A new threat horizon report from Mandiant (part of Google Cloud) has issued a stark warning: AI-powered disinformation campaigns have surpassed traditional hacking as the number one cyber threat to the integrity of the 2028 U.S. elections. The report, "Democracy Under Digital Siege," predicts a massive increase in the scale and sophistication of influence operations. These campaigns will leverage hyper-realistic, AI-generated content (deepfakes) to manipulate public opinion, suppress voter turnout, and erode trust in the democratic process. The report highlights the alarming democratization of these capabilities, with 'Disinformation-as-a-Service' (DaaS) platforms making it easy for a wide range of actors to launch sophisticated campaigns.
Mandiant's report shifts the focus from the security of voting machines to the security of the information ecosystem itself. The core threat is the ability of malicious actors to manipulate reality at scale.
The technological shift is driven by the rapid advancement and accessibility of large language models (LLMs) and diffusion models (for image/video generation). What required a Hollywood-level budget and expertise a few years ago can now be done with a powerful GPU and open-source software. The DaaS platforms are a logical, albeit dangerous, evolution of the cybercrime economy, applying the 'as-a-service' model to influence operations.
T1593 - Search Open Websites/Domains - Scraping social media and public records to build profiles of target demographics.T1585 - Establish Accounts - Creating thousands of fake social media accounts for the AI agents.T1129 - Shared Modules - Using open-source AI models to generate content.T1491 - Defacement, but of public discourse rather than a website.The potential impact of these AI-driven campaigns on the 2028 election is profound:
Detecting and responding to this threat is a complex challenge that goes beyond traditional cybersecurity.
Mandiant's report calls for a whole-of-society approach:

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.