Elections increasingly attract cyber operations that target politicians, businesses and the public. These activities range from espionage campaigns against political parties targeting operations seeking to shape opinions, sow discontent or undermine democratic processes.

This newsletter, published twice a month, provides an overview of key cyber incidents and emerging threats related to the upcoming October 2026 general elections in Brazil. It offers recommendations on how organizations and individuals can mitigate and protect against these threats.

Key incidents

In this issue we focus on the following:

Likely cyber activist threat actor compromises Brazil’s emergency alert system, broadcasts fake alerts

According to a June 22 article in The Record, Brazil’s National Civil Defence on 20 June disclosed that a threat actor had triggered the organisation’s warning platform and sent false alerts to Brazilian citizens in multiple federal states.

Belarus-linked APT group targets Gmail accounts in phishing campaign against Polish public figures

Poland’s computer emergency response team CERT Polska on 12 June reported on Belarus-linked advanced persistent threat (APT) group Ghostwriter conducting a phishing campaign against Gmail accounts of Polish political and public figures and their relatives. The campaign’s intent is to steal credentials and two-factor authentication (2FA) codes for data theft purposes. 

3.4 billion is the number of phishing emails sent daily, according to researchers at StationX

StationX researchers also claimed that approximately 83% of these daily phishing emails are now AI-generated and that 36% of all data breaches involve phishing, with phishing being the initial vector in 16% of these breaches. It was estimated that annual global phishing losses amount to some $25 billion. 

(Source: StationX, “Phishing Statistics 2026: Latest Attack Data and Trends,” June 2026)

Mitigation advice

  • Strengthen protections against phishing and credential theft by enforcing multi-factor authentication (MFA), implementing advanced email security controls, monitoring for suspicious login activity and conducting targeted awareness training for employees, executives and other high-risk personnel.
  • Enhance monitoring for AI-enabled social engineering by educating staff on increasingly sophisticated phishing techniques, validating unexpected requests through secondary channels and establishing clear reporting mechanisms for suspicious emails and messages.
  • Implement proactive credential monitoring and domain alerting by tracking exposed credentials, monitoring for lookalike domains and spoofed communications and rapidly investigating unauthorized authentication attempts or account compromise indicators.
  • Establish procedures to identify and respond to disinformation and influence activity by monitoring social media and public platforms for false narratives, preparing communications response plans and coordinating escalation processes between communications, legal, security and executive teams.
  • Protect critical communications and notification systems through layered security controls, privileged access management, continuous monitoring and regular testing to reduce the risk of unauthorized messages, system misuse or service disruption.
  • Integrate cyber, communications, business continuity and crisis management teams into a unified election-period preparedness program by conducting joint exercises, reviewing incident response playbooks and validating procedures for cyber incidents.

Threat actor compromises Brazil’s emergency alert system, broadcasts fake alerts

The National Civil Defence said it took the Civil Defence Alert system offline after a likely cyber threat actor broadcast Extreme Alert category notifications that contained the word “misantropia” (misanthropy). The last letter “a” was replaced by the numeral “4” in a practice known as leetspeak, which is typically used as a form of coded language by cyber threat actors. 

The Brazilian Ministry of Integration and Regional Development said the attacker sent ten unauthorized alerts to individual phones in São Paulo, Mato Grosso do Sul, Rio de Janeiro, Paraná and the Federal District. However, it has not been determined how many mobile devices received the notifications. 

Based on the alert’s vague and unusual message, the attack was likely conducted by a cyber activist threat actor. Such threat actors will almost certainly increasingly target national emergency alert systems in the coming years due to such systems’ ability to distribute messages to entire populations. 

Potential impact: As in this case, threat actors may attempt to confuse and disrupt a population (or electorate) using such public messaging systems and more nefarious actors could also potentially target Brazilian election systems to alter election results or to simply sow distrust or suspicions around election results.

Belarus-linked APT group targets Gmail accounts in phishing campaign against Polish political public figures

One of the most active APT groups monitored by CERT Polska, Ghostwriter (also known as UNC1151) has previously targeted Polish email providers such as Intria, Onet and Wirtualna Polska. Therefore, the group targeting Gmail accounts marks an expansion in its targeting. The group typically conducts phishing campaigns to steal sensitive data, including contact lists, confidential documents or linked accounts, for follow-on attacks. Ghostwriter has previously targeted Ukrainian entities using similar phishing tactics. 

CERT Polska said that this campaign has targeted specific professional groups and regions, including court experts and translators, using fraudulent emails spoofing official Gmail administrator communications sent from compromised accounts. The emails typically claim that suspicious activity, unauthorised login attempts or violations of service terms have occurred and urge targets to click links to phishing pages designed to harvest credentials.

Potential impact: High-profile political and public figures (and their families) in Brazil make attractive targets for a variety of threat actors and such actors are now able to create tailored and sophisticated campaigns using AI tooling. Individuals should avoid clicking on unsolicited links and organizations should conduct proactive credential monitoring and domain alerting.

Focus on: Cyber attacks on emergency alert systems

There have been a number of instances of cyber attacks against emergency alert systems in recent years, including those conducted by cyber hacktivists for apparent ideological reasons as well as those by ransomware actors motivated by potential financial gain. 

In late 2025, the OnSolve CodeRED emergency alert platform, used by over 10,000 US municipalities to send severe weather warnings and public safety notifications, was targeted by ransomware actors and temporarily rendered inaccessible. In another 2025 incident, unknown hackers commandeered US radio transmission equipment in Virginia and Texas, broadcasting obscene messages and fake emergency alerts to unsuspecting radio station listeners.

Security considerations: Public emergency alert systems are part of critical national infrastructure and are increasingly becoming attractive targets for threat actors. When done for ideological reasons and limited to defacement, the consequences can be limited to a mere nuisance, although loss of public confidence in such systems remains problematic. In the case of longer-term outages or serious disinformation, however, such incidents could prove catastrophic. It is critical for relevant agencies to prioritize layered security, continuous monitoring and proactive incident response planning.