Mandiant Report: AI-Driven Disinformation Poses Greatest Threat to 2028 U.S. Elections

July 1, 2026


Executive Summary

A new threat horizon report from Mandiant (part of Google Cloud) has issued a stark warning: AI-powered disinformation campaigns have surpassed traditional hacking as the number one cyber threat to the integrity of the 2028 U.S. elections. The report, "Democracy Under Digital Siege," predicts a massive increase in the scale and sophistication of influence operations. These campaigns will leverage hyper-realistic, AI-generated content (deepfakes) to manipulate public opinion, suppress voter turnout, and erode trust in the democratic process. The report highlights the alarming democratization of these capabilities, with 'Disinformation-as-a-Service' (DaaS) platforms making it easy for a wide range of actors to launch sophisticated campaigns.


Threat Overview

Mandiant's report shifts the focus from the security of voting machines to the security of the information ecosystem itself. The core threat is the ability of malicious actors to manipulate reality at scale.

  • Threat Actors: The threat is no longer limited to a few powerful nation-states. The report notes that the availability of open-source AI models and DaaS platforms allows smaller state actors, domestic extremist groups, and even well-funded individuals to conduct influence operations that were previously impossible.
  • New TTPs: The report details several new and evolving tactics:
    • Hyper-Realistic Content: AI will be used to generate convincing fake videos, audio clips, and text of political candidates, officials, and news events.
    • Disinformation-as-a-Service (DaaS): Emerging dark web platforms allow malicious actors to simply define a target demographic and a narrative, and the service automates the creation and distribution of synthetic content across multiple social media platforms.
    • 'AI-ad-libbing': This refers to AI-powered bots or agents that can engage in real-time, context-aware conversations on social media to push a narrative, making them far more believable and harder to detect than traditional bots.

Technical Analysis

The technological shift is driven by the rapid advancement and accessibility of large language models (LLMs) and diffusion models (for image/video generation). What required a Hollywood-level budget and expertise a few years ago can now be done with a powerful GPU and open-source software. The DaaS platforms are a logical, albeit dangerous, evolution of the cybercrime economy, applying the 'as-a-service' model to influence operations.

MITRE ATT&CK TTPs (Adapted for Influence Operations)

  • Reconnaissance: T1593 - Search Open Websites/Domains - Scraping social media and public records to build profiles of target demographics.
  • Resource Development: T1585 - Establish Accounts - Creating thousands of fake social media accounts for the AI agents.
  • Execution: T1129 - Shared Modules - Using open-source AI models to generate content.
  • Impact: The goal is not technical impact like data encryption, but cognitive impact: to sow discord, change opinions, and undermine trust in institutions. This is a form of T1491 - Defacement, but of public discourse rather than a website.

Impact Assessment

The potential impact of these AI-driven campaigns on the 2028 election is profound:

  • Erosion of Trust: A flood of high-quality fake content can lead to a situation where citizens don't know what to believe, eroding trust in media, government, and the election process itself.
  • Voter Manipulation: Highly targeted and personalized disinformation can effectively manipulate public opinion and voting behavior.
  • Voter Suppression: False information about when, where, and how to vote can be used to suppress turnout in specific demographics.
  • Political Instability: The increased polarization and discord can lead to civil unrest and political instability.

Detection & Response

Detecting and responding to this threat is a complex challenge that goes beyond traditional cybersecurity.

  • Detection:
    • Content Provenance: Developing and adopting standards for digital content provenance (e.g., C2PA) that can certify the origin and history of a piece of media.
    • AI-based Detection: Using AI to detect AI-generated content, looking for subtle artifacts and statistical giveaways.
    • Behavioral Analysis: Social media platforms analyzing account behavior to identify inauthentic, coordinated activity, such as the 'AI-ad-libbing' described in the report.
  • Response:
    • Rapid Fact-Checking: A coordinated effort between government, media, and civil society to rapidly identify and debunk false narratives before they go viral.
    • Platform Action: Social media platforms must be able to quickly label, down-rank, or remove verifiably false and harmful synthetic media.
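The behavioral-analysis item above can be made concrete with a small detector. This is an added example, not code from the Mandiant report or from any platform. It links accounts by repeated co-activity (replying in the same threads within a short window) rather than by text similarity, since context-aware generated replies need not repeat wording. The event tuples, account names, and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

WINDOW_S = 120      # assumed: replies this close together count as co-activity
MIN_THREADS = 3     # assumed: distinct threads a pair must share to be linked

# Constructed sample: (account, thread_id, unix_time). Not real platform data.
EVENTS = [
    ("acct_a", "t1", 1000), ("acct_b", "t1", 1030), ("acct_c", "t1", 1075),
    ("acct_a", "t2", 5000), ("acct_b", "t2", 5050), ("acct_c", "t2", 5010),
    ("acct_a", "t3", 9000), ("acct_b", "t3", 9100), ("acct_c", "t3", 9090),
    ("user_x", "t1", 1040), ("user_x", "t4", 2000),
    ("user_y", "t2", 8000), ("user_y", "t3", 9050), ("user_y", "t5", 100),
]

def co_activity(events, window=WINDOW_S):
    """Map each account pair to the threads where both posted within `window` seconds."""
    by_thread = defaultdict(list)
    for acct, thread, ts in events:
        by_thread[thread].append((ts, acct))
    shared = defaultdict(set)
    for thread, posts in by_thread.items():
        for (t1, a1), (t2, a2) in combinations(sorted(posts), 2):
            if a1 != a2 and abs(t2 - t1) <= window:
                shared[tuple(sorted((a1, a2)))].add(thread)
    return shared

def coordinated_clusters(events, window=WINDOW_S, min_threads=MIN_THREADS):
    """Return sorted clusters of accounts linked by repeated co-activity."""
    links = defaultdict(set)
    for (a, b), threads in co_activity(events, window).items():
        if len(threads) >= min_threads:
            links[a].add(b)
            links[b].add(a)
    clusters, seen = [], set()
    for start in sorted(links):
        if start not in seen:
            stack, members = [start], set()
            while stack:  # depth-first walk over the link graph
                node = stack.pop()
                if node not in members:
                    members.add(node)
                    stack.extend(links[node] - members)
            seen |= members
            clusters.append(sorted(members))
    return clusters

if __name__ == "__main__":
    print(coordinated_clusters(EVENTS))
```

A single shared thread is not enough to link two accounts: user_x and user_y each overlap with the cluster once and stay unflagged, which is why the threshold counts distinct threads rather than individual posts.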

Mitigation Recommendations

Mandiant's report calls for a whole-of-society approach:

  • For Government: Invest in research for AI detection and content provenance. Work with allies to establish international norms against the malicious use of AI in elections.
  • For Tech Platforms: Continue to invest in and improve detection capabilities. Adopt and promote content provenance standards. Be transparent about influence operations discovered on their platforms.
  • For Media: Educate journalists on how to spot synthetic media. Be cautious in reporting and avoid amplifying disinformation.
  • For the Public: Increase public awareness and media literacy education to help citizens critically evaluate the information they encounter online.

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
