Some Iranian state-sponsored hacking groups have been attempting to steal voter registration data from various election sites in the U.S. The FBI has shared details about various TTPs used by these hackers.
Hackers spoof Proud Boys
On October 30, the CISA and the FBI shed light on the activities of Iranian state-sponsored hackers and alerted voters in a joint advisory. Hackers were seen using fake Proud Boys-themed emails.
- The advisory stated that the Iranian APT actors are attempting to exploit misconfiguration and known vulnerabilities, such as directory traversal, SQL injection, web shell uploads, and unique flaws in election websites, using the Acunetix vulnerability scanner and advanced open-source queries.
- In addition, the hackers used paid VPN services such as NordVPN, CDN77, HQSERV, and M247, along with curl and FDM in the campaign.
- In mid-October, Proofpoint researchers observed emails purporting to be from a far-right and neo-fascist male-only organization, known as Proud Boys, threatening the recipient (Democratic voters).
- A few weeks ago, in a press conference, Director of National Intelligence (DNI) John Ratcliffe had stated that Iran and Russia have gained access to voter registration information and Iran has been using it to send out threatening emails to Democratic voters.
CISA and FBI advisories
- According to an FBI flash alert, in this fake Proud Boys campaign, the hackers had obtained copies of voter registration data between September 29 and October 17.
- On October 22, CISA and FBI published a joint advisory warning that Iranian APTs are attempting to obtain election data by creating fictitious media sites and spoofing legitimate media sites.
The FBI and the CISA have provided several recommendations including keeping all the applications updated and patched, regularly auditing the networks for any vulnerabilities, and disabling any unused services and ports to minimize exposure to outside networks.