Feds: Iran Behind ‘Proud Boys’ Email Attacks on Democratic Voters

Messages that threaten people to ‘vote for Trump or else’ are part of foreign adversaries’ attempts to interfere with the Nov. 3 election, according to feds.

Federal officials claim that Iranian threat actors are behind two separate email campaigns that assailed Democratic voters this week with threats to “vote for Trump or else.” The campaigns claimed to be from violent extremist group Proud Boys.

Two specific email campaigns — one on Tuesday, Oct. 20, and one on Wednesday, Oct. 21 — threatened Democratic voters in Alaska, Arizona and Florida, claiming that attackers had accessed “all of your information.” They warned that there would be dire repercussions if voters didn’t cast their ballot for President Trump in the upcoming election, according to a Wednesday Proofpoint report. The research came on the heels of a report from WUFT in Florida that the FBI was investigating threatening emails sent to Democratic voters in the state.

The emails of both campaigns were sent from addresses linked to the far-right, male-only group Proud Boys — “Proud Boys <info[@]officialproudboys[.]com>” on Oct. 20 messages and “Proud Boys <info[@]proudboysusa[.]com>” on Oct. 21 messages. However, federal officials claimed in a press conference late Wednesday that Iran had obtained some voter registration information and was actually behind the attack.

“We have already seen Iran sending spoofed emails designed to intimidate voters, incite voters and damage President Trump,” Director of National Intelligence John Ratcliffe said in the briefing.

Iran also is distributing other content to mislead voters, including a video that implies that individuals can cast fraudulent ballots, even from overseas, Ratcliffe said. “These videos are not true,” he said, calling the actions of Iran to interfere with the election “desperate attempts by desperate adversaries.”

Of note, Reuters has reported that government sources say that, while U.S. officials suspect the Iranian government was involved, concrete evidence remains inconclusive. Meanwhile, others in the security research community told ZDNet that they could not confirm the attribution to Iran.

Proud Boys Content

The video in question is a Proud Boys-branded video demonstrating a Kali Linux user filling out voter registration and absentee ballots for Alaskan citizens, according to the report from Proofpoint, whose researchers obtained a copy.

“We only observed two intended recipients of these messages, both of whom appear to reside in Florida,” wrote researchers. The video appeared to be taken off the Internet not long after researchers viewed it, they said.

The emails observed by Proofpoint demonstrate that attackers did obtain sensitive personal information of voters, and also show those behind the threats changing up their tactics to avoid detection.

Messages in the Oct. 20 campaign — which Proofpoint separated into two sets — show that the threat actors have the home addresses of some of their victims. Researchers traced messages in set one to a PHPmailer script hosted on a likely compromised Saudi Arabian insurance company website, while set two was routed through the website of an Estonian textbook publisher, as previously reported by Vice.

The email attacks and attempts to spread misinformation are a departure from recent and more typical tactics used by threat actors to interfere in the U.S. elections, such as impersonation of the Democratic National Committee and various fraudulent voter registration portals, researchers said.

“Previous activity used political themes to entice users to click on links or open attachments but did not appear especially politically motivated,” they wrote in the report.

Indeed, this election season has seen a ramp-up and variation in the methods state-sponsored actors use to interfere with the 2020 U.S. elections, which have been complicated by the COVID-19 pandemic.

This election will see many more voters choose to vote by mail, increasing the load of votes the postal system will handle. People also have opted to vote early to avoid long lines on election day, a scenario that could invite attacks on voting machines. These various scenarios provide a wider playing field for attackers to target in the run-up to the official election day on Nov. 3, experts observed.

Discussion

  • Jim S on

    Headline: "Iran did it". Actual text of story: "Saudi Arabia did it". This is why the FBI and their lapdog journos have credibility with the public.
    • Tara Seals on

      Actually, the article noted that one of the malicious scripts was hosted on a "likely compromised Saudi Arabian insurance company website, while set two was routed through the website of an Estonian textbook publisher." It's very common practice in the cybercrime world to hack legitimate websites and use them to host malicious code -- usually in countries other than where the cybercriminals reside. This is a classic tactic to hide their tracks. Nothing here indicates that Saudi Arabia (or Estonia for that matter) was involved in these attacks.
