{
	"id": "d475278e-f33a-4778-8da0-eae724c7aa38",
	"created_at": "2026-04-06T00:08:57.490911Z",
	"updated_at": "2026-04-10T13:11:52.2164Z",
	"deleted_at": null,
	"sha1_hash": "b8d7843317f679ebe51e95b3a3a2105d68a227ac",
	"title": "European Election Security At Risk: A Detailed Analysis of State-Sponsored, eCrime, and Hacktivist Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65811,
	"plain_text": "European Election Security At Risk: A Detailed Analysis of State-Sponsored, eCrime, and Hacktivist Threats\r\nBy Alixia Clarisse Rutayisire\r\nPublished: 2024-06-05 · Archived: 2026-04-02 12:12:31 UTC\r\nAs the European Elections approach, concerns about election integrity intensify within an ever-evolving\r\nand increasingly polarized threat landscape.\r\nThis blog post will provide a detailed exploration of the diverse and complex threats facing these pivotal elections.\r\nThrough expert analysis, we aim to unravel the multifaceted nature of these cyber threats, enhancing\r\nunderstanding and preparedness among stakeholders.\r\nQuoIntelligence’s analysis shows that state-sponsored operations are the main threats to European election\r\nsecurity, with political entities and media as primary targets.\r\nRussian state-sponsored activity is the most likely to affect election security, with a high likelihood of\r\ncyberattacks and hybrid warfare operations involving physical and cyber aspects.\r\nPolitical figures and parties, government entities, and media platforms are most likely to be targeted by\r\nsuch operations.\r\nRansomware and supply chain attacks can alter the smooth running of the elections but do not threaten\r\ntheir outcome.\r\nFinancially motivated threat actors are unlikely to intentionally disrupt the electoral process.\r\nPro-Russia hacktivist groups will likely launch short-lived DDoS attacks targeting European entities amid\r\nthe elections, causing limited impact.\r\nState-backed activity poses HIGH RISK to the EU Parliamentary election security\r\n(high likelihood, medium impact)\r\nRussian and Chinese state-sponsored threat actors are the foreign actors most likely to interfere in the EU’s\r\nparliamentary elections in June.\r\nRussian State-sponsored Activity Will Highly Likely Attempt To Disrupt European Parliamentary\r\nElections.\r\nSince the beginning of the Russian invasion of Ukraine in February 2022, tensions between 
the EU and Moscow\r\nhave grown significantly. On the threat landscape, this materializes through the intensification of Russian hybrid\r\nwarfare operations. Notably, since April, the North Atlantic Alliance and other European security services have\r\npublicly warned of Russian information and espionage operations, as well as physical sabotage.\r\nHigh Risk of Cyberattacks: In May, Germany denounced cyberattacks conducted by APT28 against the Social\r\nDemocratic Party (SPD).1 More recently, the Polish government reported that the country’s state news agency’s\r\nhttps://quointelligence.eu/2024/06/european-election-at-risk-analysis/\r\nPage 1 of 4\n\nwebsite was the target of a cyberattack which resulted in the publication of a false story about military\r\nmobilization to fight in Ukraine. The authorities suspect this to be a Russian state-sponsored attack to destabilize\r\nthe EU ahead of the European Parliamentary elections. Further cyberattacks are likely ahead of and after the\r\nEuropean elections. They can serve several purposes: disruption, influence, and espionage. Among Russian APTs,\r\nwe assess that APT28 and APT44 (aka Sandworm), both affiliated with the Russian General Staff Main\r\nIntelligence Directorate (GRU), are most likely to take part in cyber operations aiming to disrupt the elections as\r\nthey have engaged in similar campaigns in the past. Notably, APT28 was involved in attempts to influence the US\r\npresidential election in 2016 and the French presidential election in 2017.\r\nHigh Risk of Hybrid Influence Operations: Over the last months, Russia has intensified its efforts to sow\r\ndivision in the EU through covert hybrid influence operations. French intelligence service reportedly identified the\r\nFSB Fifth Service behind the tagging of stars of David in the streets of Paris in November 2023. 
This operation\r\nwas then amplified by an online campaign that involved thousands of bots linked to the infrastructure of the\r\nwidespread Russian disinformation campaign, Doppelganger, publishing content about the controversy on X.\r\nSimilar operations are highly likely in the short term. In fact, another incident points to continuous efforts of\r\nRussian services to sow division. On 1 June, three individuals staged five coffins draped in a French flag and\r\nbearing the inscription “French soldiers of Ukraine” near the Eiffel Tower. Police have arrested the individuals\r\ninvolved in this incident and authorities have reportedly established some connection between this incident and\r\nthe Star of David case.2\r\nHigh Risk of Espionage Operations: Russia is conducting long-term espionage operations in Europe, using both\r\ntraditional means of recruiting agents, including within the European Parliament,3 4 and cyber operations. Russian\r\nservices will likely monitor the electoral process and identify new targets among the new Members of the\r\nEuropean Parliament (MEP) and staff.\r\nChinese State-sponsored Espionage Activity Highly Likely Amid European Parliamentary\r\nElections\r\nThroughout 2024, the EU has taken measures aligned with its new policy to de-risk trade with China, contributing\r\nto tensions in its relations with Beijing. Coupled with the growing polarization of the global geopolitical landscape, this\r\nincreases the probability of some sort of Chinese interference in the EU’s parliamentary elections. We assess that\r\ndirect cyberattacks conducted by Chinese state-sponsored threat actors are unlikely, while influence operations are\r\nmore probable.\r\nHigh Risk of Espionage Operations: Recently, espionage cases in the European Parliament5 and in the UK6\r\nhave illustrated the scale of Chinese espionage in European political institutions. 
Beijing will highly likely\r\ncontinue to engage in such activities before, during, and after the European elections to anticipate the outcome and\r\nthen adapt its strategy accordingly. The groups linked to China’s Ministry of State Security (MSS) are most likely\r\nto engage in such activities during the European elections. The MSS conducts intelligence collection using human\r\nintelligence and cyber operations. The Winnti Group, which includes APT17, APT41, and APT15, is known for\r\nstate-sponsored espionage operations targeting entities in Europe, Asia, and North and South America, with\r\nvictims in governmental institutions and other strategic sectors. In 2023, researchers identified a Chinese\r\nespionage campaign conducted by APT15 which ran for months targeting foreign ministries.7 More recently, in\r\nMarch, the US and the UK denounced espionage operations conducted by APT31 targeting high-ranking\r\ngovernment officials and their advisers.8\r\nMedium Risk of Influence Operations: In 2024, reports have already identified Chinese threat actors behind\r\ninfluence operations in the framework of elections. In fact, the Taiwan presidential election, held on 13 January,\r\nillustrated the widespread use of artificial intelligence-generated content as part of an influence campaign that was\r\nlikely orchestrated by Chinese actors. Notably, we observed the spreading of visual and audio deepfakes of pro-independence candidates and public figures, aiming to discredit the pro-independence party, the Democratic\r\nProgressive Party (DPP). Other TTPs used during this campaign included fake opinion polls, fake news websites,\r\nAI-generated news anchors, and AI-generated memes. Our analysis has shown that AI-powered influence\r\noperations have not been effective in changing the outcomes of an election. 
However, threat actors are likely to\r\ncontinue to experiment with the use of AI, exploiting rumors, bias, defamatory content, or controversial political\r\nquestions to develop online disinformation campaigns.\r\nWe assess that Chinese state-sponsored threat actor Storm-1376 (aka Spamouflage and Dragonbridge) is most\r\nlikely to engage in such activity. In fact, the group was identified behind multiple information operations including\r\nthe discrediting of pro-democracy protests in Hong Kong in 2019,9 attempts to mobilize protesters in the US in\r\nthe context of the Covid-19 crisis,10 and efforts to discourage Americans from voting in the 2022 US midterm\r\nelections.11 More recently, Microsoft reported in April the involvement of Storm-1376 in multiple influence\r\noperations targeting Taiwan, the US, Japan, and South Korea.12\r\neCrime activity poses MEDIUM RISK to the EU Parliamentary election security\r\n(medium likelihood, medium impact)\r\nRansomware and supply chain attacks affecting IT providers of the election infrastructure are the most likely\r\nfinancially motivated cyberattacks that election security may face.\r\nElections in almost all EU countries are conducted using paper ballots. As such, influencing the outcome through\r\ncyber means is unlikely. However, an attack can:\r\nDisrupt voter registration,\r\nRender poll books unavailable,\r\nThwart adjacent IT infrastructure used to communicate instructions to the voters or coordinate\r\ngovernment efforts and operations,\r\nImpact the transmission of results from polling stations and therefore delay the communication of\r\nresults at the national level.\r\nSome of these scenarios would contribute to eroding the voters’ trust in the electoral process and could even\r\ndiscourage citizens from voting.\r\nIn October and November 2023, a ransomware attack affected 103 German municipalities after the breach of the\r\nlocal municipal service provider Südwestfalen-IT. 
Multiple servers were offline for at least 17 days after the\r\nattack. Analysis of the infrastructure of Südwestfalen-IT reveals that it is used for hosting election-related services\r\non behalf of the government administration. A similar attack ahead of or during the electoral process could disrupt\r\nservices related to election organization systems, thereby affecting election security.\r\nWe assess that eCrime actors are unlikely to willingly target election infrastructure and its IT providers during\r\nthe EU parliamentary election. While monetary gain could be significant, there is little incentive to disrupt\r\nelections. In fact, such attacks would attract the attention of Law Enforcement Agencies (LEA), likely triggering\r\nthreat disruption operations. Nevertheless, unintended disruptions cannot be ruled out due to the proliferation of\r\nransomware and supply chain attacks.\r\nHacktivism poses MEDIUM RISK to the EU Parliamentary election security (high\r\nlikelihood, low impact)\r\nPro-Russia hacktivist groups will highly likely continue to target European entities before, during, and after the\r\nEuropean parliamentary elections. Their activity will highly likely take the form of short-lived Distributed Denial\r\nof Service (DDoS) attacks on layer 4 and layer 7 to cause resource exhaustion and system failure. Such attacks,\r\neasily mitigated with anti-DDoS solutions, are unlikely to disrupt election security. Less popular forms of attacks\r\namong pro-Russia hacktivist groups include web defacement, data leak, doxing, and social media hijacking.\r\nSome pro-Russia hacktivist groups will possibly collaborate with APT44 (aka Sandworm). In April, Mandiant\r\nunveiled that XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek are linked to APT44. 
As such, these\r\ngroups could contribute to larger state-sponsored hybrid warfare operations.13\r\nWe assess that other forms of hacktivism are unlikely but cannot be totally ruled out. Radical groups could resort\r\nto some sort of cyberattacks as a means to amplify their messages and influence public opinion amid the electoral\r\nperiod.\r\nSource: https://quointelligence.eu/2024/06/european-election-at-risk-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://quointelligence.eu/2024/06/european-election-at-risk-analysis/"
	],
	"report_names": [
		"european-election-at-risk-analysis"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a90ae795-3c01-4419-8365-07b68df72661",
			"created_at": "2024-07-02T02:00:04.158227Z",
			"updated_at": "2026-04-10T02:00:03.668289Z",
			"deleted_at": null,
			"main_name": "Dragonbridge",
			"aliases": [
				"Spamouflage Dragon"
			],
			"source_name": "MISPGALAXY:Dragonbridge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434137,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8d7843317f679ebe51e95b3a3a2105d68a227ac.pdf",
		"text": "https://archive.orkl.eu/b8d7843317f679ebe51e95b3a3a2105d68a227ac.txt",
		"img": "https://archive.orkl.eu/b8d7843317f679ebe51e95b3a3a2105d68a227ac.jpg"
	}
}