A MICROSOFT THREAT INTELLIGENCE REPORT

## Date: August 9, 2024

Foreign malign influence concerning the 2024 US election started off slowly but has steadily picked up pace over the last six months, due initially to Russian operations but more recently to Iranian activity. This third election report from the Microsoft Threat Analysis Center (MTAC) provides an update on what we’ve observed from Russia, Iran, and China since our [second report in April 2024, “Nation-states engage in US-focused influence operations ahead of US presidential election.”](https://blogs.microsoft.com/on-the-issues/2024/04/17/russia-us-election-interference-deepfakes-ai/)

Over the past several months, we have seen the emergence of significant influence activity by Iranian actors. Iranian cyber-enabled influence operations have been a consistent feature of at least the last three US election cycles. Iran’s operations have been notable and distinguishable from Russian campaigns for appearing later in the election season and employing cyberattacks more geared toward election conduct than swaying voters. Recent activity suggests the Iranian regime—along with the Kremlin—may be equally engaged in election 2024.

MTAC continues to examine authoritarian content to detect the malicious use of generative AI. This effort supports Microsoft’s commitment to the Tech Accord to Combat Deceptive Use of AI in 2024 Elections. Since our last report in April 2024, MTAC published a [report](https://blogs.microsoft.com/on-the-issues/2024/06/02/russia-cyber-bots-disinformation-2024-paris-olympics/) regarding Russian influence operations to undermine the 2024 Summer Paris Olympics, in which Storm-1679 has repeatedly utilized generative AI in its campaigns to little effect. In this installment, MTAC identifies a Russian and a Chinese actor that have employed generative AI—but with limited to no impact.
In total, we’ve seen nearly all actors seek to incorporate AI content in their operations, but more recently many actors have pivoted back to techniques that have proven effective in the past—simple digital manipulations, mischaracterization of content, and use of trusted labels or logos atop false information.

## Iran enters the fold with cyber-influence operations starting June 2024

Iranian actors have recently laid the groundwork for influence operations aimed at US audiences and potentially seeking to impact the 2024 US presidential election. This recent cyber-enabled influence activity arises from a combination of actors that are conducting initial cyber reconnaissance and seeding online personas and websites into the information space.

US and other global elections have been a persistent target for Iran’s cyber-enabled influence operations in recent years. As we noted in our [first elections report](https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2023/11/MTAC-Report-2024-Election-Threat-Assessment-11082023-2-1.pdf) last November 2023, “during the 2020 US presidential election, Iran launched multiple cyber-enabled influence operations that impersonated American extremists, and attempted to sow discord among US voters and incite violence against US government officials. Since 2020, Iran extended its track record of election meddling, amplifying cyberattacks with parallel online influence operations in Bahrain and Israel.” As seen in Figure 1 below, Iran has employed fabricated media, impersonations and in many cases cyberattacks throughout the last four years targeting the US, Bahrain, and Israel.
_Figure 1: Iranian influence actors’ election-focused tactics, techniques, and procedures_

Looking forward, we expect Iranian actors will employ cyberattacks against institutions and candidates while simultaneously intensifying their efforts to amplify existing divisive issues within the US, like racial tensions, economic disparities, and gender-related issues. Here’s what we’ve seen thus far in 2024 from Iranian actors with respect to the upcoming US election.

_Sefid Flood prepares for possible influence operations_

Sefid Flood, an Iran-linked influence actor, began staging for influence operations in the 2024 US elections following the Iranian New Year in late March. Sefid Flood specializes in impersonating social and political activist groups in a target audience to stoke chaos, undermine trust in authorities, and sow doubt about election integrity. This group’s operations may go as far as intimidation, doxing, or violent incitement targeting political figures or social/political groups.

_IRGC threat actors enter preparatory stage for likely cyber-enabled influence_

In June 2024, Mint Sandstorm—a group run by the Islamic Revolutionary Guard Corps (IRGC) intelligence unit—sent a spear-phishing email to a high-ranking official of a presidential campaign from a [compromised email account of a former senior advisor](https://www.wsj.com/public/resources/documents/Stone2.pdf). The phishing email contained a fake forward with a hyperlink that directs traffic through an actor-controlled domain before redirecting to the listed domain. Mint Sandstorm similarly targeted a presidential campaign in May and June 2020, five to six months ahead of the last US presidential election. On June 13, Mint Sandstorm also unsuccessfully attempted to log in to an account belonging to a former presidential candidate.
Mint Sandstorm’s target selection and timing—days prior to phishing an active presidential campaign and months ahead of the election—suggest their attempted authentication may also be election-related. Given Mint Sandstorm’s [regular targeting](https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/) of senior political officials for intelligence collection unrelated to elections, additional evidence is required to make a determination. Regardless of the intent, this targeting is a reminder that senior policymakers should be cognizant of monitoring and following cybersecurity best practices even for legacy or archived infrastructure, as they can be ripe targets for threat actors seeking to collect intelligence, run cyber-enabled influence operations, or both.

In May, Peach Sandstorm (a.k.a. APT-33)—another group with assessed links to the IRGC—compromised a user account with minimal access permissions at a county-level government in a swing state. The compromise was part of a broader password spray operation from the group, and Microsoft Threat Intelligence did not observe any lateral movement or privilege escalation, making it difficult to determine whether it was election-related. While it is unclear if related, it is worth noting that the targeted county had undergone a race-related controversy that made national news this year. Since early 2023, Peach Sandstorm’s operations have focused on strategic intelligence collection, particularly in the satellite, defense, and pharmaceutical sectors, with some targeting of US government organizations, often in swing states.
_Iran-run covert news sites target US voter groups_

An Iranian network, Storm-2035, comprising four websites masquerading as news outlets, is actively engaging US voter groups on opposing ends of the political spectrum with polarizing messaging on issues such as the US presidential candidates, LGBTQ rights, and the Israel-Hamas conflict. This group is part of a broader campaign that has been operating since at least 2020 and includes over a dozen covert news sites targeting French, Spanish, Arabic, and English-speaking audiences with social and political content. In 2022, [Mandiant reported](https://cloud.google.com/blog/topics/threat-intelligence/2022-midterm-election-threats) on one of the news sites, EvenPolitics, noting that the site had published articles discussing the 2022 US midterm elections. An inauthentic amplification network promoting the website was taken down by the X platform in 2022, but the site remains active, publishing around ten articles a week.

A more recently created site, Nio Thinker, first began publishing in late October 2023. The site’s early publications focused on the Israel-Hamas conflict, but have increasingly shifted to the US elections in recent months. Its content caters to liberal audiences and includes sarcastic, long-winded articles insulting Trump, including calling him an “opioid-pilled elephant in the MAGA china shop” and a “raving mad litigiosaur”[1] (see Figure 2). Another site, Savannah Time, claims to be a “trusted source for conservative news in the vibrant city of Savannah.” The site focuses heavily on Republican politics and LGBTQ issues, particularly gender re-assignment. MTAC has not observed significant social media amplification of these sites as of yet, though it is possible they will begin closer to election day.

_Figure 2: June 7 article criticizing Donald Trump published in one of the covert network’s outlets, Nio Thinker._
MTAC found evidence indicating the sites are using AI-enabled services to plagiarize at least some of their content from US publications. Examination of webpage source code and indicators in the articles themselves suggests the sites’ operators are likely using SEO plugins and other generative AI-based tools to create article titles and keywords, and to automatically rephrase stolen content in a way that drives search engine traffic to their sites while obfuscating the content’s original source.

[1] archive.is/Mvf3X

## Russian actors sustain influence operations aimed at US audiences

MTAC has observed three Russian influence actors involved in campaigns aimed at the 2024 presidential election. MTAC tracks these as (1) Ruza Flood (a.k.a. Doppelganger[2]), (2) Storm-1516, and (3) Storm-1841 (a.k.a. Rybar). Each has produced election influence campaigns to varying degrees of effectiveness.

As noted in our April 2024 election update, the most impactful of these actors as of late June 2024 is Storm-1516, which pivoted in late April from Ukraine-focused operations to targeting the US election with its distinctive video forgeries.[3] Storm-1516 consistently launders narratives through videos seeding scandalous claims from fake journalists and nonexistent whistleblowers and amplifying that disinformation via inauthentic news sites. Since April, Storm-1516 has attempted to drive headlines with fake scandals claiming that the US Central Intelligence Agency (CIA) directed a Ukrainian troll farm to disrupt the upcoming US election, that the Federal Bureau of Investigation (FBI) wiretapped former US President Donald Trump’s residence, and that Ukrainian soldiers burned an effigy of Trump. MTAC anticipates the US election will remain this actor’s top priority as November approaches.

_Figure 3: Storm-1516 created fake whistleblower testimony claiming the CIA instructed a Kyiv troll farm to meddle in the US election (left). In May, Storm-1516 staged a video in which fake Ukrainian soldiers burned an effigy of former President Donald Trump (right)._

Ruza Flood continues its amplification of pro-Kremlin narratives but has not distributed significant US election content since our last report. Meanwhile, actors associated with the prolific Russian military blogging and content creation collective Rybar—which Microsoft refers to as Storm-1841—have set their sights on US immigration issues. Rybar, which until 2022 was associated with the late Russian oligarch Yevgeny Prigozhin’s RIA FAN media empire, also manages US-focused Telegram channels including Topic du Jour (US domestic political news) and Blood Meridian (US southern border immigration news). More recently, in January and February 2024, Rybar created accounts on Telegram and X using the name “TEXASvsUSA.” TEXASvsUSA posts regularly feature inflammatory news updates, invoke racial dog whistles, and call for mobilization and violence. These posts have most notably included a 30-second AI-generated video titled “Hold the Line,” depicting a horde of immigrant zombies amassing on the southern US border.

_Figure 4: This image depicts the TexasvsUSA account manager’s efforts to increase user engagement with a sticker and branding campaign, offering money for user-submitted content._

[2] disinfo.eu/doppelganger-operation/
[3] nytimes.com/2024/05/15/us/politics/russia-disinformation-election.html

## China

Chinese Communist Party (CCP)-linked influence actors continue to engage US audiences on divisive political issues, expanding to new platforms and evolving their tactics to engage new audience spaces ahead of November. Beginning in late April through late May, the most prolific of these actors, Taizi Flood (a.k.a. Spamouflage), leveraged hundreds of accounts to stoke outrage around pro-Palestinian protests at US universities.
Taizi Flood assets appeared to mimic students involved in the protests, reacting in real time as students clashed with law enforcement across campuses, and lifted text from authentic accounts with directions to demonstration locations. Some of these accounts seeded left-leaning messages into right-wing groups—likely either to further agitate conflict about the protests or misunderstanding which US audiences would be most receptive to their intended message.

_Figure 5: Taizi Flood asset claims to be a student supporting the pro-Palestinian protests on US college campuses._

Another CCP-linked influence actor, Storm-1852, has begun pivoting to short-form video content on political topics to garner audience engagement. These original videos criticize the current administration or mock President Biden, suggesting that he is unfit for office. Some of these videos have garnered hundreds of thousands of views—significantly outperforming Taizi Flood campaigns, but still relatively small in overall scale.

_Figure 6: Short-form video from Storm-1852 sockpuppet receives over 145K views._

## Appendix A: Iranian actors with assessed links to election interference

|Actor|Assessed affiliation|Notable past activity|
|---|---|---|
|Cotton Sandstorm (a.k.a. Emennet Pasargad)|IRGC|Leans heavily on cyber-enabled influence operations to influence elections, but also makes use of influence-only operations. Has targeted US, Bahraini, and Israeli elections.|
|Lemon Sandstorm (a.k.a. Fox Kitten)|IRGC|Iranian threat actor known for ransomware hack-and-leak operations; reportedly gained access to a local US election results website in 2020.[4] The attack was reportedly thwarted by US Cyber Command, but officials predicted that the group may have sought to tamper with the displayed results to undermine trust in the election outcome.[5]|
|Mint Sandstorm (a.k.a. Charming Kitten)|IRGC|Ahead of the 2020 US presidential elections, they unsuccessfully attempted to log in to accounts of Trump administration officials and Donald J. Trump for President campaign staff.[6]|
|Peach Sandstorm (a.k.a. APT33)|IRGC|Targeted US state government agencies in late September 2022, possibly to gain access ahead of close US Senate elections. While that attempt appeared unsuccessful, it suggests that Peach Sandstorm may be positioned to support elections-related influence operations.|
|Sefid Flood|Unknown|Targeted Israel during its 2022 election and has been prolific in its operations targeting Israeli activist groups more broadly with influence-only operations. There are indications that this actor conducted reconnaissance on US and Bahraini candidates ahead of their respective 2022 elections.|
|Storm-1660|Unknown|Actor that conducts influence-only operations, responsible for several personas masquerading as “Black Flags” activists opposed to Israeli Prime Minister Benjamin Netanyahu. Meta attributes the group to the Iranian IT company Elya Information Technology Research Center (EITRC).[7] This actor may be linked to Sefid Flood.|

[4] washingtonpost.com/technology/2023/04/24/election-2020-iran-hacking/
[5] washingtonpost.com/technology/2023/04/24/election-2020-iran-hacking/
[6] https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/
[7] about.fb.com/news/2020/11/october-2020-cib-report/