How Can Activity on the Dark Web Affect Elections?

A big year for elections around the world

The political arena is set for a historic year, with more than two billion people across 50 countries potentially heading to the polls. With the UK general election only days away, the changing international situation may see governments not only defending their parliamentary seats, but defending democracy against cybercrime and politically motivated threats. 

In this blog we provide a quick overview of how the dark web, deep fakes, the spread of misinformation, and technological interference could challenge elections.

Previous electoral interference

While there is no known precedent for an election result being directly changed by a cyberattack against an electoral system, in the past threat actors have targeted government infrastructure and sought to hijack narratives.

The Russian interference in the 2016 US election is perhaps the best documented. This was a three-pronged campaign to influence the outcome of the election: 1. Using social media, 2. Hacking networks to obtain and leak sensitive documents, and 3. A spear phishing campaign designed to put the legitimacy of the election into question if Hilary Clinton won.

While this was the most notable orchestrated campaign, there have been plenty of examples of threat actors targeting election systems and individuals since.

Russian state-backed actors were also accused of carrying out a complex attack on the 2017 presidential campaign in France, which included the breach and leak of Emmanuel Macron’s emails.

In August 2023, the UK elections watchdog revealed it had been the victim of a cyberattack potentially affecting millions of voters. The Electoral Commission said unspecified “hostile actors” had managed to gain access to copies of the electoral registers from August 2021. It was also revealed that hackers had broken into its emails and control systems before the attack was discovered in October 2022.

Although democracy was not brought into disrepute following this cyberattack, data of UK citizens on the electoral register between 2014 and 2022 was accessed. This includes those who opted to keep their details off the open register – which is not accessible to the public but can be purchased, for example by credit reference agencies. The commission couldn’t provide details of how many many people had been affected, but it estimated that the register for each year contains personal details of around 40 million people.

More recently, German security investigators reported a serious cyberattack targeting the EU chief of the Christian Democratic Union Ursula von der Leven, just days before the 2024 European elections. Law enforcement noted that politically motivated cyberattacks have increased ahead of this month’s EU election, with many linked to Russian state-sponsored actors. Juhan Lepassaar, head of the European Union Agency for Cybersecurity (ENISA), last week told the media that attempted attacks doubled from the last quarter of 2023 to the first quarter of this year. “This is part of the Russian war of aggression, which they fight physically in Ukraine but digitally also across Europe,” he said.

German officials said: “The manner in which the attack was carried out points to a very professional actor.” And the German Interior Ministry said it should warn all parties in the German Bundestag about the attack. The Ministry also said “Authorities have ramped up all protective measures against digital and hybrid threats.”

Where will the threat of a cyberattack come from?

A 2023 annual review by the National Cyber Security Centre (NCSC) highlighted how the cyber threat landscape for elections has evolved significantly since the 2019 general elections. A joint parliamentary committee of MPs and peers has warned prime minister Rishi Sunak that the election is an “attractive target for malicious actors trying to destabilize the UK.” This is because of:

• Changing international political situation, especially since the war in Ukraine which has influenced election outcomes in some democracies.
• The rise of new cybercriminal groups and individuals, such as those who are politically motivated and/or state-aligned.
• Advancements in technology, including artificial intelligence which has made it possible for cybercriminals with little or no IT skills to spread false information.
• The change of character of cybercrime, such as proliferation of individuals and criminal organizations selling the likes of ransomware-as-a-service (RaaS).

There’s no doubt that the biggest threat of a cyberattack comes from “hostile states” such as Russia. Professor Anthony Glees, a security and intelligence expert at the University of Buckingham recently pointed to the different aims of hostile countries: “What Russia wants is chaos. I don’t believe Putin gives two hoots about who wins [the UK general election] on July 4th; he simply doesn’t want anyone to win big. What he wants is a disunited United Kingdom, he wants our democracy to be destabilized.” 

Beyond the geo-political aspect, another prominent concern is politicians being personally targeted online, especially among the rise of incidents of violence against politicians. In February we spoke to The i  newspaper in the UK and shared our observations of the extremism that takes place on the dark web. 

Louise Ferrett, Senior Threat Intelligence Analyst at Searchlight Cyber explained that “you find quite a few sites that are hosting extremist propaganda material”, with forums where politicians being discussed mostly attracting “virulently anti-government, anti-authority characters, or extremists that are not happy with the kind of people that are in power.” 

While most of the discussions of violence on these forums are believed to be fantasy based, Louise recommended that monitoring the dark web “can be used to act as an early warning system if there’s a spike in negative sentiment against a particular person.”

What are the motives of a cyberattack during an election?

The motives of cyberattacks come in all shapes and forms, but with attacks based around a general election there are three motives for malicious actors:

• Influence.
• Disrupt.
• Undermine.

Influence

Malicious activity on the dark web such as disinformation campaigns can be designed to influence voters and the public’s opinion. The disinformation they put out is written and comes across  in a way that ultimately favors particular candidates or parties.

Cyberattacks to access personal voter information can help threat actors to target their information operations. Armed with stolen databases and information, attackers can create highly targeted disinformation or misinformation campaigns using social media. Although measuring the true impact of these campaigns is difficult. They can significantly manipulate general public opinion, encouraging or discouraging voter turnout from a certain demographic to influence the result, or using information to manipulate specific social groups.

When it comes to who would undertake this type of attack, foreign nation states who want to affect foreign policy by influencing the victory of their preferred candidate, or conducting a cyberattack  to discover and even leak voting preferences of individuals or groups of interest to support their own agenda.

Disrupt

The second motive is disruption. This can be achieved by attacking election technology and infrastructure, for example delaying electoral processes, or damaging the integrity of critical databases. Impeding the process of voting, such as registration or casting ballots may mean that the voting public are unable to do so. Another disruption tactic is election fraud and voter impersonation, which would cause large-scale disruption. 

Again, nation states will attempt these tactics to ensure a preferred outcome, damage the voting system, want to change the effect of an election result, or hacktivists that want to cause mayhem.

Undermine

If attack and misinformation campaigns are conducted, this can be deeply damaging and undermine public trust and the integrity of the electoral process and results.

The defacement of results and other confusion tactics may also reduce confidence in outcomes at a societal level. Any indication that an election has been tampered with could bring into question its integrity. 

These kinds of tactics may be employed by nation states in an attempt to destroy faith in democratic systems and societies, or by activists who are unhappy with the results of an election.

What type of attacks are we expecting to see?

In terms of the threat posed to the up and coming UK general election, experts are particularly concerned about audio deepfakes that may undermine any results.

With Sir Keir Starmer, and Sadiq Khan falling victim and being targeted by fake audio, Ciaran Martin, the former director of the UK’s National Cyber Security Centre (NCSC) explained that he is particularly worried about deepfake audio. “I’m particularly worried right now about audio, because deepfakes are spectacularly easy to make, disturbingly easy. And if they’re cleverly deployed, they can have an impact.”

Martin went on to explain that “targeted deepfake audio is the biggest threat right now, with no blanket solution.”

MPs taking part in the UK general election have been warned by the NCSC and GCHQ that any of them could be targeted by deepfakes, and candidates and their staff should avoid using their personal mobile phones to post on social media about the campaign. 

Deepfakes have already been used to influence major elections. In 2023, hours before the polls closed in the Slovakian presidential election, an audio fake of one of the candidates claiming to have rigged the election went viral, which resulted in the candidate being heavily defeated.

Video deepfakes have also been observed in the US, for example in a video featuring altered footage of Nancy Pelosi, Alexandria Ocasio-Cortez and Joe Biden in 2023.

Monitoring for disruptive election activity

As billions of people go to the polls around the world, governments and law enforcement agencies will be working hard to ensure elections are fair and to remove any disruptive influence from threat actors. As we’ve established in this blog, the threats are wide and varied, from direct cyberattack on electoral registers and voting systems, to influence campaigns using deep fakes that look to manipulate voters. Part of the solution will be for government and law enforcement agencies to actively monitor the dark web for indications that particular systems or individuals are being targeted, so they can take action to mitigate the impact of voter manipulation, influence, or disruption.