2024-08-15

From Spear-Phishing to AI: The Evolving Threat Landscape of the 2024 U.S. Presidential Election

Level: Strategic | Source: Microsoft | Government

In the lead-up to the 2024 U.S. elections, the Microsoft Threat Analysis Center (MTAC), in its intelligence series tracking the election, released crucial findings on foreign cyber operations targeting the 2024 U.S. election, primarily from Iran, Russia, and China. These actors have made varied yet sustained attempts to affect election outcomes. The recent emphasis is on Iranian operations, which, unlike the ongoing Russian campaigns, have intensified closer to the election season. According to MTAC, "Iran’s operations have been notable and distinguishable from Russian campaigns for appearing later in the election season and employing cyberattacks more geared toward election conduct than swaying voters. Recent activity suggests the Iranian regime—along with the Kremlin—may be equally engaged in election 2024."

MTAC's report highlights the role of artificial intelligence (AI) in these influence operations. It notes that while all major actors have experimented with generative AI to craft their messages, the impact has been minimal. "MTAC identifies a Russian and a Chinese actor that have employed generative AI—but with limited to no impact." Adversary use of AI is still very much in an experimental phase, with actors falling back on more traditional techniques, such as digital manipulation and mischaracterization, which have historically proven more effective.

Iranian threat actors like Sefid Flood and Mint Sandstorm (aka APT35, Charming Kitten, ITG18, Magic Hound) have been particularly active. Sefid Flood is preparing for potential influence operations by creating online personas and websites, aiming to stoke chaos and undermine trust in electoral processes. On the extreme end, MTAC assesses Sefid Flood's "operations may go as far as intimidation, doxing, or violent incitement targeting political figures or social/political groups." Meanwhile, Mint Sandstorm has engaged in more direct cyber activities, including spear-phishing campaigns targeting U.S. presidential campaigns to gather intelligence and potentially disrupt the electoral process. Another group, Peach Sandstorm (aka APT33, Elfin, HOLMIUM), has been involved in operations that, while less clearly tied to the election, have targeted government organizations in key geopolitical areas. Threat actors strategically focus on divisive issues that are currently top of mind for voters and pivotal in public discourse in the United States.

MTAC also highlights the activities of Storm-2035, an Iranian network operating covert news sites targeting U.S. voter groups with polarizing content. These sites play a role in Iran's strategy to influence U.S. domestic politics by amplifying divisive issues. Russian and Chinese activities also continue, with Russia using complex disinformation campaigns and China engaging in subtler, platform-specific influence operations aimed at shaping political discourse in the U.S.

The ongoing insights from MTAC underscore the complex nature of threats facing the 2024 U.S. election, highlighting both technological and human vulnerabilities at a critical juncture.
