Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

US Alleges Iran Sent Threatening Emails to Democrats

Iran Is Attempting to Intimidate Voters and Manipulate Election, US Officials Warn
US Alleges Iran Sent Threatening Emails to Democrats
U.S. officials say Iran is running a campaign involving fake emails and videos (pictured) designed to cast doubt on the integrity of U.S. elections. (Image: Proofpoint)

Iran has obtained Americans' voter registration data and is using it in an attempt to push misinformation before the Nov. 3 presidential election, U.S. officials warn.

In a Wednesday press conference at FBI headquarters in Washington, Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray said active campaigns are targeting U.S. voters and attempting to damage trust in the U.S. election system.

"To that end, we have already seen Iran sending spoofed emails designed to intimidate voters, incite social unrest and damage President Trump," Ratcliffe said. He added that a video being distributed by Iran, which suggests that U.S. ballots can be successfully faked, and any other communications to this effect, "are not true."

Sen. Chuck Schumer of New York, the Democratic leader, was one of multiple senators briefed by intelligence officials on Wednesday. Later, in an appearance on MSNBC's “The Rachel Maddow Show,” Schumer said that the information he received did not suggest that the Iranian effort was designed to damage the Trump campaign. "From the briefing, I had the strong impression it was much rather to undermine confidence in elections and not aimed at any particular figure,” he said.

Threatening Emails

Some Democratic voters have reportedly received the fake, spoofed emails, which threaten physical violence unless recipients vote for Donald Trump.

Ratcliffe said both Iran and Russia have separately obtained fresh U.S. voter registration information. At least so far, however, U.S. intelligence has seen no signs of Russia using it for attempted misinformation, as Moscow did ahead of the 2016 U.S. election. Ratcliffe also emphasized that the FBI and Department of Homeland Security had immediately detected and responded to the new Iranian campaign. "We are on top of this," he said.

U.S. Director of National Intelligence John Ratcliffe details attempts by Iran and Russia to interfere in the election, in a Wednesday press conference.

Iranian officials have denied that Tehran is behind any such campaign. “Unlike the U.S., Iran does not interfere in other countries’ elections,” said Alireza Miryousefi, the spokesman for the Iranian Mission to the United Nations, potentially referencing the CIA's role in a 1953 coup that overthrew his country's democratically elected prime minister.

“Iran has no interest in interfering in the U.S. election and no preference for the outcome," he claimed.

U.S. officials have not suggested that voter data was obtained via hacking or other types of attacks. While the availability of voter registration data varies, many states - such as Florida - make names, party registrations and contact information easily available, and they are widely used by political campaigns.

Of course, such information can be misused. "This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy," Ratcliffe said.

'Fact: Ballot Secrecy is Guaranteed by Law'

Christopher Krebs, the director of the U.S. Cybersecurity and Infrastructure Security Agency, warns that, from adversaries' standpoint, now is an ideal time for election interference. He has also urged Americans to not believe "threatening emails with misleading info about the secrecy of your vote."

Democratic leaders have emphasized the need for an election free from interference by outside forces. "We cannot allow voter intimidation or interference efforts, either foreign or domestic, to silence voters' voices and take away that right," California Reps. Nancy Pelosi, speaker of the U.S. House of Representatives, and Adam Schiff, who chairs the House Intelligence Committee, say in a joint statement.

In September, the FBI and CISA disputed a report in a Russian newspaper that U.S. voter registration data had been stolen and offered for sale on darknet forums. The agencies said much of the data was already public (see: FBI, CISA Reject Russian Claim That US Voter Data Was Stolen).

'We Will Come After You'

The threatening emails began arriving earlier this week. Some voters in Florida and Alaska with a Democratic affiliation received emails saying: "You will vote for Trump on Election Day or we will come after you," The Washington Post reports. The emails purported to come from the Proud Boys, a pro-Trump, far-right, fascist group. Some voters in Arizona also received the messages, Vice reports.

Example of a threatening email received by U.S. voters (Source: Proofpoint)

The Proud Boys have disputed that they were the source of the emails. Security experts say that the domain name registered by the group - "officialproudboys[dot]com" - was spoofed in the emails. Email security vendor Proofpoint reports that it has also seen a message that used the proudboysusa[.]com domain.

Unnamed intelligence and security officials told The New York Times that the first batch of Iranian emails was routed through a compromised insurance firm's network in Saudi Arabia.

Proofpoint says its monitoring systems had amassed at least 1,000 messages sent to registered Democrats on Tuesday and Wednesday, which had been routed via an Estonian textbook company's network. Some of the emails contained the home addresses of the individuals targeted by the messages, it says.

Example of an email sent to Democratic voters that claims to have come from the proudboysusa[dot]com domain. (Source: Proofpoint)

Metadata in the emails indicates that the messages were sent not just from servers in Saudi Arabia and Estonia, but also Singapore and the United Arab Emirates, the Post reports.

Hacker Video: Fake

Iran is also distributing a video "that implies that individuals could cast fraudulent ballots, even from overseas," DNI Ratcliffe said. "This video and any claims about such allegedly fraudulent ballots are not true."

Interest in and use of mail-in voting, which has been available for decades, has surged this election season due to COVID-19. With the coronavirus pandemic continuing, many states now allow anyone to apply for an absentee ballot, while some states have mailed a ballot, or a form for requesting one, to every voter.

On multiple occasions, however, President Trump has baselessly claimed that voting by mail opens up opportunities for fraud. Before this year, five states mailed ballots to all voters and reported seeing no significant fraud.

The video allegedly being circulated by Iran taps Trump's claims. The video begins with the president saying "I think that mail-in voting is a terrible thing." It shows a logo with the Proud Boys name and then shows what purports to be a hacker scrolling through voter registration data, in part using an automatic SQL injection and database takeover tool called SQLmap.

The purported hacker then conducts a demonstration using a computer running Kali Linux, which is a Debian-based Linux distribution designed for penetration testing and security auditing. The individual in the video accesses the Federal Voting Assistance Program's website and a federal write-in absentee ballot. Federal write-in absentee ballots are intended for people who have not received their absentee ballots or are living overseas, according to the FVAP's website.

The purported hacker then uses data from voter registration rolls to fill out several ballots, purportedly ones that could be mailed in. The end of the video shows folders, each with the name of a state, containing allegedly fraudulent ballots.

A screenshot from the video that purportedly shows the states for which the Iranian group has voter registration data (Source: Proofpoint)

Despite such claims, the National Conference of State Legislatures emphasizes that states have measures for detecting fraudulent ballots and ensuring that people do not vote twice.

Goals: Dismiss, Distort, Distract, Dismay

Security experts warn that attempts to cast doubt on the legitimacy of the U.S. election system remains a top goal of adversaries. Such campaigns need not hack anything, but rather only suggest something has been hacked. The so-called 4D approach perfected by the Kremlin, for example, pursues these four strategies: dismiss, distort, distract and dismay.

Officials continue to warn Americans to not fall for these tricks. "We encourage everyone to seek election and voting information from reliable sources - namely, your state election officials - and to be thoughtful, careful and discerning consumers of information online," FBI Director Wray said at the Wednesday press conference (see: FBI's Elvis Chan on Election Cybersecurity).

FBI Director Christopher Wray speaks at the Wednesday press conference on attempts to interfere in the U.S. election.

"We’ve been working for years as a community to build resilience in our election infrastructure - and today that infrastructure remains resilient," he added. "You should be confident that your vote counts."

Ratcliffe, the director of national intelligence, said there would be consequences for adversaries (see: Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?). "We will not tolerate foreign interference in our elections. Do not allow these efforts to have their intended effect. If you receive an intimidating or manipulative email in your inbox, do not be alarmed, and do not spread it," he said.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.