As we head into the final inning of what has been a dramatic US presidential election season, it’s clear the country has so far been spared the kind of high-stakes hacking and disinformation campaigns that marred the 2016 election. Still, US intel and cyber defense organizations are on the lookout for last-minute ransomware attacks and have been joined by their private sector counterparts while social media companies appear to be clamping down on disinformation efforts.

The most striking evidence that the US may be better prepared than it was in 2016 is the extraordinary actions taken by US CyberCommand (CyberCom) to meddle with the Russian-language Trickbot botnet network, used to deliver malware, including ransomware, and frequently exploited by Russian military intelligence for plausible deniability. Following a scoop by journalist Brian Krebs that an unknown actor was meddling with Trickbot, news leaked over the weekend that CyberCom was the meddler.

CyberCom’s goal was to thwart any possible ransomware attacks on selected or strategically important jurisdictions. The military cyber arm might have also been pushed into action by a Trickbot-enabled ransomware attack on top healthcare provider Universal Health Services (UHS), which was forced to shutter digital operations when 400 of its computer systems were locked up by Ryuk ransomware.

CyberCom was not the only party messing with the Trickbot outfit, though. Another parallel but coincidental effort to dismantle Trickbot was underway by an international coalition of telecom providers and tech organizations led by Microsoft.
Tom Burt, vice president of consumer security and trust at the software giant, offered details of this Trickbot take-down attempt in a blog post in which he reiterated that “ransomware is one of the largest threats to the upcoming elections.”

Microsoft and its partners pursued a legal approach to get at the Trickbot organization, successfully arguing in the US District Court for the Eastern District of Virginia that many of the internet servers used by Trickbot abuse the company’s trademarks. The court granted Microsoft’s requests to shut down those servers.

Neither CyberCom nor Microsoft believes it has taken down Trickbot permanently. “We fully anticipate Trickbot’s operators will make efforts to revive their operations,” Burt wrote. The parallel strikes against the world’s largest botnet likely made a big enough dent to dampen Trickbot’s damage before election day.

Swaying voters and sowing doubt

What kinds of digital or disinformation damage can foreign threat groups inflict at the eleventh hour, if any? The US should look out for two types of threats, FireEye's director of intelligence analysis John Hultquist explained in an industry briefing. The first are “late game” events designed to sway voters.

These are “threats that are dramatic by nature and designed to shift voting patterns and change different perceptions of voters in a way that may actually affect the election,” he said in an online presentation, referring mostly to hack-and-leak operations carried out by Russian, North Korean and other threat actors.

The second type of attack that could still strike the US is aimed at creating lingering problems long after election day is over.
“There are sort of these lingering threats that go beyond election day that are really designed to undermine the confidence in our election system,” Hultquist said.

He cites the example of the Russian state-backed hacking group APT29, better known as Cozy Bear, gaining access to Ukraine’s election system in 2018 and posting the wrong election results. The intrusion didn’t change the real vote tally but it did sow seeds of doubt about the system.

Likewise, Sandworm, Unit 74455 of Russia’s military intelligence arm GRU, targeted Ukraine’s election systems in 2016 and caused no real harm other than to raise doubts about those systems. “What we’re concerned with is that somebody will do something noticeable, or noticeable enough that people will start talking about the integrity of the system at large. That’s what really worries us,” Hultquist said. “These sorts of questions go on for a long time.”

Beware last-minute leaks

Another concern Hultquist has is some kind of hack-and-leak operation dropping at the last minute, depriving the opposing party of sufficient time to respond. This tactic was deployed by Russian hackers with the so-called Macron Leaks during the 2017 presidential election in France. In that situation, Russia’s APT28, better known as Fancy Bear, also associated with the GRU, leaked 20,000 emails right before a 24-hour media blackout before voting took place.

“They officially dropped this leak right before the blackout period. The purpose behind that was so the story couldn’t be unwound by the other side,” Hultquist said. “Our concern is that something of that nature could happen.”

Another operation Hultquist has seen that is perfect for last-minute malfeasance entails planting stories on websites that are associated with fake documents and images. “They’ll forge a fictitious document or they will photoshop an image,” he said.
“In one instance they photoshopped an image of German soldiers desecrating Jewish graves in the Baltics. They wrote an article about it and used the [image] to back up the article and they placed it on a website.”

Russia is the main threat actor

Despite the administration’s chain-rattling over China and Iran, it’s Russia that most concerns Hultquist. “They are probably the most aggressive actor [and have] the longest history of successful large-scale cyberattacks of different kinds. Compared to the other actors, we just don’t have the same level of concern.”

Hultquist acknowledged that ransomware attacks are a concern but doesn’t see the current ransomware operators causing much of a problem. “It’s certainly possible. These are criminal operations that are hit or miss … there could be some incidental operations that could have an effect on some operations.”

Russia also just happens to be responsible for the largest fake ransomware operation in history, the NotPetya attacks that occurred in 2016. They have repeatedly used fake ransomware as an attack tool, he said, but even fake ransomware is not a top-of-mind concern for Hultquist. “Do we think that some fake ransomware attack will have an effect on the outcome of the election? No, I don’t.”

The best way the US can prepare for last-minute attacks on the election is “to calmly and clearly call out what’s happening when we see it,” he said. “I think we have a responsibility to talk about what’s happening and to make sure that information gets out there. And then we have to discuss the limitations of that activity. The biggest limiter is our recognition that somebody on the outside is trying to manipulate us.
If we recognize that, we can really inoculate ourselves.”