2024 General Election Incident Reporting Wrap-up
By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team
Published December 10, 2024
From October 21 to November 6, 2024, the Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team responded to member incident reports and monitored reporting trends for any notable changes in activity levels. On Election Day 2024, the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) Cyber Situational Awareness room, stood up for member reporting and coordination, hosted over 1,000 participants throughout the day. The CIS CTI team served as a clearinghouse for 2024 general election incident reporting and distributed regular threat updates to EI-ISAC membership. We are pleased to report that there were no reports of successful compromises of elections infrastructure. Most member reporting prior to and on Election Day 2024 consisted of network-based activity (e.g., scanning), spam and phishing, and threats of violence.
Pre-Election Day 2024 Reported Activity
Prior to Election Day 2024, member reporting consisted primarily of password spraying attempts, scanning activity, and brute force attacks. Password spraying occurs when cyber threat actors (CTAs) try a small set of guessed passwords against many enterprise accounts to gain access, rather than hammering a single account. Some members reported these attacks against their virtual private networks (VPNs). The increased volume of reports of password spraying, scanning, and brute force attacks leading up to the election was expected, as there is consistently an overall increase in the volume of member reporting close to Election Day.
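The distinction between password spraying (a few passwords across many accounts) and brute force (many attempts against one account) is what a defender needs to pull out of VPN or authentication logs. The following is an added illustration, not CIS or EI-ISAC tooling: it parses a constructed log format (timestamp, source IP, username, result), uses RFC 5737 documentation addresses as sample sources, and applies illustrative thresholds (five distinct accounts with at most two failures each within ten minutes for spraying; ten failures on one account for brute force) that are assumptions to be tuned per environment.

```python
"""Triage failed logins into password spraying vs brute force.

Added example, not CIS/EI-ISAC code. The log format, IP addresses
(RFC 5737 documentation ranges) and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed VPN auth log: "<ISO timestamp> <src_ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-11-05T08:00:01Z 203.0.113.7 jsmith FAIL
2024-11-05T08:00:03Z 203.0.113.7 mlee FAIL
2024-11-05T08:00:05Z 203.0.113.7 rgarcia FAIL
2024-11-05T08:00:07Z 203.0.113.7 akim FAIL
2024-11-05T08:00:09Z 203.0.113.7 tnguyen FAIL
2024-11-05T08:00:11Z 203.0.113.7 clerk FAIL
2024-11-05T08:01:00Z 198.51.100.9 admin FAIL
2024-11-05T08:01:02Z 198.51.100.9 admin FAIL
2024-11-05T08:01:04Z 198.51.100.9 admin FAIL
2024-11-05T08:01:06Z 198.51.100.9 admin FAIL
2024-11-05T08:01:08Z 198.51.100.9 admin FAIL
2024-11-05T08:01:10Z 198.51.100.9 admin FAIL
2024-11-05T08:01:12Z 198.51.100.9 admin FAIL
2024-11-05T08:01:14Z 198.51.100.9 admin FAIL
2024-11-05T08:01:16Z 198.51.100.9 admin FAIL
2024-11-05T08:01:18Z 198.51.100.9 admin FAIL
2024-11-05T08:02:00Z 192.0.2.5 jsmith FAIL
2024-11-05T08:02:30Z 192.0.2.5 jsmith OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|OK)$")


def parse_log(text):
    """Return (timestamp, src_ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=10):
    """Label each source IP as 'password_spray', 'brute_force' or 'benign'.

    Spray: within one window, many distinct accounts each failed only a few
    times. Brute force: one account failed many times. Thresholds are
    assumptions; tune them to the environment's normal failure rate.
    """
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))

    labels = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        label = "benign"
        # Slide a window over this source's failures, starting at each one.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            busiest = max(per_user.values())
            if busiest >= brute_min_attempts:
                label = "brute_force"
                break
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                label = "password_spray"
                break
        labels[ip] = label
    return labels


def triage(text):
    """Parse a log and return {src_ip: label}."""
    return classify_sources(parse_log(text))


if __name__ == "__main__":
    for ip, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {label}")
```

Grouping by source IP is the key design choice: a single failed login per account looks like a typo in isolation, and only correlating failures across accounts from the same source reveals the spray. In practice the same logic runs against the VPN appliance's authentication log, with the thresholds raised or lowered to match the office's baseline of legitimate failures.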
The CIS CTI team also monitored reports of CTAs conducting Distributed Denial of Service (DDoS) attacks. In most cases, there appeared to be minimal, if any, disruption to targeted websites. In one example, a hacktivist group claimed responsibility for a DDoS attack; however, when contacted about this activity, the member informed us the website had been down for maintenance.
2024 General Election Day Reported Activity
Member reporting on Election Day 2024 mostly consisted of network-based activity including password spraying attempts, scanning activity, and brute force attacks. The types of incidents reported by members generally matched patterns observed during the 2020 U.S. Presidential Election with some notable exceptions (Figure 1). In both years, reports of scanning activity led member reporting. In 2020, reports of scanning accounted for 50% of all member reports, while it only accounted for 26% of member reports in 2024. Many of the reports in 2024 involved benign or routine scanning activity with no indications that elections infrastructure was specifically targeted. Some cases of routine scanning involved malicious IP addresses with a history of scanning networks; some member reports noted the observed scanning activity looked for open ports on their network. CTAs use scanners to search for unpatched vulnerabilities or weak configurations in networks that they can exploit to gain initial access. Total reports of network-based activity accounted for 64% of member reporting on Election Day 2024 compared to 71% in 2020.
Figure 1: Election Day member reporting in 2020 and 2024
Reports of phishing accounted for 6% of member reports in 2024, compared to 10% in 2020. While reports of phishing typically lead member reporting each quarter, Election Day has historically not seen phishing activity as a top reported incident. This is likely due to the increased member focus on network activity and members engaging each other in conversations on observed activity from various IP addresses.
Bomb Threat Reporting
Reports of threats against election offices surged from 2020 to 2024. In 2020, reported threats made up just 2% of member reporting, compared to 14% in 2024. This increase is due to a wave of bomb threats that were emailed out to election offices on Election Day 2024 as well as some reports of swatting incidents. The CIS CTI team received reports from multiple states about these threats, which originated from email addresses with a “.ru” domain as well as from legitimate email providers including “mailium” and “cyberfear.” All emails sent were deemed non-credible, and no explosive devices were found during law enforcement investigations. While some polling locations did temporarily shut down, overall the bomb threats had a minimal impact on constituents’ ability to cast votes on Election Day 2024.
A second wave of bomb threats targeted election offices between November 8 and November 9, 2024. The emails again originated from “mailium” and “cyberfear” domains, and they contained nearly identical language. As on Election Day 2024, no explosive devices were discovered as a result of these emails, and they were deemed non-credible threats. As of the publication of this blog, it is unclear who sent the bomb threats. Figure 2 below is an example of one of the emails.
Figure 2: A bomb threat emailed to an election office on November 8, 2024
Use Threat Insights to Secure Your Elections Office
The CIS CTI team will continue to work with election offices to communicate lessons learned and best practices from Election Day 2024. The member reporting from Election Day 2024 helps us identify trends in reporting and provide critical support for the safety and security of the electoral process. Thank you to all those who shared information with us on Election Day 2024 and thank you to everyone who helped ensure a safe and secure election.