October 29, 2024 | Memo

Foreign Malign Election Meddling Persists but Struggles to Gain Traction

October 29, 2024 | Memo

Foreign Malign Election Meddling Persists but Struggles to Gain Traction

Introduction 1

In September 2024, FDD published a report documenting Russian, Chinese, and Iranian influence operations targeting the 2024 U.S. elections.2 This follow-up report details the ongoing efforts of U.S. adversaries who seek to undermine voters’ confidence in the electoral process in the weeks leading up to the November election. To raise public awareness and aid efforts by the U.S. government and research community to track these campaigns, this report documents new content from several significant, previously exposed influence operations. It also shows that many of these operations appear to have failed to gain significant traction.

The new content described in this report follows a well-established pattern: Russia continues to criticize Vice President Kamala Harris heavily and promote former President Donald Trump. Iran criticizes both candidates but generally favors Harris while criticizing Trump. China criticizes both candidates, often using antisemitic tropes to allege that Israel controls both candidates.

Both government-affiliated and independent researchers have documented much of the infrastructure of Russian, Iranian, and Chinese campaigns, including domains and social media accounts.3 To date, these researchers have largely exposed foreign malign influence operations before their narratives and posts went viral. Nevertheless, the U.S. government and social media platforms should act more quickly to dismantle the known infrastructure associated with influence operations, including domains and social media accounts.

Americans must avoid either overestimating or underestimating the severity of the threat of foreign influence to U.S. elections. Accordingly, FDD continues to publicize ongoing influence operations while carefully documenting their limited reach. To facilitate balanced appraisals, the U.S. government should similarly provide metrics or estimations of reach and impact whenever it shares information with the public about malign influence operations. Americans must remain vigilant without becoming fearful.

The Kremlin’s Legacy of Malign Influence Lives On

Yevgeny Prigozhin, the notorious Russian leader of the Wagner mercenary group, founded the infamous Internet Research Agency (IRA) troll farm that sought to influence the 2016, 2018, and 2020 U.S. presidential elections.4 These operations raised public awareness of foreign malign influence campaigns. Although Prigozhin died in a plane crash in August 2023, his legacy of malign influence lives on through another organization that he helped found: the Foundation to Battle Injustice (FBI/FBR).5

FBI/FBR is a self-described “independent non-profit organization,” but in the past, it has explicitly acknowledged that it was “founded with the assistance of Russian entrepreneur Yevgeny Prigozhin.”6 A 2022 U.S. Department of the Treasury press release about Russian political influence operations noted that a sanctioned Russian operative “sought to collaborate with Prigozhin’s Foundation for Battling Injustice (FBR) about the feasibility of directly supporting a specific candidate in a 2022 U.S. gubernatorial election.”7 The FBI/FBR’s website has published several articles criticizing Vice President Kamala Harris over the past three months. Many of these articles feature outlandish, conspiratorial claims, and a broader ecosystem of pro-Russian propaganda websites has echoed several of them.

FBI/FBR began publishing articles critical of Harris less than two weeks after President Joe Biden ended his reelection campaign.8 Its first article claimed that her presidential campaign benefits financially from proceeds gained from the cremation and burial of Ukrainian soldiers.9

Several weeks after Harris became the official nominee, the FBI/FBR published an article titled “Kamala Harris’ inner circle is responsible for the legalization of pedophilia in the US, mass trafficking and sexual abuse of Ukrainian children.”10 The article claims that Harris’s running mate, Gov. Tim Walz, “personally manages a pedophile network that sells Ukrainian children to representatives of the American political and financial elite.” This article notably echoes a similar narrative that the FBI/FBR spread before the UK elections earlier this year claiming that the British political elite have trafficked Ukrainian children and other vulnerable groups.11

Figure: Infographic from FBI/FBR visualizing elaborate alleged scheme to funnel funds from child trafficking to the Harris campaign via Tim Walz.

Other FBI/FBR articles allege Harris is involved in human trafficking and is “preparing mass terror against Trump using illegal immigrants and Ukrainian refugees.” The article adds that Harris plans to end free speech and that the “prison lobby” funds Harris.12 While the outlet has consistently attacked Harris, it often discusses President Donald Trump in a sympathetic light, echoing key talking points from Trump’s own supporters that the “Democrats’ hate campaign” led to the first Trump assassination attempt and that “Joe Biden is using the US judicial system as a tool to fight its main opponent.”13

Known Russian influence operations are amplifying the FBI/FBR’s content. At least three websites associated with Portal Kombat, a pro-Russian propaganda network first exposed by French state agency VIGINUM, have shared links to the FBI/FBR’s article alleging that Harris and Walz are involved in trafficking Ukrainian children.14 These three sites (namely, pravda-en[.]com, news-pravda[.]com, and feed-news[.]com) feature nearly identical graphic design.15

In general, Portal Kombat’s English-language domains rapidly generate a high volume of U.S. election-related content, often posting new articles every few minutes, a practice that strongly suggests the use of automation. The content tends to be pro-Trump and anti-Harris. Many of these sites source content from Russian state media, such as Russia Today and RIA Novosti, as well as pro-Kremlin Telegram channels.16 One previously unexposed Portal Kombat domain, pravda-us[.]online, focuses almost exclusively on U.S. issues, with dedicated sections for Trump and Harris, as well as for Biden, Defense Secretary Lloyd Austin, and Secretary of State Antony Blinken.

The Portal Kombat network proves highly responsive to breaking news events. For example, the network posted content related to the October vice presidential debate in real-time, including videos from associated accounts on the Russian social media platform Vkontakte titled “JD Vance on Comrade Kamala’s border policies” and “Is Walz taking over for Biden as chief GAFFE Master?”17

As detailed in FDD’s previous reporting in September 2024, Russian influence operations targeting the U.S. elections often weave criticism of Ukraine and Zelensky into criticism of Harris.18 Portal Kombat is no exception. For example, the network shared many articles framing Zelensky’s trip to the United States in September 2024 as a form of election interference intended to help Harris’s campaign.19

Figure: Article from the Portal Kombat domain framing Zelensky’s trip to a munitions factory in Philadelphia as a form of election interference.

Other previously exposed Russian influence operations also pivoted in September to focusing on the U.S. elections. Foreign influence experts with CheckFirst revealed that a multifaceted Russian influence operation known as Operation Overlord has changed its focus from the Olympics and Ukraine to the U.S. elections.20 The network operatives sent an email to CheckFirst itself claiming Harris’s IQ is only 83, a “very low score!” Another pro-Russian influence operation, CopyCop, first exposed by Recorded Future, created a new website targeting Californians featuring a video in which an actor claimed that Harris had run over a teenager with her car.21 The website was taken down shortly after its exposure.

Fake Iranian Websites Begin Commenting on Local Elections

FDD’s previous report identified 19 Iranian domains posing as U.S. and global media outlets.22 The domains posing as American outfits continue to produce substantial content about the presidential election and have also begun commenting on state elections.

The conservative Savannahtime[.]com published at least 15 election-related articles between August 20 and September 29.23 Several of these articles have focused on state-level issues in order to challenge the integrity of the forthcoming U.S. presidential election. An article from September 29 titled “Preserving Election Integrity: The Mississippi Mail-in Ballot Challenge” discusses a pending court case about whether mail-in ballots should be counted if they are postmarked on election day but received after.24 Another article published on September 29, which falsely identifies its author as former Michigan congressman Mike Rogers, alleges previous “election day shenanigans” but seeks to mobilize readers to “make the election too big to rig.”25

The far-right Teorator[.]com published 14 election-related articles between August 19 and September 29, including one postulating that Ryan Routh, the man charged with attempting to assassinate Trump, was “a pawn in a larger game” and controlled by the “deep state.”26 While the website’s election-related content primarily focuses on federal elections, the site has covered voter registration issues in Arizona and North Carolina, highlighting both states to heighten reader concerns about election integrity.27

Figure: Article from Teorator[.]com casting doubt on the integrity of U.S. elections.

Afromajority[.]com, a progressive site targeting African Americans, published at least a dozen articles related to the 2024 U.S. presidential election between August 20 and September 21. Several of the website’s recent articles encourage readers to vote and campaign for Harris.28 Like several websites that make up this Iranian network, the site has also reported on state elections, including, for example, an article from September 21 condemning North Carolina Republican gubernatorial candidate Mark Robinson.29

Another progressive site, Westlandsun[.]com, published 39 election-related articles between August 20 and September 30, including several articles on state elections in North Carolina, Arizona, and Texas despite the website’s overall focus on Muslims in Michigan.30

Niothinker[.]com published 20 election-related articles between September 11 and 30. EvenPolitics[.]com published at least 15 election-related articles from September 5 to 30.31 Lalinearoja[.]net published seven election-related articles from August 24 to September 30.32 For reasons that are unclear, the Iranian website targeting veterans, NotOurWar[.]com, has not published any election content in the last two months.

The websites continue to demonstrate a deft ability to respond rapidly to major election-related developments, including the Trump campaign’s claims about Haitian immigrants.33 Teorator[.]com published “Haitian Immigrants Feasting on Local Fauna” on September 12 and another article a week and a half later warning that “[t]he American heartland is under siege” from an “influx of migrants” because the Biden administration has created “dubious new pathways for otherwise illegal immigrants to enter and stay in America.”34

Beyond this network of fake news websites, Iran has also continued to utilize websites associated with the International Union of Virtual Media (IUVM), an Iranian influence operation that has created vast networks of domains targeting global audiences since at least 2012. First identified by Reuters and later sanctioned by Treasury for being owned or controlled by the Islamic Revolutionary Guard Corps’ Quds Force (IRGC-QF), IUVM generally produces anti-U.S. and anti-Israel content.35 In the past two months, however, it has also published several articles and political cartoons about the 2024 U.S. presidential election.36 Although formerly critical of Biden, IUVM has recently published content that is markedly pro-Harris.37 IUVM primarily utilizes two domains to disseminate its content, iuvmarchive[.]org and iuvmpress[.]co, although the content overlap between both domains is considerable.38 These websites remain active despite Treasury’s sanctions.

Figure: Anti-Trump political cartoons from iuvmarchive[.]org and iuvmpress[.]co.

China’s Spamouflage Network Amps up Its Attacks Against Harris; Chinese State Media Questions Importance of Elections

FDD continues to track the X activity of the persistent Chinese influence operation Spamouflage. Numerous research institutions, including FDD, have exposed various components of Spamouflage’s U.S. election-related activity,39 but the activity continues.

FDD’s previous election report discussed how Spamouflage increasingly began to criticize Harris after Biden dropped out of the race.40 This continued throughout September.41 One notable post from September presents a Green Party image while claiming that Biden and Harris seek to “stifle democracy, manipulate votes, and deprive voters of their right to choose.”42 Other posts claim that Harris is a puppet, a liar, and pro-war and that she receives disproportionate financial support from Microsoft and Google.43

Figure: Spamouflage post claiming that Biden and Harris seek to undermine the integrity of U.S. democracy, with its text accompanied by an image apparently sourced from the Green Party.

FDD follows one Spamouflage account that posts a high volume of pro-Trump content. This account appears similar to other Spamouflage accounts posing as Trump supporters previously reported by Graphika and the Institute for Strategic Dialogue.44 The Spamouflage accounts that do not pose as Trump supporters often criticize both Trump and Harris for their support of Israel. A Spamouflage account paired a caricature originally created by a pro-Iran Yemeni cartoonist with text saying that no matter who wins the election, “they will not change their stance on Judaism.”45 Another similar post writes “republicans and democrats, one and the same,” and shares a photo of the Israeli, American, and Nazi flags.46

Figure: Post from Spamouflage account sharing cartoon created by Yemeni cartoonist accompanied by antisemitic statement implying Jews control the United States.

In addition to content about Harris and Trump, Spamouflage continues to push content denigrating the U.S. democratic process more broadly.47 One post says, “Political parties only care about votes, never about race or school shootings,”48 while another claims, “The U.S. system is malfunctioning” as “the ‘deep government’ that actually controls power only cares about the interests of the political and business oligarchs.”49

In parallel with covert operations such as Spamouflage that attempt to disguise their connections to Beijing, China also overtly pushes polarizing content about U.S. elections through official channels such as state media and public officials. Chinese state media outlets such as Xinhua News Agency, The Global Times, and China Global TV Network (CGTN) publish articles alleging that regardless of who Americans elect, the winner will precipitate America’s decline. Xinhua News Agency, for instance, produced a short video series called House of Cuts — parodying the Netflix TV series House of Cards — which makes light of political violence in the United States. One video minimizes the significance of the July 13 assassination attempt against Trump by saying, “It’s easier to snag an AR-15 than a box of Sudafed these days” and “Our country is just one bad tweet away from civil war.”50 In another video, fictitious U.S. presidential candidate Frank Upperwood is instructed by an advisor that, in U.S. presidential debates, “Even babbling nonsense is better than silence” and that “Elections aren’t about making America great, but to let people feel they’ve got some say.”51

Figure: Chinese cultural attaché to Islamabad Zhang Heqing reposts an episode from Xinhua News Agency’s “House of Cuts” to X.

Chinese officials also push alarmist statements about the potential for political violence in the United States. Zhang Heqing, the Chinese cultural attaché to Islamabad, has served as one of the chief sources disseminating anti-U.S. and election-related content. Zhang’s X account, which boasts over 400,000 followers, shares content quoting Chinese academics asserting that increased political polarization and economic maladies could drive America into civil war or that the “deep state” seeks to deprive Trump of the presidency.52

Most Foreign Malign Influence Activity Has Limited Traction 

Fortunately, most Iranian, Russian, and Chinese efforts detailed in this report appear to have gained limited traction among American citizens. Most adversarial, influence operation websites received few page visits, and most social media posts garnered relatively little organic engagement.53

According to Similarweb, a website that analyzes web traffic, fewer than 4,500 visits to the FBI/FBR’s website between June and August came from the United States. In this same time period, two Portal Kombat domains, pravda-us[.]online and feed-news[.]com, received less than 1,000 visits, none of which came from the United States. Less than 20 percent of pravda-en[.]com’s 35,000 visits (or fewer than 7,000 visits) and less than 4 percent of news-pravda[.]com’s 175,000 visits (or fewer than 7,000 visits) came from Americans.

Five out of the eight Iranian influence operation websites discussing U.S. elections did not even generate enough traffic to be monitored by Similarweb. Niothinker had the greatest reach with over 4,000 visits from American readers between June and August. Iuvmarchive[.]org and iuvmpress[.]co each garnered fewer than 1,000 visits by American readers, and Teorator received less than 400. China’s Spamouflage campaign also appears to continue to garner relatively little engagement on X.

The adversarial content that FDD has observed gaining the most traction includes two X posts from the head of the FBI/FBR alleging, “Democrats are planning to use an army of illegal immigrant criminals to destroy the MAGA movement.” The posts have collectively garnered over 600,000 views (as of October 17, 2024).54 Amplification of other content described in this report on social media came primarily from known pro-Russian, pro-Iranian, and pro-Chinese accounts or fringe websites and forums.

‘Perception Hacking’ Can Undermine Public Confidence in the Security and Integrity of U.S. Elections

Hacktivists and nation-states masquerading as hacktivists have a history of falsely claiming the success of their cyberattacks or exaggerating the impact of their attacks, a tactic known as “perception hacking.”55 These groups often amplify statements about their attacks via Telegram channels and dedicated websites.56 The intent of the false claims — besides self-aggrandizement — is to create unwarranted fear. The risk with regard to the election is that perception hacking could undermine Americans’ confidence in the process even when hackers have not compromised election systems.57

The U.S. government has warned the public about perception hacking, urging Americans to view incredulously all claims that the U.S. election infrastructure has been compromised. On September 12, 2024, the Cyber and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning of possible “attempts to undermine public confidence in the security of U.S. election infrastructure through the spread of disinformation falsely claiming that cyberattacks compromised U.S. voter registration databases.”58 They specifically urged Americans not to mistake the hackers posting voter registration information with a successful corruption of voting machines.

“The reality is that having access to voter registration data is not by itself an indicator of a voter registration database compromise” because “most voter registration information is available to the public,” CISA and the FBI explained.59 Americans should “not accept claims of intrusion at face value,” they continued but should instead “remember that these claims may be meant to influence public opinion and undermine the American people’s confidence in our democratic process.”60

In addition to posting voter registration data, hackers may launch distributed denial of service (DDoS) attacks or website defacement attacks against election-related websites or conduct hack-and-leak operations to reveal otherwise non-public information. Attacking public-facing election-related websites and the websites of political campaigns may give the impression that the perpetrators have the ability to compromise core election infrastructure. Hacktivists may launch ransomware attacks against election infrastructure, yet even previous, successful, and localized ransomware attacks on election infrastructure have had “no impact on the security and accuracy of ballot casting or tabulation,” according to CISA and the FBI.61

False claims of successful influence operations are themselves a form of perception hacking to undermine Americans’ faith in the democratic process. In 2018, the notorious Russian malign influence outfit known as the Internet Research Agency set up USAIRA[.]ru, which claimed that a massive Russian influence operation targeting the midterm elections had gone undetected. Outing itself as a foreign influence operation actually furthered IRA’s goals to undermine faith in the U.S. democratic process. The IRA website asserted, “Whether you vote or not, there is no difference as we control the voting and counting systems. Remember, your vote has zero value.”62

Recent hacktivist activity targeting Austria in the lead-up to its elections in September should serve as an additional warning to Americans about the type of perception hacking that may occur. While it is not clear if the campaign was effective, the tactic is one that hackers may repeat in the United States.

According to cybersecurity firm Radware, a pro-Russian hacktivist group named Noname057(16) partnered with other pro-Russia hacktivist groups to “check on cybersecurity ahead of upcoming elections” in Austria.63 The campaign attacked at least 40 targets, including government sites, airports, and the Vienna stock exchange.64 Multiple Austrian political parties issued notices that DDoS attacks had taken down their websites.65

Despite the lack of evidence that this campaign compromised websites specifically related to Austrian elections, Noname057(16) claimed that it compromised “more than 120 critical infrastructure sites” and caused “incalculable” damage to the Austrian economy. They even uploaded an animated video showcasing targeted Austrian domains to Telegram.

Figure: Telegram post by Noname057(16) exaggerating the impact of its cyberattacks in advance of the Austrian elections.

Recommendations

The U.S. government has stepped up its efforts to combat foreign malign influence targeting the 2024 elections. In addition to CISA and the FBI’s advisories, the Office of the Director of National Intelligence releases regular alerts on the issue. The Justice Department indictments against both the operators of Doppelganger and Americans acting as foreign agents for Russia, the Treasury’s sanctions against Russian state media outlets, and Meta’s decision to ban these outlets, are all major steps in the right direction. Adversaries, however, continue to launch influence operations against the U.S. elections. FDD’s previous report contained five recommendations to thwart and mitigate foreign influence operations. They included sanctioning the financial networks that facilitate illicit cyber activity, conducting more robust investigations, dismantling known infrastructure, working with U.S. allies to hold hosting providers accountable, and providing more technical information about influence operations. In light of the continuing malign operations documented above, this report again emphasizes the need to dismantle the infrastructure on which these operations rely:

  1. Take down known malicious domains and social media networks: FDD’s previous report noted the importance of dismantling the infrastructure of known influence operations. While U.S. law enforcement has seized domains and issued indictments against malign influence actors, many previously exposed influence operations targeting the U.S. elections remain online and active.66 The U.S. government should work with international partners as necessary to seize known malicious websites, and social media companies should take down networks of inauthentic social media entities that foreign influence actors use in their operations.

This report also adds one new recommendation to those FDD made previously:

  1. Add reach and impact assessments to U.S. government malign influence updates: The U.S. government should add an analysis of the reach and impact of foreign malign influence to its regular updates about influence-related threats to the U.S. elections. This would help Americans avoid either overestimating or underestimating the threat. Though measuring the reach and assessing the impact of foreign malign influence are challenging tasks, the U.S. government can provide statistics about visits to websites and social media engagement and use established frameworks to assess impact. One example is Ben Nimmo’s breakout scale that assesses whether a campaign has spread across platforms and communities, reached mainstream media, led to policy changes in response, or led to calls for physical violence.67

Conclusion: Americans Should Remain Vigilant

The decision of reporters across American mainstream media not to publish Trump campaign materials hacked by Iranians demonstrates that American society, at least in some respects, has proven remarkably more resilient to foreign malign influence than in 2016, when reporters readily published compromised materials from the Clinton campaign.68 Indeed, the activity that FDD details in this report appears to have largely failed to gain significant engagement, perhaps further indicating that Americans are less susceptible to foreign influence than media coverage of these campaigns might indicate. Without exaggerating the threat, the United States must remain vigilant.

Download
Foreign Malign Election Meddling Persists but Struggles to Gain Traction

Issues:

Issues:

Cyber Disinformation