
promote narratives in line with the People's Republic of China's
(PRC's) political interests in a coordinated, inauthentic manner. The
accounts use a variety of tactics in order to pose as Western media
outlets, including the use of identical or near-identical usernames,
display names, and profile photos as the accounts of the outlets they imitate.
Figure 4: @TVSBnews quote-tweets People's
Daily video citing alleged U.S. interference in foreign elections
Public exposure of high-profile information operations, such as
Russia's interference in the 2016 U.S. presidential election, has
strengthened perceptions that such operations are effective. It also
demonstrates the difficulty that open societies face in countering
this threat, encouraging current and aspiring information operation
sponsors to grow their efforts. We anticipate that influence
operations conducted in support of the political interests of
nation-states will increase in sophistication, volume, and diversity
of actors through 2020 and beyond.
In the last 12 months, Mandiant Threat Intelligence observed and
reported on information operations conducted in support of the
political interests of numerous countries. During Singapore's 2020
general elections, the country's first "digital" election,
Mandiant Threat Intelligence identified multiple inauthentic accounts.
These accounts did not, however, appear to be acting in a coordinated manner.
We expect that threat actors will continue to target entities
associated with elections worldwide for the foreseeable future and may
expand the scope of this activity as long as the potential rewards of
these operations outweigh the risks. State-sponsored actors almost
certainly view targeting the electoral process as an effective means
of projecting power and collecting intelligence.
Furthermore, the continuous expansion of the social media landscape
will likely encourage various actors to pursue information operations
by promoting preferred narratives, including the use of propagating
inauthentic or deceptive information. We have already seen tactics
evolve to avoid detection and incorporate emerging technologies, such
as "deepfake" or multimedia manipulation technology, to
advance more believable and impactful information operations, and we
expect these innovations to continue. Lower tech methods, such as
outsourcing propaganda activities to real people hired specifically to
spread false and misleading content, can hinder attribution efforts
and potentially increase the effectiveness of operations if those
people have a more specialized understanding of the information environment.
To battle election threats, there is an urgent need to increase
public awareness of the threat and inculcate behaviors that reduce the
risk of compromise or disruption. These include everything from
rigorously securing email to implementing policy around notification
of cyber incidents in the supply chain. In addition, governments can
consider mandating digital imprint requirements for election
campaigning, increasing fines for electoral fraud, and increasing
transparency around digital political advertisements. Investment in
news verification and screening methodologies on search and social
media platforms as well as public education efforts equipping voters
and students to distinguish trustworthy information from suspicions
may also reduce the impact of influence operations.