The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory that provides more details on how an Iran-linked threat actor was able to steal voter registration information from US state websites, including election sites. The stolen data was later used in a campaign that delivered fake Proud Boys voter intimidation emails, which targeted Democratic voters and aimed to convince them to vote for President Donald Trump.
“CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election,” the alert says.
The attempts to download the voter registration data took place between September 29 and October 17, 2020. The attacks involved exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and unique flaws in websites.
“CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records,” the two agencies said.
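A defender-side check for the scripted record iteration described above, as an added example that is not from the advisory or the original article: it scans web access logs for clients that request many, mostly consecutive record IDs. The `/voter/lookup?id=` endpoint, the thresholds and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format). The /voter/lookup path,
# the "id" parameter and all addresses are hypothetical sample values.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [01/Oct/2020:10:00:{i:02d} +0000] '
     f'"GET /voter/lookup?id={1001 + i} HTTP/1.1" 200 512 "-" "curl/7.68.0"'
     for i in range(6)]
    + [f'192.0.2.55 - - [01/Oct/2020:11:00:{i:02d} +0000] '
       f'"GET /voter/lookup?id={2000 + i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
       for i in range(6)]
    + ['198.51.100.20 - - [01/Oct/2020:12:00:00 +0000] '
       '"GET /voter/lookup?id=4417 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
       '198.51.100.20 - - [01/Oct/2020:12:03:10 +0000] '
       '"GET /voter/lookup?id=9023 HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
ID_RE = re.compile(r'^/voter/lookup\?id=(\d+)$')


def find_enumeration(log_text, min_ids=5, min_seq_ratio=0.8):
    """Flag clients that request many distinct, mostly consecutive record IDs."""
    ids, agents = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        rec = ID_RE.match(m["path"]) if m else None
        if not rec:
            continue  # not a record lookup, or an unparseable line
        ids[m["ip"]].add(int(rec.group(1)))
        agents[m["ip"]].add(m["ua"])
    flagged = {}
    for ip, seen in ids.items():
        ordered = sorted(seen)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = steps / (len(ordered) - 1) if len(ordered) > 1 else 0.0
        if len(ordered) >= min_ids and ratio >= min_seq_ratio:
            # User-Agent is client-controlled, so it is context, not the trigger.
            flagged[ip] = {"distinct_ids": len(ordered), "seq_ratio": ratio,
                           "curl_ua": any(u.startswith("curl/") for u in agents[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The trigger is the access pattern rather than the `curl/` User-Agent string, so a client that presents a browser-like agent while walking IDs is still flagged.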
The Iranian APT actors first used the Acunetix vulnerability scanner to detect security flaws affecting the targeted sites, which later allowed them to exploit vulnerable servers.
The investigation revealed that the hackers researched the following information to further their efforts to survey and exploit state election websites:
- YOURLS exploit
- Bypassing ModSecurity Web Application Firewall
- Detecting Web Application Firewalls
- SQLmap tool
The alert also provides protective measures to block further attacks and Indicators of Compromise (IoCs) related to the observed campaign.