US officials are shedding more light on how Iran-linked hackers stole voter info to send intimidating emails to Democrat voters. The FBI and Homeland Security’s CISA have issued an advisory (via Bleeping Computer) explaining the campaign, which ran from September 20th through October 17th. There was plenty of preparation, the agencies said, and poor defenses were at least partly to blame.
The intruders spent several days just scanning sites for vulnerabilities using a security tool from Acunetix. They also spent time researching specific exploits, including ones to spot and bypass web firewalls. They used the know-how to take advantage of election site vulnerabilities, including misconfigured sites. The techniques included SQL injections, web shell uploads and even “unique” site flaws. Scripts made “several hundred thousand” queries to download voter data.
They made at least some attempt to cover their tracks. Many of the linked IP addresses come from NordVPN’s service as well as other VPN providers.
The attackers obtained voter registration info for “at least one” state, officials said, although they unsurprisingly weren’t specific about the nature of that breach or the volume of data taken.
CISA and the FBI made several recommendations that, unfortunately, would be givens for many other organizations. They advised keeping systems updated with security patches, to scan for common web flaws like SQL injections, and to protect against web shells. Administrators should have two-step verification, too. Like it or not, election systems still have basic failings — it may be a long while before your voting info is truly secure.