Main Logo Expert commentary on tech and security

Cyber threats to European elections: beyond the headlines

Jamie Collier 28 May 2024
Share On:
Sensationalism will have voters believe that the main election threats are vote tampering and deepfakes, but comprehensive threat analysis shows that political parties, campaigns and voters themselves are more likely targets
Main Top Image
Image created with the assistance of Midjourney

After UK Prime Minister Rishi Sunak announced in late May that general elections will take place on July 4, UK voters will be among the two billion people heading to the polls in 2024. Europeans have several elections ahead besides the United Kingdom: the European Parliament, Austria, Belgium, Croatia, Iceland, Romania, Lithuania, and Moldova.

Election reporting can easily distort our understanding of threats. The conversation within Europe is often dominated by a small subset of issues that are prone to sensationalism, such as cyber-enabled vote tampering or the role of deepfakes. Concerns around these topics are reasonable and valid, yet other types of attacks and targets may present a greater threat. We have yet to see compromises of voting machines in the wild, and there are only limited indications that election system manufacturers are being targeted.

Instead, the cyber threat landscape for the European elections involves a variety of targets, tactics, and threat actors. This can quickly feel overwhelming. Zooming out to acknowledge the wider spectrum of election threats and applying historical knowledge can help build level-headed analysis.

Ministries, political parties and campaigns

Ministries, government functions, election administrators, political parties, campaigns, media outlets, and even voters are more likely targets than cyber-enabled vote tampering. Advanced Persistent Threat 29 (APT29), a cyber actor linked to Russia’s Foreign Intelligence Service, has a track record of targeting foreign ministries. In February 2024, APT29 took its attacks further: at Google Threat Intelligence, we saw it target German political parties for the first time.

This is a warning signal to other political parties and civil society groups across Europe that they are now on the menu for cyber espionage campaigns. Across this broader election ecosystem, many entities are particularly vulnerable, such as grassroots campaigns that typically lack robust cyber security.

Hybrid threats

The two primary types of threats associated with elections are network intrusions targeting high-value political entities and information operations targeting the wider public. Each of these topics is important to prepare for in its own right, yet the security community often fails to consider how they come together. Threat actors are now deliberately layering attacks through hybrid operations. Each tactic magnifies the others.

Hack-and-leak operations are a longstanding example of this concept in action: sensitive information stolen through a network intrusion boosts the effectiveness of subsequent information operations. By leveraging authentic documents, an adversary can maximise societal disruption. In one instance, the then-UK opposition leader Jeremy Corbyn in 2019 cited authentic UK healthcare service documents that were initially leaked by Russia. In another instance, a Brexit leak website was linked to Russia in 2022. Various disruptive cyber operations, including DDOS, website defacements and the deployment of wiper malware, also now contain a clear psychological component.

More adversaries

Russia represents the most serious threat to European elections. It is the main perpetrator of hybrid operations. Russia-nexus groups, such as APT44 (AKA Sandworm), have a track record of combining espionage campaigns, destructive operations, and spreading disinformation. The group has a longstanding record of interfering in democratic processes and has been behind some of the most high-profile incidents in Ukraine, France, Georgia, and the United States.

Although not directly election-related, the Russia-Ukraine conflict also provides important context on how Russian actors could target democratic processes through hybrid operations. After deploying wiper malware on Ukrainian entities, the Russian Chief Intelligence Directorate (GRU) routinely uses Telegram channels and assumes hacktivist identities to claim responsibility for cyberattacks. They also leak stolen documents and post proof of compromise from their targets that way. This ensures that victims are publicly outed, even if they decide not to publicise an attack.

A political party or campaign might be able to recover from a denial-of-service attack or recover systems after wiper malware. However, when such an incident is publicised by an adversary, it can easily create a perception among the public that democratic institutions are under threat in the run-up to an election. This blended approach is baked into Russia’s ‘information confrontation’ approach to cyber conflict.

Russia is not the only threat to European elections. For instance, uncategorised (UNC) threat group 1151 (UNC1151) is tied to the Belarusian government. The group has previously targeted European governments and provided technical support to information operations such as GHOSTWRITER, which has promoted narratives critical of NATO. Unlike Russia’s interest across Europe, UNC1151’s operations have typically targeted countries neighbouring Belarus, and many of the information operations it has supported are directed at Eastern Europe.

Other players could also threaten European elections. Chinese information operations have typically focused on the United States and local and near-abroad issues like Xinjiang, Hong Kong, and Taiwan. However, these operations have expanded in scope and scale in recent years, including operations conducted in European languages and targeting private sector companies.

China-nexus groups also spy on European democracies. In March, the United Kingdom called out China for targeting the UK’s Electoral Commission and parliamentarians in 2021 and 2022.

Beyond state threats, the Russia-Ukraine and Israel-Hamas conflicts have precipitated a resurgence in hacktivism that has targeted European countries. For example, the Russia-aligned hacktivist group Killnet targeted the European Parliament website in late 2022, shortly after members voted to declare Russia a state sponsor of terrorism.

Cybercriminal groups could also target election infrastructure. Although they are not interested in elections, their methods include targeting organisations during high-pressure moments. For instance, ransomware groups target the education sector ahead of a new academic year or retail companies in the run-up to the holiday period.

Level-headed responses

Despite the variety of potential threats, calm and level-headed responses are more needed than ever. Understanding relevant threats can empower the policymaking and network defence communities to build more proactive strategies. Moreover, information operations and disruptive cyber campaigns thrive when their impacts are built up. At a time when there is no shortage of sensationalism and doom-mongering on election-related cyber threats, objective analysis will be more important than ever.

avatar
Jamie Collier

Related

Featured image
Binding Edge
Learning to supply cyber capabilities
Joseph Jarnecki 10 June 2024
Read more arrow
Featured image
Binding Edge
Pell Mell or Pas Mal? Governing commercial cyber intrusion capabilities
James Shires 11 November 2024
Read more arrow
Featured image
Binding Edge
The magic of sophisticated cyber attacks
Max Smeets 4 December 2023
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.