Since the 2016 U.S. presidential election, Russia has been singled out for its role in sowing disinformation and discord to boost President Trump’s candidacy. But while the U.S. director of national security recently highlighted Russia’s ongoing attacks on this year’s election, he also noted similar attempts by Iran.
The twist is that Iran’s efforts have been aimed at boosting the candidacy of former vice president Joe Biden. While these attacks are nowhere near the level of Russia’s, they still raise the question of how Biden should respond if he wins the election.
More broadly, Iran’s disinformation operation is another sign of the rise of cyberwarfare around the globe. Countries increasingly see such campaigns as a viable tool for influencing foreign governments that are critical to their security and economic interests.
“I think this election, we’re seeing how Iran is getting into the game,” IntSights cyberthreat intelligence advisor Paul Prudhomme said. “I wonder if they will continue taking pages from the Russian playbook, so to speak, and become more aggressive. They see that the Russians have presumably had some success in manipulating things to their advantage, so why shouldn’t they try to do the same? I think the long-term trend is toward escalation.”
Prudhomme recently wrote a report for IntSights examining Iran’s cyberattack efforts. Based in New York City, IntSights has developed a threat detection platform that uses artificial intelligence and machine learning to scour the deep and dark web for specific keywords in order to alert potential targets. In the case of elections, these attacks target governments and social media platforms, but they are also directed at enterprises that hold potentially valuable consumer data that could be linked to other voting data for more precise targeting.
In the latest report, Prudhomme found patterns confirming that “Iran is one of the most likely state sponsors of cyberattacks designed to influence the outcome of the 2020 U.S. presidential election.”
Iran’s fervent support for Biden is not particularly surprising, as he was vice president when the Obama administration signed a nuclear deal with the country in exchange for removing many tough economic sanctions. Trump threw that deal out the window, cutting Iran off from many trading partners and putting its economy into a tailspin.
Biden has said he would seek to restart diplomacy with Iran if elected, and it seems the country is taking him at his word.
But Iran’s attacks might constitute the kind of election interference critics cite when they call for tougher sanctions and penalties against Russia. Trump has repeatedly ignored these calls and still insists Russia did nothing wrong, despite evidence from U.S. intelligence agencies.
If Biden wins, will he face calls to penalize Iran for meddling in a U.S. election? How would that affect his ability to reach a diplomatic deal with the country? Prudhomme said Iran is willing to risk such a backlash because the state of its economy is so dire.
“I think Iran, in their current economic situation, doesn’t have the luxury of keeping their hands clean,” he said. “They need to feed their people. The economic situation is so bad that the potential side effect from any political backlash is probably worth tolerating.”
Infiltrating elections
In an attempt to understand the threat landscape, Prudhomme said he wanted to look beyond the two most frequently discussed cyberwarfare actors: Russia and China. The example Russia set in 2016 has apparently become a roadmap for others to follow. So Prudhomme decided to focus on Iran to see how a smaller country could mimic such attacks. Iran was also a good subject because of its fight with the Trump administration over sanctions.
“I wanted to get a little different perspective and see if governments other than Russia might be engaged in such activities,” he said. “Iran seemed to be the leading candidate.”
In recent months, Prudhomme and others have noted that Iran does indeed seem to be emulating Russia’s tactics. This includes trying to hack into email accounts and release damaging information against perceived opponents, like the Trump administration. In the past, Iran has also used email phishing campaigns and malware to attempt to access email accounts.
Two months ago, Microsoft’s security researchers disclosed that Iranian hacking group “Phosphorus” continues to attack email accounts of people working on the Trump campaign. Phosphorus has been operating for several years, and Microsoft has been waging a technical and legal battle to block the group.
Prudhomme said Iran seemed to be trying to follow the playbook Russia used when it hacked into Democratic National Committee email accounts and then released the emails through WikiLeaks in 2016. So far, it doesn’t appear that Iran has been successful.
But Prudhomme predicts that Iran will also try to use a third-party group to make the leaks public if it ever succeeds. He noted that in 2015, an Iran-backed Yemeni group hacked into Saudi Arabian email accounts and released damaging emails through WikiLeaks. Prudhomme said the attribution of the leak to the Yemeni group was a cover for Iranian hackers.
One of the most notable recent incidents attributed to Iran involved thousands of intimidating emails sent to Democratic voters in Florida. The emails appeared to come from the white supremacist group the Proud Boys and threatened recipients if they did not change their party registration and vote for Trump. Some emails included a video of a hacker demonstrating how to access voting information.
It appears that Iranian hackers managed to access Florida voter registration data and used that to target people.
“The desired effect there was to make the Trump campaign and his supporters look like violent thugs,” Prudhomme said.
Facebook separately confirmed that the groups involved in the coordinated email campaign were linked to accounts the social media giant had previously tried to remove from its platform. Facebook suspended one account that tried to share the video from those emails. In August 2018, Facebook, Twitter, and Google took down hundreds of accounts for running coordinated campaigns to promote Iranian propaganda.
Prudhomme said fairly modest security measures — such as two-factor authentication — could have prevented many of the intrusions. As these strategies also target basic human behavior, he recommends training employees on security hygiene and reminding them to be vigilant about not opening fishy emails or clicking on links sent from unknown accounts.
These and other security measures, like fighting disinformation, are going to be even more critical in the future. Prudhomme projects that a growing number of smaller countries are likely to invest in the resources needed to conduct cyberwarfare against election infrastructure.
“I would argue that this becomes a trend,” he said. “All of these methods are now part of a clear repertoire that actors can use to attempt to manipulate an election.”