Behind the 2024 US Election Curtain: Cyberwar’s Silent Sabotage

Behind the 2024 US Election Curtain: Cyberwar’s Silent Sabotage

November 7, 2024 | NSFOCUS

On November 5th, Eastern Standard Time, the United States held its 47th presidential and congressional elections. The 2024 US election process, which began with the Republican Party’s candidate nomination on July 15th, concluded after nearly four months of intense campaigning. Former President Donald Trump and his Republican Party secured a decisive victory, with Trump projected to win the 47th U.S. presidency, and the Republicans securing a majority in Congress.

Elections worldwide have always been prime targets for cyberattacks due to partisan competition and differing values. The 2024 US election was no exception, suffering not only cyberattacks but also unprecedented levels of intensity and frequency.

According to NSFOCUS Security Labs, NSFOCUS Global Threat Hunting System detected a series of sustained DDoS attack activities during the US election, targeting multiple election-related objectives, including websites of presidential candidates, electronic voting systems, election management agencies, and sponsor websites. Notably, these attacks coincided with critical moments in the election period, indicating a meticulously planned campaign by the attackers.

Attack Overview

According to monitoring by NSFOCUS Global Threat Hunting System, since July 2024, during the U.S. election period, election-related websites, as well as sponsor websites like SpaceX and Blackstone, have frequently been targeted by DDoS attacks. Attackers have employed botnets and reflection amplification techniques, using various attack methods such as SYN Flood, UDP Flood, NTP reflection, DNS reflection, and CharGEN reflection. The attack infrastructure is primarily concentrated in North America and Europe, regions rich in network resources that are more easily exploited by attackers.

DDoS Attacks Related to the 2024 U.S. Election

As shown in the figure above, there were five distinct peaks in traffic during this period, which closely align with significant real-world events during the campaign. This suggests that the DDoS attack activities were intentionally timed, raising suspicions about the potential supporters behind the attackers.

The first peak of DDoS attack activities occurred on July 13, when Donald Trump was targeted in a failed assassination attempt during his presidential campaign rally at the Butler Farm Showgrounds in Pennsylvania. This incident led to a significant increase in DDoS attack activities targeting the U.S. election.

The second peak occurred on July 21, following the Democratic Party’s nomination of Kamala Harris as the presidential candidate, officially marking the start of the U.S. presidential election process. This triggered a new wave of DDoS attack activity, primarily consisting of CharGEN and ONVIF reflection attacks. The attack infrastructure was mainly sourced from Europe, with the United Kingdom and France accounting for a significant portion.

The third peak took place from September 10 to September 15, during the first presidential debate between Trump and Harris in Philadelphia, Pennsylvania. During this period, Trump was once again targeted in a failed assassination attempt at his Trump International Golf Club in West Palm Beach, Florida. This seemed to further provoke the attackers, and the peak of DDoS activity reached its highest point. In this phase, botnets were primarily used to launch DDoS attacks, with SYN Flood attacks being the main method, alongside CLDAP and NetAssistant reflection attacks. The attack resources were mainly concentrated in New York and California, with the attack intensity reaching new heights.

The fourth peak occurred on October 5, after SpaceX founder Elon Musk publicly expressed his support for Trump. Following this, websites of Musk’s associated companies were hit by large-scale DDoS attacks. During this phase, DNS and NetAssistant reflection attacks were the primary methods, with attack resources spread across Europe and North America.

As the presidential campaign entered its critical phase, DDoS attack activities became even more intense, with frequent fluctuations in strength. Monitoring data showed a significant increase in the daily average of DDoS activities in October compared to the previous two months. On November 5, the official start of the election, the fifth peak occurred, and DDoS attack activity reached unprecedented levels. According to monitoring data, the primary attack targets during this time were websites related to the election voting process. The sources of the attacks were mainly from the U.S. and Europe, with a mix of SYN Flood, UDP Flood, DNS, and NTP reflection attacks. These attacks included both volumetric and session-based attacks.

Attacks Directly Affecting the Election

Attacks on Pennsylvania’s Election Voting Website

At 20:08:22 Eastern Standard Time on November 5, 2024, as the U.S. election voting was nearing its conclusion, NSFOCUS Global Threat Hunting System detected a DDoS attack on the Pennsylvania election voting website (www.pavoterservices.pa.gov) port 443, lasting 3 hours and 20 minutes. Attackers used various reflection attack methods such as DNS and NTP.

In the 2024 US election, Pennsylvania, as the most critical swing state, has a decisive impact on the outcome of the presidential election. Hackers chose this critical time to launch a DDoS attack on Pennsylvania’s voting website, intending to disrupt the website with a massive influx of traffic, potentially causing delays in the vote-counting process.

Election Voting Website in Pennsylvania, U.S.

Attacks on Wisconsin’s Election Voting Website

Election Voting Website in Wisconsin, U.S.

At 17:31:29 Eastern Standard Time on November 5, 2024, NSFOCUS Global Threat Hunting System detected a DDoS attack on the Wisconsin election voting website (myvote.wi.gov) port 443. In this attack, attackers used a variant of the Mirai botnet, employing TCP SYN Flood to target the website, involving multiple C&C addresses, with 64.xx.xx.140, 37.xx.xx.101, and 139.xx.xx.19 being the main sources of the attack.

As a key swing state in this election, Wisconsin was chosen by attackers to maximize the interference of cyberattacks on the election. Coincidentally, a spokesperson for the state’s largest city, Milwaukee, revealed that due to a “human error,” the voting machines malfunctioned, and approximately 30,000 mail-in ballots needed to be reprocessed through the machines. We speculate that the online voting system may have been subjected to a cyberattack, forcing officials to resort to manual vote counting. This process is more susceptible to regulatory violations, which could potentially lead to disputes over the election results.

Attacks on South Dakota’s Election Voting Website

Election Voting Website in South Dakota, U.S.

On November 5, 2024, at 10:12:12 AM Eastern Standard Time, during the peak voting hours, NSFOCUS Global Threat Hunting System detected a DDoS attack on the South Dakota election voting website (sdsos.gov) port 443, lasting 2 hours and 3 minutes. Attackers used a variety of reflection attack methods such as CLDAP, NTP, and CharGEN.

As a traditionally Republican “red state,” such attacks could potentially impact the political landscape of the state. DDoS attacks can temporarily disrupt voters’ access to election-related information, causing further complications in the voting process and hindering the overall election proceedings.

Attacks Indirectly Affecting the Election

In the 2024 U.S. election, the Republican Party, led by Donald Trump, received strong support from figures such as Elon Musk, founder of SpaceX, and Stephen Allen Schwarzman, CEO of Blackstone. On October 5, Musk even shared a stage with Trump to publicly announce his unconditional support for the Republican Party, encouraging his followers to cast their votes for Trump in pursuit of his personal agenda.

During the election period, NSFOCUS Global Threat Hunting System detected severe DDoS attacks on the websites of companies such as SpaceX and Blackstone. As influential supporters in this election, their founders or CEOs used platforms like X (formerly Twitter) to publicly express their political leanings and frequently engaged in political activities. The attacks on these websites not only harmed their companies’ interests but also indirectly affected the political dynamics of the U.S. election.

Attacks on SpaceX’s Starlink Website

Starlink Website

On October 5, Elon Musk, founder of SpaceX, publicly expressed his support for Trump.

On October 10, 2024, at 1:38:15 AM Eastern Standard Time, NSFOCUS Global Threat Hunting System detected a DDoS attack on SpaceX’s Starlink website (www.starlink.com), using NTP reflective amplification for the attack, lasting 23 minutes.

The Starlink system has over one million users in the United States and is widely used in the field of communication services. Therefore, the DDoS attack not only affected SpaceX’s business operations but also potentially disrupted the normal communication of a large number of users reliant on the Starlink system.

Attacks on the Blackstone Group’s Website

Blackstone Website

At 04:38:15 Eastern Standard Time on August 15, 2024, NSFOCUS Global Threat Hunting System detected a DDoS attack on the Blackstone website (www.blackstone.com) port 443, using NTP reflection and amplification for the attack, lasting 1 hour and 28 minutes.

Another supporter of Trump, Stephen Allen Schwarzman, CEO of Blackstone, served as an economic advisor to Trump’s campaign team. In this context, the DDoS attacks on Blackstone’s company website not only disrupted the company’s normal operations but could also have impacted the Trump campaign’s activities.

Thoughts on the Election-Related Events

The DDoS attack activities during the 2024 U.S. election further highlight the strong correlation between the physical world and the cyber world. Forms of violence in the real world often manifest in similar ways in cyberspace. As a quick and impactful attack method, DDoS attacks are often maliciously used as a form of venting frustration or executing cyber violence.

Since the inception of DDoS attacks, their scale has evolved from single machines or a few dozen bots to large-scale, botnet-controlled attacks that now involve millions or even tens of millions of devices. What began as a form of personal show-off and disruption has gradually evolved into a tool for business competition and, more recently, into a weapon of cyber warfare. During the U.S. election, DDoS attacks were employed in the context of political factionalism. Whether in the real world or cyberspace, any form of violence is unacceptable. DDoS attacks not only damage the legitimate interests of the victims but also disrupt the normal social order.

Looking at various DDoS attack incidents in recent years, it is clear that the application scenarios of DDoS attacks have become diversified, making them a favored tool among attackers. Therefore, there is an urgent need for continuous global tracking of DDoS attack activities, the establishment of a global monitoring system, and collaborative defense mechanisms. This will help to better understand the driving forces behind such attacks, track the current global DDoS threat landscape, and detect and respond to potential threats promptly.