ZeroFox Assessment: Threats to the Democratic National Convention

The most important takeaways from this research are that high-profile organizations, particularly in the political realm, are key targets for malicious actors who no longer need to use sophisticated technology or methods to create chaos or cause harm. This was not a new breach by any measure, and the DNC has talented cyber professionals monitoring for exposures every day to prevent large-scale attacks. This report serves to augment their efforts, and it is our responsibility as analysts and industry partners to shine a light on potentially harmful situations. We have every confidence that the DNC is taking the appropriate measures to protect itself and its delegates, especially amid one of the most talked about election years we’ve seen in some time.

Executive Summary: Threats to the Democratic National Convention

The Democratic National Convention (DNC) will be held at the United Center and McCormick Place convention centers in Chicago, Illinois, from August 19–22, 2024. The two venues are approximately 5.7 miles apart. The United Center will host the event’s official proceedings and primetime speeches, while McCormick Place will be the home for non-televised DNC business. According to party officials, approximately 5,000 delegates, 12,000 volunteers, 20,000 media members, and 50,000 other visitors are expected to enter the city for the event, in addition to thousands of protesters. The recent change in the Democratic nominee for president and the July 13 assassination attempt on former President Trump just days ahead of the Republican National Convention (RNC) have likely shifted the threat landscape significantly. Potential allies, such as international diplomats and business leaders, as well as adversarial protesters and foreign intelligence agencies will likely be using the DNC to learn about a new slate of politicians, some of whom they may know little about. The event is very likely to attract a wide array of foreign interests, which increases the likelihood of espionage attempts to discern the policy positions of the possible new administration and some of its leading actors who will be in attendance at the DNC.

Physical Security Preparations for the DNC

Security ahead of the DNC will very likely be heightened, and movement around the arena will be greatly restricted following the assassination attempt on former President Trump. The assassination attempt was deemed a major security failure that will very likely lead to tighter security and vetting of potential threats to avoid a similar outcome. U.S. security agencies identified no credible threats ahead of the RNC, nor have they found any ahead of the DNC to date, but have warned that broad polarization and deepening societal fissures could drive radicalized domestic threat actors to target the convention. The primary security threat to the DNC likely remains protesters eager to gain access to the event, but security forces are very likely concerned about lone wolf assailants hoping to carry out attacks that are difficult to trace and have relatively little planning. 

  • Days of large gatherings and the presence of high-profile politicians could prove attractive targets for domestic terror groups or lone-wolf assailants.

To reduce the possibility of violent threat actors targeting the DNC, local and federal security forces will establish numerous street closures (as well as pedestrian and vehicular restrictions) in Chicago’s Near West Side and South Loop neighborhoods surrounding the two main venues. These measures will go into effect at 10:00 PM local time on August 16, 2024, for the area around McCormick Place and at 7:00 PM on August 17, 2024, for the United Center.

Sabotage

U.S. political conventions are well-choreographed events designed to keep high-profile individuals and spectators on a strict routine. Therefore, disrupting the logistics of the event may be a goal for threat actors. Ahead of the Olympics, ZeroFox warned that sabotage of public infrastructure was a major concern. Like in Paris, security services protecting the DNC have established a tight security cordon around the event, which could encourage saboteurs to pursue targets further away, like rail lines, bridges, power lines, and power plants.

  • In France, saboteurs targeted rail and internet cables outside of Paris in nine different areas, likely because security forces were concentrated on downtown Paris.
  • While no culprits have been identified, ZeroFox warned before the Olympics that Russian-backed threat actors had been staging sabotage events throughout Europe as part of their hybrid war against Ukraine supporters. Some unnamed French authorities reportedly believe the saboteurs may have also been left-leaning activists, and they arrested dozens of environmental protesters who were reportedly planning “sabotage or radical protest acts.”

Environmental activists could be featured among the protesters, and the event presents a more obvious target for Russian-backed groups as the Biden administration is a stronger supporter of Ukraine than former President Donald Trump or his running mate, JD Vance, both of whom have called for ending aid to Ukraine.

Terrorism

Since the Israel-Hamas war began in October 2023, authorities have issued several security warnings over the heightened risk of a terror attack on large gatherings. Despite the warnings issued, it is very unlikely that the Islamic State (IS) or similar groups have the capability to carry out a large-scale coordinated attack on a high-security event like the DNC. Rather, security forces are more likely concerned about the risk of lone wolves hitting soft targets, such as protesters gathered away from United Center or McCormick Place, or other convention-related events outside of the security zones, like watch parties.

  • IS welcomes and encourages lone-wolf attacks in its name. Unlike larger orchestrated attacks, knife/small arms attacks and vehicular assaults require little instruction. They could include unsophisticated improvised explosive devices (IEDs) that attackers learn to build online.

ZeroFox has not observed any potential threats from other extremist groups—including the domestic White Nationalist groups that have targeted political and pro-choice, LGBTQ+, and civil rights-related gatherings in the recent past. Some have notably led to clashes with counter-protesters and security forces, most of which have been between groups like the Proud Boys and ANTIFA (anti-fascist) in the lead-up to the 2020 presidential election.

Boycott and Protest Activity

Protests by pro-Palestinian activists are very likely but are expected to be less disruptive, given that Vice President and presidential nominee Kamala Harris is known to be less supportive of Israel's operations in Gaza than President Joe Biden.

  • Pro-Palestinian protesters may also attempt to enter the arena as DNC guests and demonstrate solidarity with Palestinians during delegate counting or speeches. 
  • ZeroFox anticipates that the DNC is a more likely target for pro-Palestinian protests—both because the Biden administration is responsible for U.S. policy in support of Israel in its war with Hamas and because there is a higher possibility that pro-Palestinian delegates and guests will be at the DNC.

The majority of the unrest is anticipated on August 19 and 22, 2024, when March on the DNC 2024 (a coalition of left-leaning activist groups) plans to hold large-scale demonstrations from Union Park on Chicago’s Near West Side. Security officials have approved a protest route from there to near the United Center that includes Washington Boulevard and Hermitage Avenue. However, it does not allow protesters closer than several blocks away from the venue and has been rejected by leading activists as “inadequate.” As of August 6, 2024, the exact protest route is unclear as a judge is currently deciding whether the limited protest route violates the freedom to protest.

Groups expected to take part in the protests include:

  • Act Now to Stop War and End Racism (ANSWER)
  • U.S. Palestinian Community Network
  • Students for Justice in Palestine
  • Anti-War Committee Chicago
  • Students for a Democratic Society
  • Chicago Alliance Against Racist and Political Repression
  • International League of People’s Struggles
  • Freedom Road Socialist Organization
  • Arab American Action Network
  • Code Pink
  • Bayan USA
  • American Muslims for Palestine

Other politically-motivated protest groups may use the DNC to promote their cause; this could include protests in support of or against aid to Ukraine, abortion, immigration, climate change, or the cost of living.

Cybersecurity Threats to the DNC

In between the RNC and the DNC, the U.S. intelligence community released a briefing to members of the media warning of foreign disinformation and efforts to influence the outcome of the U.S. election. The report highlighted the different motivations China, Russia, and Iran have for influencing the U.S. election and specifically mentioned that Russia and Iran are adjusting their tactics due to President Biden dropping out of the race.

Major conventions (like other gatherings of elected officials) do present concerns regarding cyber espionage, especially as the DNC will feature high-profile elected officials with possible access to future policy decisions or other forms of proprietary information.

  • The RNC attracted a wide array of foreign officials and diplomats, which is rare for a largely domestic political gathering. This was very likely due to foreign officials attempting to influence and gain a better understanding of a possible Trump administration's foreign policy positions.

The change in Democratic candidates has likely increased foreign officials’ desire to obtain knowledge about lesser-known officials who may work with Kamala Harris, like her running mate, Tim Walz. Unlike President Biden, Vice President Harris’ foreign policy positions are less well-known, and even U.S. allies are likely concerned that the next election could lead to a significant shift in U.S. foreign policy.

  • Harris is reportedly considering removing key Biden foreign policy officials, including National Security Advisor Jake Sullivan and Secretary of State Antony Blinken. Personalities like Philip Gordon, a rumored replacement for Sullivan, could be targeted.
  • Foreign threat actors may attempt to learn about future policies, such as support for Ukraine, via phishing emails or impersonation scams designed to convince individuals to pass on sensitive information.

Convention-specific Targeting

Ahead of the DNC, ZeroFox identified Telegram-based bot service "IntelFetch" aggregating compromised credentials related to the Democratic Party and the DNC.

  • Operatives identified records associated with "demconvention[.]com," including email addresses and records associated with users registered on the DNC website. Some records were previously observed in private threat actor-operated repositories. Additionally, records related to "democrats[.]org" were discovered, as well as those of users registered on the Democratic Party's official site. Domains and email addresses related to the Democratic Party's Washington and Idaho state branches were also observed in the compromised credentials breach.

The exposed data, consisting predominantly of URLs paired with login credentials or login pairs, appears to originate from botnet logs and third-party data breaches. While this exposure does not seem to result from a targeted attack, it poses a risk of unauthorized access to sensitive systems and information within the Democratic Party and the DNC. Compromised credentials belonging to registered individuals and staff members of these entities could be used to infiltrate secure systems, access confidential information, and disrupt operations. This unauthorized access could impact the security and integrity of party activities and the upcoming DNC.
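For defenders triaging this kind of exposure, the following is an added example (not ZeroFox's tooling or data) that filters credential records down to the accounts an organization must reset. It assumes a `URL:login:password` line layout, which the page does not specify, and uses constructed sample lines and the placeholder domain `example.org`.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Assumed layout "URL:login:password"; the page only says URLs paired with credentials.
# The password is the remainder of the line, so it may itself contain colons.
RECORD = re.compile(r"^(https?://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?):([^\s:]+):(.+)$")

# Constructed sample records, not real exposure data.
SAMPLE = [
    "https://portal.example.org/login:alice@example.org:Summer2024!",
    "https://portal.example.org/login:alice@example.org:Summer2024!",  # duplicate
    "https://mail.thirdparty.test/:bob@example.org:p:ss:word",  # staff email, third-party site
    "https://notexample.org/login:carol@other.test:hunter2",    # look-alike host
    "https://sso.example.org:8443/auth:dave:letmein",           # in scope by URL host
    "garbage line",
]

def in_scope(host, monitored):
    """True when host is a monitored domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in monitored)

def triage(lines, monitored):
    """Group in-scope records by login: {login: {"urls": set, "secrets": set}}."""
    findings = {}
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # malformed record: skip rather than guess at its fields
        url, login, password = m.groups()
        host = urlsplit(url).hostname or ""
        email_domain = login.rpartition("@")[2] if "@" in login else ""
        if not (in_scope(host, monitored) or in_scope(email_domain, monitored)):
            continue
        entry = findings.setdefault(login.lower(), {"urls": set(), "secrets": set()})
        entry["urls"].add(url)
        # Keep a truncated digest only, so distinct passwords can be counted
        # without copying plaintext into the triage output.
        entry["secrets"].add(hashlib.sha256(password.encode()).hexdigest()[:12])
    return findings

if __name__ == "__main__":
    for login, hit in sorted(triage(SAMPLE, {"example.org"}).items()):
        print(login, len(hit["urls"]), "url(s),", len(hit["secrets"]), "distinct secret(s)")
```

Matching on the login's email domain as well as the URL host catches staff addresses reused on third-party sites, while the suffix check with a leading dot keeps look-alike hosts out of scope.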

Conclusion: Threats to the DNC

Security forces ensuring the physical safety of the DNC will likely be in a heightened state of alert following the assassination attempt on former President Donald Trump. Heightened movement restrictions and surveillance could see those seeking to disrupt the event, including protesters and potential saboteurs, target locations further away from the DNC. The recent change in the Democratic presidential candidate and overwhelming consensus that the 2024 U.S. presidential election is once again competitive likely increase the possibility that foreign threat actors will attempt to disrupt the DNC or target high-level attendees hoping to gain information on potential policymakers.
