Sinister forces have abused the internet to assert their agenda on electoral processes. Here are some of the discovered stunts…

Cybercriminals and bad actors can create chaos in state and local voting and election systems—from disqualifying legitimate voters to corrupting data to launching denial-of-service attacks.

Many government election commissions and agencies could be much better prepared to deal with election security threats. To develop solutions and security programs to counter cyber threats to elections, government agencies should engage with industry experts with frontline experience to stop cyber criminals and bad actors.

In the new year, cybersecurity specialist FireEye has concluded that state-sponsored and other threat actors will not only continue to target entities associated with elections worldwide, but will also expand their targets headed into next year’s elections.

To provide a quick overview, the company has put together a summary that details the different election security targets, categorizes their role, and also dives into the methods used by threat actors to infiltrate these systems.

Types of threats

With respect to election security, FireEye has observed threat activity that include:  

  • Attacks on critical election infrastructure to tamper with or alter votes
  • Disinformation campaigns using stolen data, fabricated content, or compromised access
  • Cyber espionage, spearphishing and social engineering of political campaigns, election administrators and other influencers
  • Attacks on critical election infrastructure to tamper with or alter votes

Future threat scenarios could predominantly include disruptive attacks that use ransomware to target election administrators. Such attacks could provide threat actors a deniable means to affect public perception around the security of these election administrators—without having to impact core electoral systems.

Election cyber-attacks in recent history

The FireEye Election Security ebook maps out the history of cyber and ransomware attacks on elections around the world from 2016 to date, and explores the threat actors’ preferred methods with each incident.


  • MARCH: PHILIPPINES – Anonymous Philippines defaces the Philippines Commission on Elections (COMELEC) website and leaks 340 GB of genuine data.
  • JUNE: UNITED STATES – Russia-affiliated actors APT28 and APT29 compromise a Democratic National Committee (DNC) server in mid-2015 and maintain that access until at least June 2016. Russian threat actor Sandworm Team is suspected of having targeted several states’ election infrastructure. Separately, we observed a broad network of social media accounts use material from the DNC leaks as springboards to promote a variety of false or misleading narratives. These activities are consistent with known tactics, techniques, and procedures (TTPs) associated with the Russian Internet Research Agency (IRA).


  • MAY: FRANCE – Suspected Sandworm Team activity targets the French political party, “En-Marche!”
  • AUGUST: KENYA – Discovery of several news websites created to mimic legitimate Kenyan and international news websites—a subset of which appear to have been created in coordination with each other to damage the reputation of an opposition party candidate.
  • NOVEMBER: RUSSIA – Observations of numerous concerted anti-opposition messages in various IRA-linked YouTube videos, the Russian social media platform VK, and on Russian blogs.
  • DECEMBER: CATALONIA – As part of the #OpCatalunya campaign, a Spanish hacktivist group publishes a blog post claiming to have gained unauthorized access to “iPARTICIPA”, a cloud-hosted system belonging to the administrator of the electronic voting system used in the Catalonian elections.


  • JANUARY: HONDURAS – Anonymous-affiliated hacktivists launch the #OpHonduras campaign in protest of the recent inauguration of Honduran President Juan Orlando Hernández.  
  • JUNE: CAMBODIA – APT40 compromises the website of Cambodia’s National Election Commission using AIRBREAK malware.
  • MARCH: MALAYSIA – Suspected Chinese threat actors leverage a series of lure documents related to the Malaysian election against multiple government agencies.
  • JULY: MEXICO – Multiple websites and Facebook groups observed disseminating fabricated content in support of and against presidential candidates.
  • OCTOBER: HONG KONG – Chinese cyber espionage actors leverage EVILNEST malware in a campaign targeting Hong Kong entities in October 2018.
  • NOVEMBER: TAIWAN – Suspected Chinese threat actors target Taiwanese government entities with election-themed lures, utilizing TAIDOOR malware.


  • NOVEMBER: THE UNITED STATES – Discovery of multiple Twitter accounts appearing to impersonate US Republican congressional candidates as part a network of English-language social media accounts that appeared to be tied to actors supporting Iranian interests.
  • UNNAMED EUROPEAN COUNTRY – Spearphishing of an election administrator and a media organization by unknown threat actors.

Interested readers can find out more here.