1. Introduction: The Evolution of Election Cyber Threats
The landscape of digital election security shifted fundamentally following the 2016 US presidential election, which exposed a significant Russian disinformation campaign. The proliferation of fabricated news and bot-driven polarization catalyzed a global cyber awakening. Today, foreign election interference is no longer an anomaly but a persistent threat to democratic integrity.
While some adversaries operate covertly to avoid detection, others leverage the high-stakes environment of local and national elections to maximize public visibility. Distributed Denial-of-Service (DDoS) attacks fall into this latter category: these attacks aim to disrupt critical digital infrastructure such as websites, applications and servers, by overwhelming them with malicious traffic generated by vast networks of compromised devices.
Technical Classification of DDoS
DDoS methodologies are generally categorized by their point of impact within the Open Systems Interconnection (OSI) model. (Note: Adversaries do not necessarily differentiate between the different attack types and often combine methods through so-called multi-vector attacks.)
Volumetric (Gbps) attacks
- Primary Mechanism: Volumetric flooding of requests to saturate available bandwidth of a server.
- OSI Level: Network Layer (L3)
Protocol (pps) attacks
- Primary Mechanism: Exploiting common internet protocols such as TCP/IP to disrupt online services.
- OSI Level: Network and Transport Layers (L3/L4)
Application (rps) attacks
- Primary Mechanism: Targets applications limitation to responding to requests
- OSI Level: Application Layer (L7)
The Current Context: Sweden’s National Elections
As Sweden approaches its national elections on September 13, the threat of digital disruption remains high. A concerning global trend has emerged where adversaries target domestic digital services during peak voting periods to impact government functions, incite public anxiety, or advance ideological agendas. DDoS has become a preferred tool for these threat actors due to its accessibility, affordability, and potential for high-impact disruption.
2. Defining the Threat: Vulnerable Organizations and Systems
Elections represent a prime window for DDoS attacks due to their time-sensitivity and immense public visibility. By targeting voter information portals, registration systems or websites of political parties, attackers aim to hinder participation, delay results, and incite public confusion.
Potential Targets
The risk extends across the electoral ecosystem but also industry sectors with no evident connection to voting.
Target Domain and Systems Compromised:
- Direct Infrastructure; Websites for voter registration, real-time reporting, and polling logistics.
- Administrative Support: Internal platforms, such as government email systems and staff coordination tools.
- Political Parties and NGOs: Websites belonging to political parties and other non-governmental interest- or lobbying groups
- Peripheral Sectors: A key takeaway from the record-breaking 2024 election year (where over 50 nations went to the polls) is that attackers no longer limit themselves to official systems. Instead, they systematically target financial institutions, municipalities, and media outlets to create a broader sense of instability.
The Swedish Context
In one of the world’s most digitalized nations, securing official systems alone is insufficient. Because the vast majority of pre-election discourse in Sweden occurs via social media, news outlets, and online forums, the entire national digital infrastructure must be considered part of the electoral attack surface.
The Rise of Chained Attacks and Automated Bot Activity
Modern threats rarely occur in isolation. Google’s Threat Intelligence Team identified in 2024 how chained attacks, i.e. strategic layering of DDoS, data leaks, and misinformation, constitute the most potent threat to democratic processes. In this context, the primary danger of a DDoS attack is often psychological. As noted by the FBI, threat actors may use a temporary website outage to falsely claim that the underlying election integrity has been compromised. Even if the voting process remains secure, the perception of a digital failure can be weaponized to undermine public trust.
Automated bots significantly amplify these threats. As far back as 2018, Sweden's Totalförsvarets Forskningsinstitut (FOI) documented a notable pre-election surge in non-human accounts programmed to spread automated, often false, narratives. Modern AI makes it easier to deploy vast, convincing bot networks, increasing the risk of denial-of-service caused by surges in automated traffic floods.
3. Threat Actors and Objectives
Threat actors launching DDoS attacks during election cycles generally fall into three categories, each with distinct motivations and capabilities.
a) State-Aligned Groups
Directly employed- or sponsored by nation-states, these are the most advanced adversaries. They possess the resources to orchestrate persistent, large-scale campaigns designed to align with geopolitical interests.
- Motivation: Destabilizing democratic faith, discrediting the voting process, or retaliating during military/diplomatic conflicts.
- Tactics: Often coordinated together with misinformation and pre-attack reconnaissance to maximize psychological impact. They may use false flag-tactics to misattribute attacks to other nations.
b) Hacktivist Collectives
Unlike state actors, hacktivists are typically opportunistic and publicity-driven. They use DDoS to amplify a specific political agenda or respond to controversial policy changes.
- Motivation: Publicly embarrassing governments or organizations and exerting social pressure.
- Tactics: Rely on crowdsourced participation and widely available tools. While technically less sophisticated, their timing, often during peak political sensitivity, can paralyze public services and make unwanted news headlines.
c) Cybercriminals
Cybercriminals have commoditized disruption through DDoS-for-hire services, lowering the barrier to entry for any motivated individual.
- Motivation: Primarily financial. They leverage the high-stakes nature of elections to demand ransom payments (extortion), knowing that service availability is a top priority for officials.
- Tactics: Sometimes use DDoS as a "smoke screen" to distract security teams while they attempt to breach the target network.
Evolution of Tools: The Botnet Landscape
While the concept of a DDoS attack is decades old, the scale of the threat has evolved through the proliferation of massive IoT botnets.
A recent example is the Aisuru-Kimwolf botnet, which has been linked to an ecosystem of several million IoT devices and launched hyper-volumetric attacks peaking at 31.4 Terabits per second (Tbps) and 14 billion packets per second (Bpps), making it one of the most operationally significant DDoS botnets on record. Earlier this year, it was part of a coordinated effort by multiple law enforcement agencies aiming to disrupt the capabilities of ‘’record breaking’’ botnet infrastructure. According to the U.S Justice Department, Aisuru alone was responsible for issuing more than 200,000 attack commands since its inception.
4. Historical Precedent: Election Interference in the Nordics
The recurring nature of DDoS attacks against Swedish and Nordic electoral infrastructure underscores an urgent need for robust defenses. While these incidents have never compromised the actual vote count, they serve as modern hybrid warfare tactics.
Case Study: Valmyndigheten
The Swedish Election Authority (Valmyndigheten) is a consistent target for symbolic disruption. Past DDoS incidents demonstrate a pattern of timing attacks to coincide with peak public interest:
- May 2024: Targeted one month prior to EU parliamentary elections.
- September 2022: Multiple outages on the eve of the general election made tracking live results difficult for the public.
- September 2018: A major attack took the site offline for five hours on election night.
Geopolitical Triggers: The NATO Factor
Broad geopolitical shifts have directly correlated with a more aggressive threat landscape. Following Sweden’s formal accession to NATO in March 2024, reporting indicated a 466% surge in DDoS attacks against domestic infrastructure, a trend mirrored in Finland during its own accession process.
Regional Context: Denmark (November 2025)
Recent local elections in Denmark provide a blueprint for current threat actor behavior:
- Targeting: The pro-Russian collective NoName057(16) claimed responsibility for knocking political party sites, government portals, and media outlets offline.
- Objective: These attacks were not intended to alter the vote; rather, they targeted reputational integrity. By disrupting the top layers of election coverage, hackers seek to foster public doubt in government competence.
- Assessment: Danish intelligence concluded that such incidents are now a normal feature of the European electoral landscape, especially targeting organizations that lack specialized DDoS mitigation to achieve downtime.
5. Strategic Mitigation: Safeguarding Democratic Integrity
The expanding footprint of internet-connected election infrastructure has significantly heightened the risk of DDoS-induced outages. Because these attacks are frequently combined with misinformation- or extortion campaigns, government authorities at all levels - municipal, regional, and national - must ensure technical resilience.
Why Preparedness is Non-Negotiable
- The Democratic Mandate: Cybersecurity is now a fundamental pillar of democratic integrity.
- Universal Risk: In a highly digitalized society like Sweden, any organization can become a target by merit of its association with domestic online infrastructure.
- Public Trust: DDoS attacks are designed to be visible and incite panic. Maintaining uptime prevents adversaries from manufacturing a sense of chaos or undermining institutional trust.
Recommended Actions
To withstand the surges in malicious traffic expected during election cycles, organizations can implement the following:
- Multi-Layer, Always-On Protection: DDoS mitigation should not be a "break-glass" solution. Much like a physical lock on our doors, it should be permanently active to handle unexpected spikes of attack traffic.
- IP Reputation & Perimeter Filtering: Actively filtering traffic based on real-time threat intelligence stops known malicious actors during the reconnaissance phase, preventing them from identifying deeper vulnerabilities or pre-positioning for future attacks.
- Web Application Security: While DDoS targets availability, Web Application Firewalls (WAF) are essential to prevent concurrent attempts to exploit software vulnerabilities and steal sensitive voter or political data.
Summary: Consequences of DDoS attack campaigns during election periods
What is Compromised & What are the Consequences
- Availability: Temporary outages on election websites and voter portals, preventing citizens from accessing polling information or completing registration at critical deadlines.
- Operations: Election authorities are forced to divert resources toward emergency traffic filtering and mitigation, creating a significant operational burden at precisely the moment when reliability is most critical.
- Visibility: Where services are taken offline as a precaution, reduced visibility into official results creates a vacuum that rumours and unofficial narratives quickly fill.
- Trust: Even when the underlying voting process is entirely unaffected, an outage can be misread as evidence of deeper compromise, eroding public confidence in the integrity of the result.
- Security: DDoS attacks can serve as deliberate cover for other types of malicious activity, including network intrusion attempts and coordinated propaganda campaigns.



