Iranian hackers behind fake emails
Government analysts and private sector investigators were able to rapidly attribute to Iranian hackers a wave of thousands of threatening emails aimed at US voters because of mistakes made in a video attached to some of the messages, according to four people familiar with the matter.
Those failures provided a rare opportunity for the US government to identify and publicly announce blame for a malicious cyber operation in a matter of days, something that usually requires months of technical analysis and supporting intelligence.
“Either they made a dumb mistake or wanted to get caught,” said a senior US government official, who asked not to be identified. “We are not concerned about this activity being some kind of false flag due to other supporting evidence. This was Iran.”
Attribution to Iranian hackers does not necessarily mean a group is working at the behest of the government there and Iranian officials denied the US allegations.
“These accusations are nothing more than another scenario to undermine voter confidence in the security of the US election, and are absurd,” said Alireza Miryousefi, spokesman for Iran’s mission to the United Nations in New York.
US Director of National Intelligence, John Ratcliffe, said Russia and Iran had both tried to interfere in the campaign for the Nov 3 election. US intelligence agencies are still analysing exactly who in Iran commanded the operation and its intent, three of the sources said.
Within hours of the video being circulated this week, which purported to come from an American far-right group known as “The Proud Boys”, intelligence officials and major email platform providers, such as Google and Microsoft, began closely analysing computer code that appeared in the hackers’ video.
While the emails, which demanded that voters change their party affiliation to the Republican Party and vote for President Donald Trump or “we will come after you”, appeared to come from an official-looking Proud Boys email address, the address was inauthentic, security analysts said.
The Proud Boys denied they were behind the messages.
How security analysts used intelligence from the video to attribute the email scheme has not been previously reported.
A Microsoft spokesperson declined to comment on the company’s collaboration with law enforcement. Google said the activity was “linked to Iran” and that the company was in contact with the FBI.
Despite attempts to blur aspects of the video to hide their identity, the hackers were unable to obfuscate all of the incriminating information, the sources said.
The video showed the hackers’ computer screen as they typed in commands and pretended to hack a voter registration system.
Investigators noticed snippets of revealing computer code, including file paths, file names and an internet protocol (IP) address.
Security analysts found that the IP address, hosted through an online service called Worldstream, traced back to previous Iranian hacking activity, the sources said.
Analysts then cross-referenced those clues left in the video with data from other intelligence streams, including communications interceptions, the government official said.
“This public disclosure of attribution to Iran by the government has been done with breakneck speed, compared to the usual process that takes months and often years,” said Dmitri Alperovitch, a co-founder and former CTO of cybersecurity company CrowdStrike.
Two cybersecurity experts, who spoke on condition of anonymity because they were not authorised to talk to the press, independently said they had seen Iranian hackers use infrastructure from Dutch-based Worldstream to launch cyberattacks in recent months.
In addition to sending thousands of emails to voters in states including Florida, the hackers also attempted to share links to the video via fake accounts on Facebook and Twitter.