Microsoft has warned about escalating cyber influence operations by Iran's IRGC as election day approaches, targeting US political campaigns and public trust.

As the 2024 US presidential election approaches, Iranian hackers are stepping up their cyber-influence operations to disrupt the electoral process and undermine voter confidence in the US.

Iran-backed groups, particularly the Islamic Revolutionary Guard Corps (IRGC), have been increasingly active in cyber-enabled influence efforts, focusing on election-related operations that could escalate in the final days before election day, according to the latest Microsoft Threat Analysis Center (MTAC) report.

The report outlined a series of cyber-enabled influence operations by Iran, including hacking, disinformation campaigns, and online activities aimed at manipulating public sentiment.

“Iran is ramping up its efforts to interfere in the US electoral process, with increasing focus on influence campaigns designed to erode confidence in the integrity of elections,” Microsoft said in a statement.

According to Microsoft, Iranian hackers have been actively targeting US political campaigns, particularly the Trump campaign, in an attempt to destabilize the 2024 election. One of the key incidents involved IRGC-linked hackers stealing non-public information from former President Trump’s campaign and distributing it to individuals tied to President Biden’s campaign and US media outlets.

“This operation is part of Iran’s broader strategy to sow discord and undermine the US electoral process,” Microsoft explained.

The advisory also highlighted a recent indictment by the US Department of Justice (DOJ) against three Iranian cyber actors from the IRGC for their involvement in a “hack-and-leak” operation targeting the Trump-Vance campaign. The DOJ noted that this operation was intended to stoke division and further Iran’s long-standing effort to retaliate for the death of IRGC commander Qasem Soleimani.

Microsoft echoed this sentiment, stating that these activities represent a broader Iranian effort to “weaken US democratic institutions.”

Microsoft also pointed out that Iran’s cyber-influence tactics extend beyond direct attacks on campaigns. On October 14, an online persona operated by Iran, known as “Bushnell’s Men,” began calling on Americans to boycott the election. The group falsely posed as US citizens and spread messages across social media platforms, including X and Telegram, encouraging election boycotts tied to US support for Israel.

“Bushnell’s Men have been at the forefront of recent efforts to leverage divisive issues, such as the Israel-Palestine conflict, to erode voter participation and trust,” Microsoft stated in the report.

On October 18, the FBI and CISA also issued a similar advisory warning US citizens about “foreign threat actors” trying to spread disinformation during the US election.

Reconnaissance in key US swing states

In addition to influence operations, Iranian cyber actors have been engaged in probing critical US election infrastructure, Microsoft claimed in the report. Microsoft’s analysis revealed that the IRGC-backed group, Cotton Sandstorm (Emennet Pasargad), performed reconnaissance on election-related websites in US swing states as early as April 2024.

“These reconnaissance efforts indicate that Iranian hackers are preparing for potential influence operations as Election Day draws closer,” the statement added.

This group has a history of similar activities, having targeted US elections in 2020 through operations designed to intimidate voters and create chaos around election results. In 2020, Cotton Sandstorm posed as a member of the right-wing group “Proud Boys,” sending threatening emails to Florida voters in an effort to manipulate the vote.

“Historically, Cotton Sandstorm has targeted elections in a similar fashion through hacking operations aimed at media entities and state election-related websites ahead of the last US presidential election.”

This spring, Cotton Sandstorm extended its operations to media outlets, performing reconnaissance of major US news sites in what could be preparation for additional influence campaigns. The group’s use of hacking to obtain sensitive information and its ability to strategically leak it to the public has made it a potent tool in Iran’s arsenal for election interference.

“Cotton Sandstorm’s springtime cyber operations may represent preparations for the 2024 election,” the report said.

While Cotton Sandstorm has not yet launched an aggressive operation ahead of the 2024 election, Microsoft expects the group to increase its activities as Election Day approaches. The regular cadence of its operations — typically every three to ten weeks — suggests that further efforts to disrupt the election could be imminent.

Ongoing disinformation campaigns and social media manipulation

Besides Cotton Sandstorm, Microsoft’s advisory also shed light on other Iran-linked groups that are actively involved in US election-related disinformation. One such group, Storm-2035, has been running a network of websites that pose as local US news outlets. These sites post divisive content targeting both Democrats and Republicans, with the goal of inflaming partisan tensions.

“Storm-2035 has been consistently posting conspiratorial content designed to deepen divisions among US voters,” Microsoft added in the report.

Additionally, the report detailed the activities of Mint Sandstorm (also known as APT-42), another IRGC-linked group that has been targeting notable US political figures. In one case, Mint Sandstorm compromised the account of a high-profile Republican politician, an effort Microsoft believes was intended to gather intelligence and further influence operations.

“Iranian hackers are expanding their reach by targeting key political figures and using the information they gather to fuel disinformation campaigns,” Microsoft noted.

Election interference by Russia, China

While Microsoft emphasized the significant threat posed by Iranian cyber actors, it also acknowledged the activities of other foreign adversaries. Russian actors, for instance, have incorporated generative AI into their influence operations, creating deepfake videos of political figures such as Vice President Kamala Harris. Chinese cyber actors, meanwhile, have shifted their focus toward down-ballot candidates, promoting certain congressional candidates while denigrating their opponents.

“Foreign actors from Russia, China, and Iran continue to pose a multifaceted threat to the 2024 US election, with each country leveraging unique tactics to influence voters,” the statement said.

Despite the involvement of multiple foreign adversaries, the report made clear that Iran remains a central player in the election interference landscape.

With just days remaining before the 2024 US presidential election, Microsoft warned of further escalation in cyber-influence activities from Iran. Cotton Sandstorm and other Iranian groups have a history of ramping up operations in the final weeks before election day, and recent reconnaissance efforts indicate that the US election infrastructure remains a prime target.