What to Expect From Disinformation Campaigns During the 2022 U.S. Midterms, Part 2
Oct 18, 2022 | 21:22 GMT
Editor's Note: As the November 2022 U.S. midterm elections approach, state-sponsored cyber threat groups, hacktivists and cybercriminals will ramp up new or capitalize upon existing disinformation campaigns for various malign ends. Although social media platforms are preparing for the onslaught of disinformation, their efforts will likely fail to mitigate the full extent of cyberthreats, heightening societal and physical security risks. In the second part of this series, we explore the risk of external meddling in next month's vote from actors like Russia, China, Iran and North Korea. The first part can be found here.
Russia is the foreign state most likely to spread, and most capable of spreading, influential disinformation targeting the November 2022 U.S. midterm elections. As has been widely reported, for the last few decades, Russia has greatly advanced its cyber capabilities, including information warfare, and has a strong motivation to undermine U.S. interests. Relations between Russia and the United States are at their worst since the Cold War, and Russia has long utilized asymmetric tools like cyber to achieve its foreign policy objectives. In 2020, for example, Russia engaged in a number of covert and overt influence operations in an attempt to weaken voter support for then-U.S. presidential candidate Joe Biden and bolster support for then-President Donald Trump. To this end, Russian attempts to influence the upcoming midterm elections were noted as early as August 2021, when President Biden claimed that classified intelligence showed that Russia was already trying to undermine the elections through disinformation campaigns. While some observers posit that Russia may be less able to conduct, or less interested in conducting, disinformation campaigns targeting the 2022 midterm elections, as Russia is investing significant resources in its ongoing war in Ukraine, others reject this belief. For instance, when asked in July if the ongoing war would dampen Russian election meddling, FBI Director Christopher Wray stated, "I am quite confident the Russians can walk and chew gum."
In September 2022, Meta announced that it had disrupted the largest and most complex Russian disinformation operation seen since Russia invaded Ukraine. The operation involved more than 60 websites attempting to impersonate legitimate European news organizations, including the United Kingdom's The Guardian and Daily Mail, Germany's Der Spiegel and Bild, and Italian news agency Agenzia Nazionale Stampa Associata. The fake sites contained articles in multiple languages promoting pro-Russian narratives, including accusations that the Ukrainian government and military were corrupt and warnings that European sanctions on Russia would result in severe consequences. According to Ben Nimmo, Meta's global threat intelligence lead, the websites were built with extensive care, indicating the sophistication of the operation; for instance, Russian hackers carefully copied the layout of media outlets' legitimate sites and imitated their web addresses, at times even using photos of real journalists to obfuscate the operation.
The operation also included a number of fake social media profiles on Western platforms, including 1,633 Facebook accounts, 703 Facebook pages and 29 group Instagram accounts. Meta reported that approximately 4,000 accounts followed one or more of the Facebook pages within the disinformation network, while around 1,500 Instagram accounts followed one or more of the Instagram accounts.
As Russia faces setbacks on the battleground in Ukraine, its motivations to retaliate against the United States and the West more broadly will grow even stronger, which will incentivize some level of disinformation campaigns and drive hacktivist operations that could further promote disinformation. According to a senior FBI official who spoke to AP on Oct. 3 under the condition of anonymity, Russia has already been amplifying divisive topics on the internet to exacerbate doubts about the integrity of the U.S. election process. Aside from the Russian state-backed threat, several Russian-aligned hacktivist groups — including Conti, Cuba and Killnet — have been highly active in recent months in carrying out a number of operations against Western targets. In May, U.S. cybersecurity company Mandiant published a report detailing how Russian-aligned threat actors, including hacktivists, were conducting multiple disinformation operations in an attempt to undermine the Ukrainian war effort and Western cohesion. Specifically, Mandiant's report detailed how these actors were using false social media accounts to post on various platforms and forums to spread disinformation. In one example, threat actors claimed that a Polish criminal ring was harvesting organs from Ukrainian refugees to illegally traffic in the European Union.
Killnet has repeatedly conducted distributed denial of service (DDoS) attacks, which seek to overwhelm the target's servers by flooding them with internet traffic, against Western governments and private sector targets, including those in Japan, Lithuania, Poland and Estonia. Killnet has also targeted several U.S. institutions in the past few weeks, including a DDoS campaign launched on Oct. 5 against a number of U.S. state government websites (including the Colorado, Kentucky and Mississippi state websites), rendering them inaccessible. The attack also took down Kentucky's board of elections website, which contains information on how to register to vote. While the websites were quickly brought back online and although the campaign did not appear to be specifically targeting the U.S. midterm elections, the attack demonstrates how hacktivist activities can affect citizens' access to important resources that may pertain to the election.
Killnet has also warned of additional attacks in the coming weeks targeting various U.S. state government websites, including Alabama, Alaska, Connecticut, Colorado, Delaware, Florida, Hawaii, Idaho, Indiana, Kansas, Kentucky and Mississippi. On Oct. 10, Killnet targeted a number of U.S. airport websites in a DDoS campaign, affecting the Los Angeles International Airport (LAX), Chicago O'Hare International Airport and the Hartsfield-Jackson Atlanta International Airport, among others. While these attacks attracted a fair amount of media attention, they did not disrupt any flights or airport operations.
By contrast, while China has long engaged in cyber espionage, Beijing has historically avoided election meddling through large-scale social media disinformation campaigns, though there are small signs it may slowly be changing its strategy. Although China possesses significant cyber capabilities, compared with Russia it has struggled to overcome cultural, linguistic and other tradecraft barriers to effectively and widely spread disinformation. China has also been much more risk-averse than Russia and has generally tended to focus on spreading pro-Beijing narratives throughout Asia rather than seeking to directly target U.S. elections, which would bring even greater scrutiny and risk blowback. For instance, a March 2021 declassified U.S. intelligence report outlining foreign actors' attempts to influence the 2020 U.S. presidential election found that China considered engaging in influence campaigns but ultimately decided against doing so. That being said, since the outbreak of the global COVID-19 pandemic, China has begun to adopt more aggressive tactics to proliferate pandemic disinformation, driving the narrative that the virus was manufactured and weaponized by the U.S. military. Its disinformation campaigns have also attempted to undermine the U.S. pandemic response by highlighting the shortcomings of U.S. efforts compared with China's supposedly more successful lockdowns. Moreover, as relations between Beijing and Washington continue to deteriorate, China's motivation to proliferate disinformation during the midterm elections may be increasing, and recent reports suggest that China is already engaging in some disinformation efforts, though with questionable effectiveness.
At an Oct. 3 media briefing, FBI officials stated that Russian and Chinese government-affiliated operatives and organizations are promoting disinformation about the integrity of U.S. elections. At the briefing, one FBI official specifically claimed that Chinese operatives are engaging in more "Russian-style influence activities" to exacerbate American divisions, citing Meta's recent takedown of an influence operation originating from China that ran across multiple social media platforms and reportedly targeted U.S. domestic politics.
Meta's takedown occurred in tandem with its larger takedown of the Russian-aligned operation and, in comparison, the Chinese operation was much smaller and less sophisticated. The Chinese operation consisted of four smaller campaigns that ran intermittently between fall 2021 and September 2022 on social media platforms like Facebook, Instagram and Twitter and targeted a U.S. audience on both sides of the political spectrum; the campaign also targeted the Czech Republic with anti-government rhetoric, criticizing the government's support of Ukraine and warning against antagonizing China. The campaign was largely ineffective, given its smaller scale and the fact that most fabricated accounts associated with the campaign would post during Chinese working hours rather than when target audiences were awake, limiting user engagement.
A third actor, Iran, has also previously targeted U.S. elections with disinformation campaigns, but ongoing civil unrest within the country may undermine its ability to do so this year. Iran has engaged in myriad disinformation campaigns targeting the U.S. populace, including during the 2020 presidential election, when Iranian hackers aimed to heighten political polarization. Specifically, two Iranian nationals were indicted in November 2021 for engaging in various attempts to undermine the 2020 election; the individuals pretended to be Proud Boy members and sent Facebook messages to Republican lawmakers claiming that the Democratic Party was planning to exploit security vulnerabilities in state voter registration websites to edit mail-in ballots and register nonexistent voters. While the operation was not considered to be particularly sophisticated, it nevertheless demonstrated Iran's interest in exploiting partisanship. Since then, Iran has sponsored a number of other disinformation campaigns, including after several major events such as U.S. President Joe Biden's announcement that the United States would resume nuclear talks with Iran and the U.S. withdrawal from Afghanistan.
Broadly, Tehran has numerous motivations to spread false narratives, especially as U.S.-Iran nuclear talks flounder and Washington ramps up sanctions pressure. However, its ability to do so effectively — specifically during the upcoming elections — may be constrained by the continuation of nationwide protests in Iran following the suspicious death of a 22-year-old named Mahsa Amini, who died on Sept. 16 while in the custody of Iran's morality police after they detained her for improperly wearing her headscarf. As the Iranian government struggles to maintain domestic order through internet blackouts and widespread police crackdowns, Iranian officials will likely be preoccupied with managing the narratives on domestic platforms.
Since the protests began, hacktivists have pledged their support to Iranian citizens; among other groups, Anonymous declared on Sept. 20 the start of "Operation Iran" (#OpIran) and later that day hacked a number of Iranian government websites, including those of the Iranian president, the government-affiliated Fars News Agency and various other public service websites. Anonymous also targeted Iran's central bank on Sept. 26 and launched a data theft and leak operation against the Iranian parliament, releasing the phone numbers and addresses of all lawmakers on Sept. 25.
As of Oct. 18, nationwide protests across Iran are now in their second month, despite lethal crackdowns by law enforcement officials. Although they initially began with a focus on women's rights, they have since broadened to encompass general anti-government anger. While anti-government protests in Iran are relatively common, the current demonstrations are larger, deadlier and more geographically spread, challenging government efforts to stymie protests.
Finally, while North Korea continues to be a capable cyber actor, Pyongyang has largely avoided disinformation campaigns, a trend that is likely to continue in the U.S. midterm elections. The bulk of North Korean-aligned cyber activity is financially motivated, as North Korean cybercriminals are seeking payouts and the government is looking to bolster its weak economy through illicit means. Although recent North Korean missile tests have put many people on edge, these tensions are unlikely to translate into effective or extensive disinformation campaigns targeting the U.S. midterm elections. North Korea has not shown serious intent or ability to conduct such campaigns during prior elections — nor is there any evidence so far of it spreading disinformation on Western social media platforms this year — and, should Pyongyang choose to do so, there would be significant tradecraft barriers it would need to overcome. That said, while North Korean threat actors may not engage in disinformation campaigns, they will likely still look to exploit the election through targeted scams or other fraudulent online activity for financial gain.
This year, North Korean-aligned threat actors, such as Lazarus, have engaged in a number of financially motivated cryptocurrency theft operations, including stealing approximately $615 million from online game Axie Infinity in March and another $100 million from blockchain startup Harmony in June. As these operations indicate, North Korea's primary objectives in cyberspace continue to be financially motivated.