Just So You Know: Foreign Threat Actors Likely to Use a Variety of Tactics to Develop and Spread Disinformation During 2024 U.S. General Election Cycle
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the efforts posed by foreign threat actors to spread disinformation in the lead up to, and likely in the days following, the 2024 U.S. general election. Foreign threat actors are knowingly disseminating false claims and narratives that seek to undermine the American people's confidence in the security and legitimacy of the election process
The FBI and CISA have no information suggesting malicious cyber activity against U.S. election infrastructure has compromised the integrity of voter registration information, prevented an eligible voter from casting a ballot, impacted the integrity of any ballots cast, or disrupted the ability to count votes or transmit unofficial election results in a timely manner. However, foreign adversaries may use false or misleading narratives that indicate otherwise to further their objectives of undermining American public confidence in democratic processes and institutions.
While foreign malign influence operations and disinformation targeting American elections are not new, the proliferation of generative artificial intelligence (AI)-enabled tools is exacerbating pre-existing tactics. Generative AI-enabled tools have lowered the barrier for foreign malicious actors to conduct more sophisticated influence campaigns. We are seeing foreign actors use these tools to develop and distribute more compelling synthetic media messaging campaigns and inauthentic news articles, as well as synthetic pictures and deepfakes (video and audio) at greater speed and scale across numerous US- and foreign-based platforms. These efforts to develop content are designed to undermine voter confidence and to entice unwitting consumers of the information to discuss, share, and amplify the spread of false or misleading narratives.
Foreign threat actors use a variety of methods, often in tandem, to knowingly spread and amplify false or misleading claims about voting processes and results, including false claims that the processes or results have been compromised by malicious cyber activity to cast doubt on the legitimacy or outcome of the vote. These actors use commercial firms, paid influence, witting and unwitting Americans, publicly available and dark web media channels, online journals, messaging applications, spoofed websites, emails, text messages, and fake online personas on U.S. and foreign platforms to spread and amplify these false claims.
In previous public service announcements, the FBI and CISA raised awareness about tactics that could be used in foreign malign influence operations to undermine public confidence in elections. Those announcements highlighted foreign threat actors' use of publicly available voter registration information as "evidence" to falsely claim that a cyber operation compromised voting systems or altered election results. Similarly, foreign threat actors may falsely claim that ransomware or distributed denial of service incidents impacting election offices could impact the security or accuracy of vote casting or counting processes.
Russian Influence Efforts
As part of efforts to combat foreign actors who are seeking to interfere in and influence U.S. elections, the Department of Justice (DOJ), in collaboration with federal partners, has taken a series of actions to degrade Russian threat actors' capabilities to conduct these malign influence campaigns.
In July 2024, the DOJ, in coordination with U.S. and international partners, exposed a covert Russian government-operated, AI-enhanced social media bot farm using specialized software to create fictitious social media personas at scale. In September 2024, the DOJ took steps to disrupt Russian government-directed foreign malign influence campaigns by seizing more than 32 internet domains controlled by Russian government malign influence actors. The DOJ also indicted employees of a Russian state-controlled media outlet who covertly funded and directed a U.S.-based company that deployed nearly $10 million to disseminate pro-Russian narratives to a U.S. audience.
Over the course of these actions, the DOJ seized website domains that Russian malign influence actors created and deliberately designed to look like legitimate mainstream news websites (see below for examples). Many of the seized domains employed "cybersquatting," — a method of registering a domain intended to mimic another person's or company’s domain. The images below are screen captures of articles produced by these Russian government actors. These examples include websites such as "washingtonpost.pm", and "fox-news.in," which are not the real websites of the Washington Post and Fox News
Russian government or proxy-created fake media websites falsely presenting as prominent U.S. news outlets with
propaganda messaging and articles to further the threat actors’ intended messaging and goals.
Russian malign influence actors also created fake social media profiles posing as U.S. citizens to direct users to these fake news websites and purchased social media advertisements to drive traffic to the specific fake articles on the fake news site. The Appendix at the end of this document provides a compilation of websites that the FBI, Department of State, or Department of Treasury have previously publicly attributed to Russian malign influence actors, as well as websites and social media accounts that the Intelligence Community has attributed to Russian malign influence actors.
Iranian Influence Efforts
In addition to Russia, Iran is also undertaking influence operations as it has in past election cycles, including through its cyber apparatus, targeting current and former U.S. government officials, members of the media, nongovernmental organizations, and individuals associated with U.S. political campaigns. Iran is probably using generative AI and inauthentic personas to hide its hand and attempt to sow discord during the 2024 U.S. election cycle. On September 27, 2024, the DOJ charged three Iranian nationals identified as employees of the Islamic Revolutionary Guard Corps (IRGC), for a wide-ranging hacking conspiracy targeting current and former U.S. officials. The three IRGC employees are alleged to have conspired to hack into accounts of current and former U.S. officials, members of the media, nongovernmental organizations, and individuals associated with U.S. political campaigns. That indictment further alleged that in June 2024, the IRGC conspirators engaged in a "hack-and-leak" operation, in which they sought to weaponize campaign material stolen from a U.S. Presidential campaign. Additionally, the FBI, U.S. Cyber Command, the Department of Treasury, and the United Kingdom's National Cyber Security Centre have previously disseminated a Joint Cybersecurity Advisory that includes a list of malicious domains used by cyber actors working on behalf of the IRGC, which is linked below. We have also seen Iranian actors use similar tactics as Russian malign influence actors where they create inauthentic news sites posing as a legitimate media organization (see example below).
Iranian government or proxy-created website presenting as a fake local news organization, which uses
propaganda messaging and articles to further Iran's intended messaging and goals.
Recommendations
We urge the American public to critically evaluate the sources of the information they consume and to seek out reliable and verified information from trusted sources, such as state and local election officials. Specifically, we recommend the American public take the following precautions:
Educate yourself and others on the tactics of foreign malign influence operations, including the use of generative AI and deep-fakes, and their goal to undermine American public confidence in U.S. democratic institutions and processes. Greater public awareness may help limit the spread of foreign malign influence campaigns.
Seek out information from trusted, official sources, such as state and local election officials, and verify
reported claims through trusted, official sources before sharing such information.
To better understand what you are viewing, know the media and social media company policies and citation rules to denote or disclose content created or doctored with generative AI tools. When viewing content, consider who produced it and look for labels that may identify the content as AI-generated.
Consider reporting information concerning suspicious or criminal activity, to include the distribution of knowingly false information regarding the time, place, or manner of elections designed to deprive individuals of their right to vote, to their local FBI field office.
Role of the FBI and CISA in Elections
The FBI and CISA coordinate closely with federal,state, and local election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of U.S. elections. The FBI, alongside DOJ prosecutors, is responsible for investigating and prosecuting election crimes, foreign malign influence operations, and malicious cyber activity targeting election infrastructure and other U.S. democratic institutions. The FBI does not investigate, collect, or maintain information on U.S. persons solely for the purpose of monitoring activities protected by the First Amendment. CISA, as the Sector Risk Management Agency for Election Infrastructure, is the federal government lead for working with critical infrastructure owners and operators, including the election infrastructure community, to ensure the security and resilience of election infrastructure from physical and cyber threats.
Victim Reporting and Additional Information
We encourage the public to report information concerning suspicious or criminal activity, to include the distribution of knowingly false information regarding the time, place, or manner of elections designed to deprive individuals of their right to vote, to their local FBI field office (www.fbi.gov/contact-us/field).
For additional assistance to include common terms and best practices, such as media literacy, please visit the following websites:
Appendix A: Websites and Accounts Operated by Russian Malign Influence Actors
The following websites the U.S. Government either attributes to or assesses are highly likely to be operated by Russian malign influence actors. Websites denoted with an asterisk have previously publicly attributed to Russian malign influence actors by the FBI, Department of State, or Department of Treasury.
50statesoflie.com*
uschina.online*
washingtonpost.ltd*
50statesoflie.media*
uschina.press*
usareally.com*
acrosstheline.press*
warfareinsider.us*
welt.ltd*
artichoc.io*
waronfakes.com*
welt.ws*
bild.work*
washingtonpost.pm*
welt.media*
electionwatch.io*
delfi.top*
spiegel.work*
electionwatch.live*
afrinz.ru*
nd-aktuell.net*
faz.ltd*
africanstream.media*
nd-aktuell.pro*
forward.pw*
americanfront.info*
nd-aktuell.co*
fox-news.in*
vip-news.org*
obozrevatel.ltd*
grenzezank.com*
begemot.media*
milliyet.com.co*
holylandherald.com*
syncreticstudies.com*
albayan.me*
honeymoney.info*
eramedia.com*
gulfnews.ltd*
honeymoney.press*
fortruss.blogspot.com*
faz.agency*
infobrics.org*
geopolitica.ru*
sueddeutsche.ltd*
lemonde.ltd*
globalresearch.ca*
sueddeutsche.cc*
leparisien.ltd*
inforos.ru*
tagesspiegel.ltd*
levinaigre.net*
anticrisis.cc*
fraiesvolk.com*
lexomnium.com*
webkamerton.ru*
fraiepozition.store*
liesofwallstreet.com*
katehon.com*
fraiepozition.site*
liesofwallstreet.io*
journal-neo.org*
bild.bz*
meisterurian.io*
novaresistencia.org*
lefigaro.me*
mypride.press*
odnarodyna.org*
70-putin-freunde.de*
oneworld.press*
onmedia.io*
freikorps.press*
pravda-ua.com*
openrevolt.info*
jfriecorp.press*
rbk.media*
orientalreview.org*
sieben-fragen-putin.de*
rrn.media*
thered.stream*
tonline.life*
rrn.world*
ritmeurasia.org*
tonline.today*
shadowwatch.us*
rt.com*
t-onlinr.life*
spicyconspiracy.info*
ruptly.tv*
t-onlinr.live*
spicyconspiracy.io*
riafan.ru*
t-onlinr.today*
spiegel.agency*
fznc.world*
delfi.today*
sueddeutsche.co*
strategic-culture.org*
spiegel.fun*
tagesspiegel.co*
unitedworldint.com*
spiegel.today*
tribunalukraine.info*
tsargrad.tv*
winter-is-comming.de*
truthgate.us*
bild.llc*
reuters.cfd*
Ukrlm.info*
bild.ws*
reuters.cyou*
bild.vip*
repubblica.icu*
repubblica.world*
socialharmony.de*
manabalss.li*
musubalss.org*
spiegel.ink*
sueddeutsche.online*
dailymail.cam*
dailymail.cfd*
delfi.life*
repubblica.life*
spiegeli.life*
spiegeli.live*
spiegeli.today*
reuters.sbs*
blld.live*
itcb.life*
dekommnt.live*
ukcommunity.vip*
spiegelr.live*,
spiegelr.today*
spiegelr.life*
50StatesOfLie <X account>
t-onlinl.life*
foxnews.cx*
AcrossTheLine11 <X account>
t-onlinl.live*
inforos.ru*
alhiwar.cc
alhiwar.me
t-onlinl.today*
infosco.org*
bostontimes.org
sueddeutsche.life*
southfront.org
besuchszweck.org
sueddeutsche.today*
allons-y.social
brennende_frage <X account>
sueddeutsche.site*
brennendefrage.com
brennendefrage.cc
atlanta-observer.com
alternativereport.us
carsondispatch.com
atlantabeacon.org
candidat.news
centernewscentral.com
antifashist.com
candidat_news <X account>
centerpointbeacon.com
american-freedom.org
capitolpulse.org
civiccentury.org
civiccommentary.org
conservativecompass.org
conservativecontext.com
civiccorner.org
conservativecorridor.com
democracydive.com
civiccreed.com
conservativecourier.org
daybreakdigest.org
civiccurrent.com
cropmarketchronicles.cc
derrattenfanger.io
civiccurve.com
cropmarketchronicles.us
derrattenfanger.net
conservativecamp.org
dc-free-press.org
DragonflyTimes <X account>
conservativecatch.org
deintelligenz.com
epochpost.org
conservativechannel.org
deintelligenz.io
flagstaffpost.com
conservativecircuit.com
democracydepth.com
flyoverbeacon.com
derglaube.online
democracydrive.org
franceeteu.today
derleitstern.cc
derbayerischelowe.info
franceeteu <X account>
derleitstern.com
derglaube.com
freedomfacade.com
arbeitspause.org
freedomfixture.com
freedomforge.info
freedomfoundry.info
freemediaforum.info
gopguardian.com
governancegaze.com
grunehummel.com
GruneHummel <facebook Name>
hauynescherben.net
hauynescherben.press
hauynescherben <X account>
heartlandharbor.org
heartlandhaven.org
heartlandheadlines.net
heartland-inquirer.org
honestcitizens.org
houstonpost.org
il_corrispondente.com_ <instagram Name>
il-corrispondente.com
rybar <telegram Name>
corrispondente.io
interventionist.cc
interventionist.com
interventionist.us
Intrvntnst <X account>
kaputteampel.cc
kaputteampel.com
KaputteAmpel <X account>
kbsf-tv.com
lansingtribune.org
la-sante.info
laterrasse.io
laterrasse.online
leaderledger.net
lebelligerant.com
lebelligerant.io
lebelligerant <X account>
le-continent.com
lesfrontieres.media
lesfrontieres <X
southfront.press
lavirgule.news
lesifflet.cc
lesifflet.net
LexOmnium <X account>
libertylagoon.org
libertylantern.org
libertylaunch.org
libertylectern.org
libertypressnews.com
libertyvoice.info
lonestarcrier.com
madison-gazette.org
maplechronicles <telegram Name>
meriblood <telegram Name>
miastagebuch.com
nationalcrier.com
nationalmatters.org
nationalnarrative.org
nationnotebook.com
newscenterpress.org
news-front.su
strategic-culture.su
orientalreview.su
journal-neo.su
noticiasbravas.com
notrepays.today
observateurcontinental.Fr
omnam.life
oraclenews.org
partyperspective.com
patrioticpage.com
patrioticparade.com
patrioticpioneer.com
patrioticpulse.info
phoenixpatriot.org
policypaddock.com
policypassage.com
policypatch.com
policypath.org
policypeak.org
policyplatform.info
policyporch.org
politicalpioneer.com
politicalplot.org
politicalporch.com
politicostream.com
politnavigator.news
politnavigator <telegram Name>
politnavigator <X account>
politnavigator <youTube Name>
polskikompas.com
pulsepress.org
purplestatepost.com
raleigh-herald.com
Rattenfangernet <X account>
red-blue-tribune.com
redstategazette.com
redstatereport.net
republicrally.com
republicrange.com
republicregard.com
republicreview.net
republicripple.com
republicroot.com
republicroots.org
republicrundown.com
rightrealm.net
rightresonance.org
rightrevival.org
rightrundown.com
senatesight.com
signaldaily.org
silverstatesignal.org
southfronteng <telegram account>
southfroneng <X account>
SouthFrontEnThree <facebook>
statestage.org
thearizonaobserver.com
tribunetimes.org
unitytrend.com
ULM_Info <X account>
TruthGateOff <X account>
voice-of,europe.eu
ukraine-inc.info
vanguardviews.com
votervista.net
bild.asia
spiegel.pro
TEXASvsUSA <telegram Name>
topicdujour <telegram account>
dailymail.top
TEXASvsUSA <X account>
interventionist.io
SpConspiracy <X Name>
wanderfalke.net
facts.matter.me
faz.life
naebc.com
sueddeutsche.me
scopestory.com
rybar_force <X account>
rightreview.org
Appendix B: Websites Operated by Iranian Malign Influence Actors
The following websites the U.S. Government either attributes to or assesses are highly likely to be operated by Iranian malign influence actors.
