Feds Release More Details on Emails Allegedly Sent By Iran

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Government

FBI, CISA Release IP Addresses And Other Technical Details Linked To Emails


The FBI and the U.S. Cybersecurity and Infrastructure Security Agency have released additional technical details, including indicators of compromise and IP addresses, which investigators say tie Iranian-backed hackers to a series of threatening emails sent to some Democratic voters in the weeks leading up to the 2020 elections.


In an agency alert published Friday, the FBI says that it has “high confidence” that the IOCs and IP addresses investigators have uncovered were used by an Iranian hacking group to send threatening emails earlier this month as part of a disinformation campaign designed to sow confusion and doubt with U.S. voters.

“The FBI has high confidence these IP addresses were used by the Iranian group on the corresponding dates,” according to Friday’s alert. “Please note many of these IP addresses likely correspond to Virtual Private Network (VPN) services which can be used by individuals all over the world. While this creates the potential for false positives, any activity on the below would likely warrant further investigation.”

The FBI and CISA also published an analysis Friday of the scanning techniques that the hacking group used to look for vulnerabilities in state election websites in an attempt to gather voter data between September and October.

“Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election,” according to the alert.

The threatening emails, which started to arrive in inboxes around the middle of October, were sent to some voters in Florida and Alaska with a Democratic affiliation. The subject line of these emails noted: “You will vote for Trump on Election Day or we will come after you,” according to reports in the Washington Post and other media outlets (see: US Alleges Iran Sent Threatening Emails to Democrats).

The emails originally purported to come from the Proud Boys, a pro-Trump, far-right, fascist group. Some voters in Arizona also received the messages, according to a report in Vice.

Iranian officials have denied any involvement in the effort to intimidate voters or spread disinformation.

IP Addresses and IOCs

When news of the threatening emails first surfaced on Oct. 21, U.S. Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray held a press conference to accuse an Iranian hacking group of sending the emails as well as disseminating a video that implied that individuals could cast fraudulent ballots, even from overseas.

Security experts have noted that the hacking group appears to have spoofed an email address used by the Proud Boys group and then routed the emails through legitimate companies to hide their origin.

With the release Friday of the IP addresses and the IOCs, the FBI is attempting to show that these were “used as part of an Iran-based campaign to conduct operations aimed at impacting the 2020 U.S. Presidential Election, to include voter intimidation emails and dissemination of U.S. election-related propaganda.”

The FBI notes that many of the IP addresses listed are from a server list associated with NordVPN. Investigators did note, however, that some of the IP addresses may also correspond to other providers such as CDN77, HQSERV and M247.

Partial list of indicators of compromise released by the FBI (Source: FBI)

Since commercial VPN services were used as part of the alleged attack, the FBI indicates that some of the IP addresses might lead to false positives, but that any activity associated with these addresses should be investigated.

Brandon Hoffman, CISO of security firm Netenrich, noted that the release of the IOCs and IP addresses is a good first step to help organizations protect themselves from further hacking, but that the hacking group itself is likely to have moved on.

“The IOCs are still relevant as being linked to the threat group,” Hoffman tells Information Security Media Group. “Whether they attempt to perform attacks from the noted IP addresses, or disseminate content via the IP addresses, the IOCs should be used for blocking and monitoring purposes. Unfortunately, there is high mutability with IP addresses and especially VPN for hire related infrastructure, making the usefulness of these indicators relatively short-lived.”

Scanning Techniques

Besides the release of the IOCs and the IP addresses, the FBI and CISA released details of how the Iranian group allegedly used legitimate scanning tools to search for vulnerabilities in state websites while looking for voting data.

This includes the use of Acunetix, which is a widely used and legitimate web scanning tool that can also be abused by threat actors, according to Friday’s alert. The hacking group in this case used the scanning tool to search for vulnerabilities to exploit in websites.

Example of a threatening email received by U.S. voters (Source: Proofpoint)

“This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites,” according to the alert.

In at least one case, the hacking group obtained voter registration data from an unnamed state, the FBI and CISA say in the alert.

“The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records,” according to the alert. “A review of the records that were copied and obtained reveals the information was used in the propaganda video.”

When the FBI and DNI first detailed the alleged Iranian plot, they noted that both Iran and Russia had attempted to gather fresh voting data on U.S. citizens, but did not indicate how this was done. In many cases, this voting information is already public.

In the case of the Iranian hackers, the FBI and CISA found that once the threat actor allegedly gained access to the one state’s website, it sent numerous queries looking for specific voter data.
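The two defensive uses this alert suggests, matching web server logs against the released IP indicators while treating hits inside shared VPN ranges as weaker evidence, and spotting a scripted client that walks through record identifiers one after another, can be demonstrated in a single log-triage script. The example below is added here and is not code from the FBI, CISA or any vendor named in the article. Everything in it is constructed: the IP indicator table uses RFC 5737 placeholder addresses rather than the FBI's published indicators, the `/voter/lookup?id=` endpoint is hypothetical, the log lines are invented, and the thresholds (five distinct ids within sixty seconds) are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed IOC table: RFC 5737 placeholder addresses, NOT the indicators the FBI released.
# The value records which provider range the address is believed to belong to.
IOC_IPS = {
    "203.0.113.10": "placeholder: listed commercial VPN exit",
    "198.51.100.7": "placeholder: listed hosting-provider range",
}

# Constructed: ranges known to be shared commercial VPN exits. A hit inside one of these
# is the "likely VPN, possible false positive" case the alert warns about.
SHARED_VPN_NETWORKS = [ip_network("203.0.113.0/24")]

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical per-record lookup endpoint; adjust to the real application's URL scheme.
LOOKUP_RE = re.compile(r"^/voter/lookup\?id=(\d+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
203.0.113.10 - - [30/Oct/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2020:10:00:05 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.50 - - [30/Oct/2020:10:01:00 +0000] "GET /voter/lookup?id=1001 HTTP/1.1" 200 310 "-" "curl/7.68.0"
192.0.2.50 - - [30/Oct/2020:10:01:02 +0000] "GET /voter/lookup?id=1002 HTTP/1.1" 200 305 "-" "curl/7.68.0"
192.0.2.50 - - [30/Oct/2020:10:01:04 +0000] "GET /voter/lookup?id=1003 HTTP/1.1" 200 311 "-" "curl/7.68.0"
192.0.2.50 - - [30/Oct/2020:10:01:06 +0000] "GET /voter/lookup?id=1004 HTTP/1.1" 200 298 "-" "curl/7.68.0"
192.0.2.50 - - [30/Oct/2020:10:01:08 +0000] "GET /voter/lookup?id=1005 HTTP/1.1" 200 307 "-" "curl/7.68.0"
192.0.2.77 - - [30/Oct/2020:10:05:00 +0000] "GET /voter/lookup?id=1001 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r]


def ioc_hits(records):
    """Match source IPs against the IOC table; downgrade hits that sit in shared VPN ranges."""
    hits, seen = [], set()
    for r in records:
        ip = r["ip"]
        if ip not in IOC_IPS or ip in seen:
            continue
        seen.add(ip)
        shared = any(ip_address(ip) in net for net in SHARED_VPN_NETWORKS)
        hits.append({
            "ip": ip,
            "indicator": IOC_IPS[ip],
            # Shared exits are used by people worldwide, so the match alone is weak evidence.
            "confidence": "low (shared VPN exit, verify)" if shared else "medium",
            "first_seen": r["ts"].isoformat(),
        })
    return hits


def enumeration_alerts(records, min_distinct=5, window_seconds=60):
    """Flag a source that walks through many distinct record ids in a short span.

    Keyed on (ip, user agent) so a scripted client is reported with its tool string.
    The span check uses first-to-last request time, a simplification of a sliding window.
    """
    per_source = defaultdict(lambda: {"ids": set(), "first": None, "last": None})
    for r in records:
        m = LOOKUP_RE.match(r["path"])
        if not m:
            continue
        s = per_source[(r["ip"], r["ua"])]
        s["ids"].add(m.group(1))
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
    alerts = []
    for (ip, ua), s in per_source.items():
        span = (s["last"] - s["first"]).total_seconds()
        if len(s["ids"]) >= min_distinct and span <= window_seconds:
            alerts.append({"ip": ip, "user_agent": ua,
                           "distinct_ids": len(s["ids"]), "seconds": span})
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for h in ioc_hits(recs):
        print("IOC hit:", h)
    for a in enumeration_alerts(recs):
        print("Enumeration:", a)
```

On the constructed log the script reports both indicator addresses, with the one inside the shared VPN range marked low confidence, and a single enumeration alert for the `curl/7.68.0` client that fetched five distinct ids in eight seconds; the browser that looked up one record is not flagged. The alert's own caveat applies directly: an IOC match from a shared exit is a reason to pull surrounding activity, not a verdict on its own.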

The FBI and CISA are also monitoring Russian hacker activity and an alert from earlier this month notes that threat actors associated with that country have attempted to hack into state and local systems as well (see: US Officials Blame Data Exfiltration on Russian APT Group).

Managing Editor Scott Ferguson contributed to this report.
