US intelligence official claims that Russia uses AI to influence US election

Russia has been the most active foreign power using AI to influence the upcoming United States presidential election, according to a US intelligence official. Moscow’s efforts have focused on supporting Donald Trump and undermining Kamala Harris and the Democratic Party. Russian influence actors are employing AI-generated content, such as text, images, and videos, to spread pro-Trump narratives and disinformation targeting Harris.

In July, the US Justice Department revealed the disruption of a Russia-backed operation that used AI-enhanced social media accounts to spread pro-Kremlin messages in the US. Additionally, Russian actors staged a false hit-and-run video involving Harris, according to Microsoft research. The intelligence official described Russia as a more sophisticated player in comparison to other foreign actors.

China has also been leveraging AI to shape global perceptions, though it is not focused on influencing the US election outcome. Instead, Beijing is using AI to promote divisive political issues in the US, while Iran has employed AI to generate inauthentic news articles and social media posts, targeting polarising topics such as Israel and the Gaza conflict.

Both Russia and Iran have denied interfering in the US election, with China also distancing itself from attempts to influence the voting process. However, US intelligence continues to monitor the use of AI in foreign influence operations as the November 5 election approaches.

Iran-related hackers planted backdoors across Middle East critical infrastructure, according to Mandiant

In a report released on 19 September, Google-owned Mandiant detailed the activities of a group it identified as UNC1860. The report highlighted the group’s advanced tools and hidden backdoors, which continue to be leveraged by other Iranian hacking operations.

The report notes that an Iranian cyber unit within the Ministry of Intelligence and Security (MOIS) has emerged as a key facilitator for the nation’s hackers, offering persistent access to critical systems in the Middle East, particularly in telecommunications and government sectors.

Mandiant adds that these groups allegedly provided initial access for cyberattacks, including operations in late 2023 against Israel using BABYWIPER malware and in 2022 against Albania with ROADSWEEP. While Mandiant couldn’t verify UNC1860’s direct involvement, they identified software designed to support such handoff operations.

UNC1860’s toolkit includes a variety of utilities that enable initial access and lateral movement within networks. These tools are engineered to bypass security software and provide covert access, which could be used for espionage or network attacks.

Mandiant describes UNC1860 as a highly capable threat actor that likely supports a range of goals, from spying to direct network assaults. The firm also reported UNC1860’s collaboration with other MOIS-associated groups like APT34, known for breaching government systems in countries like Jordan, Israel, and Saudi Arabia. A recent APT34 operation was uncovered targeting Iraqi officials.

Taiwan denies China’s cyberattack claims

China has accused Taiwan of cyberattacks, but Taipei firmly rejected the claims, calling them false and accusing Beijing of spreading disinformation. China’s national security ministry recently alleged that a Taiwan-backed hacking group, Anonymous 64, has been attacking targets in China, even releasing photos of individuals it claims are part of the group.

In response, Taiwan’s Defense Minister, Wellington Koo, refuted the accusations, stating that China is the primary perpetrator of global cyberattacks. According to Koo, China frequently targets Taiwan and other democracies, and these latest allegations are just another attempt to shift blame. He emphasised that Taiwan’s military remains committed to defending the nation despite Beijing’s accusations.

Taiwan’s Premier Cho Jung-tai echoed these sentiments, labelling China’s claims as fake news aimed at discrediting Taiwan. He stressed the importance of responding strongly to such disinformation, as it is part of Beijing’s ongoing strategy to undermine Taiwan.

Why does it matter?

The tensions between China and Taiwan continue to escalate, with China persistently asserting its claim over the island. Taiwan, however, maintains its independence, with its government repeatedly stating that only its people can determine their future. Relations between the two remain strained, especially with Beijing’s harsh stance toward Taiwan’s president, Lai Ching-te, whom China labels a ‘separatist.’

China accuses Taiwan hackers of cyber sabotage

China’s Ministry of National Security has accused a Taiwan-based hacking group, Anonymous 64, of orchestrating cyberattacks aimed at discrediting China’s political system. According to a blog post from the ministry, the group, allegedly tied to Taiwan’s military cyberwarfare division, has been targeting Chinese websites, outdoor screens, and television stations to broadcast content undermining mainland policies. In response, Taiwan’s defence ministry dismissed the accusations, claiming China is the natural source of cyber harassment, regularly attempting to destabilise the democratic island.

The allegations are the latest chapter in the escalating tensions between China and Taiwan. China, which claims sovereignty over Taiwan, has ramped up military and political pressure on the island in recent years. Taiwan, in turn, accuses Beijing of spreading disinformation and carrying out cyberattacks. Taiwan’s Information, Communications, and Electronic Force Command responded to China’s claims, asserting that the Chinese government’s military forces are instigating regional instability through ongoing harassment efforts.

The hacking group, which surfaced on X (formerly Twitter) in mid-2023, has posted screenshots of their alleged efforts to infiltrate Chinese media. One video shared by Anonymous 64 featured a masked member likening China’s President Xi Jinping to an emperor, along with footage referencing past protests in China, including the Tiananmen Square demonstrations. However, China contends that many websites the group claimed to have hacked were fake or photoshopped, with minimal online traffic.

As part of its crackdown, China has opened investigations into Taiwan’s cyberwarfare team members. It has called on citizens to report cyberattacks or anti-China propaganda, urging people to avoid spreading unverified information online. Despite the accusations, it remains unclear whether Anonymous 64 has any ties to the international hacking collective Anonymous or whether its alleged actions have been as far-reaching as claimed.

UK’s National Cyber Security Centre leads international effort against botnet threat

The NCSC has collaborated with cybersecurity agencies from the United States, Australia, Canada, and New Zealand to effectively address the global botnet threat. This joint effort underscores the importance of international cooperation in tackling cyber threats that span multiple countries.

By combining their expertise and resources, these agencies have been able to produce a comprehensive advisory that provides detailed information on the botnet’s operation, its impact, and the types of devices it targets. Consequently, this collaboration ensures a robust and unified response to the threat, reflecting the global commitment to enhancing cybersecurity.

Moreover, the advisory issued by these agencies details how the botnet, managed by Integrity Technology Group and used by the cyber actor Flax Typhoon, exploits vulnerabilities in internet-connected devices. It includes technical information on the botnet’s activities, such as malware distribution and Distributed Denial of Service (DDoS) attacks, and offers practical mitigation strategies.

Therefore, it underscores the need for updating and securing devices to prevent them from becoming part of the botnet, providing crucial guidance to individuals and organisations seeking to protect their digital infrastructure. In addition, this international collaboration serves to promote proactive security measures and raise awareness about cybersecurity best practices. The joint advisory urges users to safeguard their devices immediately and avoid contributing to malicious activities.

The NSA alerts on PRC-Linked botnet threat

The National Security Agency (NSA), in conjunction with the Federal Bureau of Investigation (FBI), United States Cyber Command’s Cyber National Mission Force (CNMF), and international allies, has issued a critical cybersecurity advisory. Titled ‘People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations,’ the advisory reveals the extensive activities of cyber actors affiliated with the People’s Republic of China (PRC).

These actors have breached internet-connected devices worldwide, establishing a massive botnet. To address this threat, the NSA has outlined several key mitigations aimed at helping device vendors, owners, and operators secure their devices and networks. These recommendations include regularly applying patches and updates, turning off unused services and ports, replacing default passwords with strong alternatives, and implementing network segmentation to reduce IoT device risks.

Furthermore, the advisory suggests monitoring network traffic for signs of DDoS attacks, planning device reboots to eliminate non-persistent malware, and upgrading outdated equipment with supported models. Moreover, NSA Cybersecurity Director Dave Luber has emphasised the importance of the advisory, noting that it provides crucial and timely insights into the botnet’s infrastructure, the geographical distribution of the compromised devices, and effective mitigation strategies.
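One of the mitigations listed above, monitoring network traffic for signs of DDoS activity, is the kind of check a network defender can script against flow records. The following Python is an added illustrative example, not code from the NSA/FBI advisory or from any agency: it flags devices that, within a short window, contact an unusually large number of distinct destinations with a high packet volume, the outbound pattern an enrolled botnet node shows when it participates in a flood. The flow records, IP addresses, and thresholds are constructed assumptions and would need tuning to a real site’s baseline.

```python
"""Flag devices whose outbound flows look like DDoS participation.

Added illustrative example (not from the advisory). Input records are
constructed, NetFlow-style summaries; thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed values)
    src: str       # source IP of the device under observation
    dst: str       # destination IP
    dport: int     # destination port
    packets: int   # packets in this flow summary


# Constructed sample: two cameras on one IoT segment. 10.0.20.11 behaves
# normally (NTP plus a little HTTPS); 10.0.20.12 sprays large packet
# counts at 120 distinct hosts on port 80 within two minutes.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.20.11", "10.0.20.1", 123, 2),
    Flow(1005, "10.0.20.11", "203.0.113.10", 443, 40),
    Flow(1010, "10.0.20.11", "203.0.113.10", 443, 35),
] + [
    Flow(1000 + i, "10.0.20.12", f"198.51.100.{i % 250}", 80, 500)
    for i in range(120)
]


def flag_ddos_candidates(flows, window=60, min_distinct_dst=50, min_packets=10000):
    """Return {src_ip: (distinct_destinations, packets)} for every source that,
    within some span of at most `window` seconds, contacts at least
    `min_distinct_dst` distinct destinations and emits at least `min_packets`
    packets. The reported pair is the maximum seen over all such spans.
    Thresholds are assumptions; derive them from the segment's normal baseline.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    flagged = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        # Sliding window over the time-sorted flows of this source.
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            win = fl[start:end + 1]
            dsts = {f.dst for f in win}
            pkts = sum(f.packets for f in win)
            if len(dsts) >= min_distinct_dst and pkts >= min_packets:
                prev = flagged.get(src, (0, 0))
                flagged[src] = (max(prev[0], len(dsts)), max(prev[1], pkts))
    return flagged


if __name__ == "__main__":
    for ip, (n_dst, n_pkt) in flag_ddos_candidates(SAMPLE_FLOWS).items():
        print(f"{ip}: {n_dst} distinct destinations, {n_pkt} packets in a "
              f"60 s window; isolate and reboot (clears non-persistent malware)")
```

A hit on a device such as a camera or NAS is a cue to apply the advisory’s other steps in order: segment or quarantine the device, reboot it to clear non-persistent implants, patch or replace it, and rotate any default credentials before returning it to service.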

According to the advisory, the botnet encompasses thousands of devices across various sectors, with over 260,000 devices compromised in North America, Europe, Africa, and Southeast Asia as of June 2024. Consequently, this extensive network of affected devices highlights the urgent need for enhanced security measures to protect against such pervasive cyber threats.

Kremlin-linked troll farm spreads fake news about Kamala Harris, Microsoft reports

Microsoft researchers have uncovered a Russian disinformation operation that falsely accused United States Democratic presidential candidate Kamala Harris of leaving a 13-year-old girl paralysed in a hit-and-run incident in 2011. The operation, led by a Kremlin-linked group called Storm-1516, used actors and fabricated news outlets, including a fake site called ‘KBSF-TV’, to spread the baseless claim. The hoax was widely shared on social media, gaining millions of views.

The disinformation effort is part of a broader Russian campaign to interfere with the upcoming US presidential election. After initial difficulties shifting focus following President Biden’s withdrawal from the 2024 race, Russian actors have targeted Harris and her running mate, Tim Walz, with fabricated conspiracy theories. The false claim against Harris was amplified on social media by pro-Russian figures, including Aussie Cossack, who encouraged MAGA supporters to spread the misinformation.

Microsoft’s investigation highlights how Storm-1516 produces misleading videos featuring actors impersonating journalists or whistleblowers. The hit-and-run story gained traction online, particularly on X.com, where it was shared by key figures within the pro-Russian ecosystem. The US Justice Department has also recently charged two Russian state media employees with money laundering, linked to efforts to influence the election.

US officials believe Russia’s goal is to deepen political divisions within the country and undermine public support for military aid to Ukraine. Kamala Harris has stated her intention to continue supporting Ukraine’s defence against Russia’s invasion if elected.

BlackDice and Bin Omran join forces to boost Qatar’s cybersecurity

BlackDice and Bin Omran Trading and Telecommunication have launched a strategic partnership to enhance Qatar’s cybersecurity infrastructure significantly. Combining their expertise will deliver state-of-the-art cybersecurity solutions, with BlackDice leveraging its AI-powered security and data intelligence to safeguard critical infrastructure and sensitive information.

Additionally, their collaboration will focus on strengthening the cybersecurity capabilities of major telecom operators in the region, thereby boosting network resilience and protecting extensive personal and financial data. Consequently, this comprehensive approach supports DA2030’s goal of creating a secure and resilient digital environment essential for Qatar’s economic diversification and social development.

By addressing the evolving needs of the digital landscape in Qatar, BlackDice and Bin Omran Trading and Telecommunication contribute to the nation’s ambition of becoming a global leader in technology and connectivity and ensuring robust protection against emerging cyber threats.

FBI takes down another Chinese hacking group ‘Flax Typhoon’

The US Federal Bureau of Investigation has disrupted another major Chinese hacking group, dubbed ‘Flax Typhoon,’ which had compromised thousands of devices globally. The FBI and officials from several allied countries accused a Chinese company, the Integrity Technology Group, of running the operation under the guise of an IT firm. FBI Director Christopher Wray revealed that the group was gathering intelligence and conducting surveillance for Chinese security agencies, targeting critical infrastructure as well as corporations, media organisations, and universities.

Cybersecurity officials from the UK, Canada, Australia, and New Zealand also joined the US in condemning the hacking group, noting that over 250,000 devices had been compromised as of June. The operation involved hijacking devices through a botnet—a network of infected cameras and storage devices—and was reportedly part of China’s broader cyber-sabotage efforts. Flax Typhoon’s activities mirrored those of another China-backed group, Volt Typhoon, which has been scrutinised for targeting US infrastructure.

The Chinese Embassy in Washington denied the accusations, claiming that the US had made baseless allegations. Despite China’s dismissal, the FBI remains firm, with Wray emphasising that this takedown is only one part of a longer struggle to counter Chinese cyberattacks. The operation faced some retaliation from the hackers, who launched a cyberattack in response but eventually retreated, leaving the FBI in control of the botnet’s infrastructure.

CISA launches FOCAL plan to strengthen federal cybersecurity

The American Cybersecurity and Infrastructure Security Agency (CISA) has introduced the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan, a key initiative designed to enhance federal cybersecurity across over 100 FCEB agencies. The plan establishes a framework for coordinated support and services, aiming to reduce cyber risks through a unified defence strategy.

The FOCAL Plan prioritises five key areas to advance operational cybersecurity: Asset Management, which focuses on understanding and managing the cyber environment and interconnected assets; Vulnerability Management, aimed at proactively protecting against threats and assessing defensive capabilities; Defensible Architecture, which emphasises building resilient infrastructure; Cyber Supply Chain Risk Management (C-SCRM), to identify and mitigate risks from third parties; and Incident Detection and Response, designed to enhance Security Operations Centers (SOCs) in managing and limiting the impact of security incidents.

CISA also notes that while the FOCAL Plan is tailored for federal agencies, it provides valuable insights for public and private sector organisations. It is a practical guide for developing effective cybersecurity strategies and improving coordination across enterprise security capabilities. Rather than offering an exhaustive checklist, the FOCAL Plan prioritises key actions that will drive significant advancements in cybersecurity and alignment goals within the federal sector.