FBI and CISA Further Tie ‘Voter Intimidation Emails’ to ‘Iranian Group’
The U.S. Department of Homeland Security has released additional details that it says further prove that an “Iranian group” sent a series of threatening emails to some Democratic voters in the weeks leading up to the 2020 elections. The messages had appeared to originate from a U.S.-based, far-right, fascist group.
The FBI and the Cybersecurity and Infrastructure Security Agency have now published indicators of compromise and IP addresses tied to the campaign, which organizations can use to help proactively block it.
In a joint alert published on Friday, the FBI and CISA say they have “high confidence” that the IOCs and IP addresses investigators have uncovered were used by an Iranian hacking team to send the threatening emails earlier this month as part of the disinformation campaign – designed to sow confusion and doubt among U.S. voters.
“The FBI has high confidence these IP addresses were used by the Iranian group on the corresponding dates,” the alert states. “Please note many of these IP addresses likely correspond to virtual private network services which can be used by individuals all over the world. While this creates the potential for false positives, any activity on the below would likely warrant further investigation.”
In a separate technical analysis also published on Friday, the FBI and CISA detail the scanning techniques the attack group has been using to probe for vulnerabilities in state election websites. Officials say these efforts, which began in September and continued through October, were an attempt to amass voter data.
“Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election,” the joint alert states.
The threatening emails, which started to arrive in email inboxes around the middle of October, were sent to some voters in Florida and Alaska with a Democratic affiliation. The subject line of these emails noted: “You will vote for Trump on Election Day or we will come after you,” according to reports in the Washington Post and other media outlets (see: US Alleges Iran Sent Threatening Emails to Democrats).
The emails originally purported to come from the Proud Boys, a pro-Trump, far-right, fascist group. Some voters in Arizona also received the messages, according to a report in Vice.
Iranian officials have denied any involvement in the effort to send emails to intimidate voters or spread disinformation.
IP Addresses and IOCs
When news of the threatening emails first surfaced on Oct. 21, U.S. Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray held a press conference to accuse an Iranian hacking group of sending the emails as well as disseminating a video that implied that individuals could cast fraudulent ballots, even from overseas.
Security experts have noted that the hacking group appears to have spoofed an email address used by the Proud Boys group and then routed the emails through legitimate companies to hide their origin.
With the Friday release of the IP addresses and the IOCs, the FBI says it’s further attempting to demonstrate that these were “used as part of an Iran-based campaign to conduct operations aimed at impacting the 2020 U.S. presidential election, to include voter intimidation emails and dissemination of U.S. election-related propaganda.”
The FBI notes that many of the IP addresses listed are from a server list associated with NordVPN. Investigators did note, however, that some of the IP addresses may also correspond to other providers such as CDN77, HQSERV and M247.
Partial list of indicators of compromise released by the FBI (Source: FBI)
Since commercial VPN services were used as part of the alleged attack, the FBI indicates that some of the IP addresses might lead to false positives, but that any activity associated with these addresses should be investigated.
Brandon Hoffman, CISO of security firm Netenrich, noted that the release of the IOCs and IP addresses is a good first step to help organizations protect themselves from further hacking, but that the hacking group itself is likely to have moved on.
“The IOCs are still relevant as being linked to the threat group,” Hoffman tells Information Security Media Group. “Whether they attempt to perform attacks from the noted IP addresses, or disseminate content via the IP addresses, the IOCs should be used for blocking and monitoring purposes. Unfortunately, there is high mutability with IP addresses and especially VPN for hire related infrastructure, making the usefulness of these indicators relatively short-lived.”
Besides the release of the IOCs and the IP addresses, the FBI and CISA released details of how the Iranian group allegedly used legitimate scanning tools to search for vulnerabilities in state websites while looking for voting data.
This includes the use of Acunetix, which is a widely used and legitimate web scanning tool that can also be abused by threat actors, according to Friday’s alert. The hacking group in this case used the scanning tool to search for vulnerabilities to exploit in websites.
Example of a threatening email received by U.S. voters (Source: Proofpoint)
“This includes attempted exploitation of known vulnerabilities, directory traversal, structured query language injection, web shell uploads, and leveraging unique flaws in websites,” according to the alert, referring to what is more commonly known as a SQL injection attack.
The FBI and CISA say the hacking group obtained voter registration data in at least one unnamed state, according to the alert.
“The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records,” according to the alert. “A review of the records that were copied and obtained reveals the information was used in the propaganda video.”
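As an added defender-side illustration, not part of the article or of the FBI/CISA alert, the Python sketch below applies two points from the alert to constructed web-server log lines: it queues any request from an IOC-listed address for investigation rather than automatic blocking, because of the VPN false-positive caveat, and it spots the scripted, sequential record iteration of the kind the alert attributes to cURL. The IOC addresses, the /voter/lookup endpoint and the log lines are made-up TEST-NET values, not the FBI's published indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IOC list using RFC 5737 TEST-NET addresses; NOT the FBI's published IPs.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
# Constructed Apache-style access log (hypothetical /voter/lookup endpoint).
SAMPLE_LOG = """\
198.51.100.23 - - [16/Oct/2020:03:14:01 +0000] "GET /voter/lookup?id=100201 HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.23 - - [16/Oct/2020:03:14:01 +0000] "GET /voter/lookup?id=100202 HTTP/1.1" 200 511 "-" "curl/7.68.0"
198.51.100.23 - - [16/Oct/2020:03:14:02 +0000] "GET /voter/lookup?id=100203 HTTP/1.1" 200 514 "-" "curl/7.68.0"
198.51.100.23 - - [16/Oct/2020:03:14:02 +0000] "GET /voter/lookup?id=100204 HTTP/1.1" 200 509 "-" "curl/7.68.0"
192.0.2.10 - - [16/Oct/2020:03:15:30 +0000] "GET /voter/lookup?id=100250 HTTP/1.1" 200 510 "-" "Mozilla/5.0"
203.0.113.77 - - [16/Oct/2020:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')

def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status, ua = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": path, "status": int(status), "ua": ua}

def analyze(log_text, ioc_ips, endpoint="/voter/lookup", min_hits=3, window_s=60):
    """Return (ioc_hits, enumerators). ioc_hits: IOC-listed IPs seen at all, queued for
    investigation rather than auto-blocked (VPN exits cause false positives). enumerators:
    IPs pulling >= min_hits consecutive record ids via a scripted client within window_s."""
    ioc_hits, per_ip = set(), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in ioc_ips:
            ioc_hits.add(rec["ip"])
        if rec["path"].startswith(endpoint + "?") and rec["status"] == 200:
            per_ip[rec["ip"]].append(rec)
    enumerators = {}
    for ip, recs in per_ip.items():  # log assumed to be in time order
        ids = [int(m.group(1)) for m in (re.search(r"[?&]id=(\d+)", r["path"]) for r in recs) if m]
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        sequential = len(ids) == len(recs) and all(b - a == 1 for a, b in zip(ids, ids[1:]))
        scripted = any(r["ua"].lower().startswith("curl") for r in recs)
        if len(recs) >= min_hits and span <= window_s and sequential and scripted:
            enumerators[ip] = ids
    return ioc_hits, enumerators
```

The thresholds and the user-agent check are deliberately simple; a real deployment would tune them to the site's normal lookup traffic so legitimate bulk users are not flagged.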
When the FBI and DNI first detailed the alleged Iranian plot, they noted that both Iran and Russia had attempted to gather fresh voting data on U.S. citizens, but did not indicate how this was done. In many cases, this voting information is already public.
In the case of the Iranian hackers, the FBI and CISA found that once the threat actor allegedly gained access to the one state’s website, it sent numerous queries looking for specific voter data.
The FBI and CISA are also monitoring Russian hacker activity and an alert from earlier this month notes that threat actors associated with that country have attempted to hack into state and local systems as well (see: US Officials Blame Data Exfiltration on Russian APT Group).
Managing Editor Scott Ferguson contributed to this report.