Microsoft warns of Russian election threats, disinformation

Microsoft warned that 2024 election threats from Russian threat actors continue to expand with new influence and disinformation efforts.

In a report published on Tuesday, Microsoft outlined recent shifts it observed from advanced persistent threat (APT) actors trying to interfere with the 2024 U.S. presidential election. The tech giant warned that Russian APT groups have pivoted toward Vice President Kamala Harris' campaign and that there's been an increase in cyber proxies and use of generative AI to reach social media users.

Microsoft said Russian APT groups it tracks as Storm-1516, Ruza Flood and Storm-1679 are increasingly focused on disrupting the Harris campaign since President Joe Biden dropped out of the race.

During recent influence campaigns to disrupt the election, the APTs created fake videos, which garnered significant attention and millions of views, and promoted them on forged media outlets. Microsoft attributed the motive to discrediting the Harris campaign.

One video from Storm-1516 shows supposed Harris supporters allegedly attacking a Trump rally attendee. Microsoft said the fake video was designed to inflame racial and political tensions in the U.S.

"The second video used an on-screen actor to fabricate false claims that Harris paralyzed a girl in a 2011 hit-and-run accident. Storm-1516, following its tried-and-true method outlined in Election Report #3, laundered this video through a website masquerading as a local San Francisco media outlet -- which outlet was only created days beforehand," Microsoft wrote in the report.

Additional election threats, according to the report, include cyber proxies and hacktivists. Microsoft said it tracks several Russia-affiliated cyber proxies and hacktivist groups, including RaHdit, Zarya, Beregini, NoName057, Cyber Army of Russia and Solntsepek. The report referred to cyber proxies as "one of Russia's most acute threats to the 2024 election."

"For Russia, cyber proxies offer a method for potentially laundering compromising information garnered from a hack-and-leak operation while maintaining a veil of plausible deniability for the Kremlin," Microsoft said. "Cyber proxies may also be employed for stoking fear of electoral disruption just before or on Election Day in November."

The report stressed that these groups "are capable of driving news cycles, disrupting public-facing election infrastructure, and laundering pro-Russian propaganda." Microsoft also discovered overlaps between Russian intelligence services and Solntsepek, Zarya and Cyber Army of Russia. Operating as hacktivist groups allows them to appear separate from the Kremlin but still benefit Russia.

"Looking ahead to Election Day, a new set of techniques -- Russian cyber proxies and their amplifiers -- present another, perhaps more pressing threat to the election. We expect that all Russian influence actors outlined in MTAC's [Microsoft Threat Analysis Center] previous election reports as well as this report will continue to spread divisive political content, staged videos, and even AI-enhanced propaganda ahead of the 2024 US presidential election in November," the report read.

Microsoft warned that another APT it now tracks as Volga Flood, formerly Storm-1841, is collaborating with cyber proxies to disrupt the election. The threat actor operates social media channels pretending to be a "grassroots military blogger" to spread disinformation that includes fake investigations and promotional hack-and-leak materials. They also use "eye-catching visuals" to target young audiences.

"Volga Flood is among the leading Russian actors leveraging AI to scale its operations beyond the capabilities of its teams that include regional analytics, illustration, mapping, and foreign language expertise," the report read.

In addition to Russia, Microsoft connected a Chinese-linked threat actor it tracks as Storm-1852 to election interference as well. The report noted that the actor prioritizes a "hands-on, interactive approach" that includes reposting content, replying to comments and polling users. While the Russia APTs sought to undermine the Harris campaign, Microsoft said Storm-1852 doesn't appear to support one candidate over the other. However, the threat actor did amplify conspiracy theories following former President Donald Trump's assassination attempt.

"Directly after the first attempted assassination of former President Trump, Storm-1852 accounts began live re-posting content from influencers and commentators alleging Democrats' involvement and released original short-form videos edited from news footage four to five hours later," the report read.

Microsoft said it will release a pre-election report in mid-October.

Last month at Black Hat USA 2024, CISA Director Jen Easterly spoke during a panel on election threats and how the government agency is responding. Russia was discussed during the panel as a persistent threat. But Easterly said CISA has been preparing for the 2024 election by performing more than 900 physical security assessments, nearly 700 cybersecurity assessments and 370 training sessions.

Arielle Waldman is a Boston-based reporter covering enterprise security news.