The email coercing Democrats in Florida to vote for President Donald Trump seemed legitimate at first. It was sent from an apparently official email account, was personally addressed and even included the recipient’s home address. However, less than a day after the email was purportedly sent by far-right group the Proud Boys, U.S. officials revealed it to be part of an Iranian campaign to interfere in the U.S. election.
The influence campaign – which also targeted voters in Alaska, Pennsylvania and Arizona – showed a new level of Iranian sophistication, according to three Israeli cyberexperts who spoke with Haaretz and are knowledgeable about how hackers from the Islamic Republic operate.
They all say the bogus email marks a new type of cyberoffensive by Iran, but add that it raises further questions.
The case also highlights how difficult it is to attribute such cyberattacks nowadays, just as the United States ramps up its efforts to fight attempts by Russia, China and Iran to meddle in the November 3 election.
Last Wednesday, U.S. Director of National Intelligence John Ratcliffe said Russia and Iran have both tried to interfere in next week’s election.
The announcement followed a string of other statements by U.S. intelligence and law enforcement officials in recent weeks, revealing attempts past and present to undermine America’s voting system. These came through cyberattacks on voting networks and infrastructure, and disinformation campaigns. Though officials believe Russia is the bigger threat, both Russia and Iran are acting with what officials say is the clear intent to undermine the integrity of the electoral process.
According to Israeli web intelligence expert Dana Segev Moyal, the Proud Boys operation was different and more complex than past campaigns attributed to Iran.
“Most of what we know publicly about previous attacks attributed to Iran is that they were usually either more complex technologically – for example, cyberattacks on infrastructure – or, when they were social influence campaigns, they tended to focus on spreading disinformation on social media.”
Segev Moyal, who focuses on disinformation and has studied Iran’s past activities in this area, says we’re seeing something new this time: “We’ve never seen an email campaign targeting voters of a specific state with a specific message from a very specific organization,” she notes.
“At minimum, this shows a pretty detailed understanding of American politics. I doubt your average Israeli or Iranian knows who the Proud Boys are. You need to do research and follow American politics closely.” The extremist group made headlines after the first presidential debate, when President Trump refused to denounce it.
Boaz Dolev, a cybersecurity expert whose ClearSky firm has revealed Iranian cyberattacks and disinformation campaigns in recent years, agrees. He calls it “a very rare attack.”
What makes the attack so unique, according to both experts, is that it was actually quite simple from a technological perspective, but very complex in strategic terms.
“Contrary to what people think, this attack doesn’t actually require any hacking,” Segev Moyal explains. “Voter registration details are available online if you know how to find them. What’s interesting here is that they fused and corroborated different types of data to mount an influence campaign. That’s just not the type of planning we’ve seen up till now,” she says.
In 2018, Dolev’s ClearSky revealed a massive Iranian disinformation campaign. However, that operation was more in line with what we would term “fake news” and included a network of more than 70 pseudo-media outlets that covertly spread Iranian state propaganda in 15 different countries – a far cry from the complex and hyper-targeted influence campaign now being attributed to them.
Though both experts say it’s hard to draw a direct line between the email campaign and Iran – at least based on the information currently available – they state that, much like Russia, Iran’s capabilities and techniques are always changing, making it that much harder to prove.
Dolev offers one recent example that surprised him: A few weeks ago, his firm revealed an Iranian cyberoperation in Israel that tried to pass itself off as a criminal (as opposed to state) offensive. Operation Quicksand, as it was labeled, also showed new modes of operation that hadn’t previously been linked to Iran.
“There’s a certain chain of attribution people in the world of cybersecurity know how to do,” he explains. “You can link a certain technology or technique to a certain team, and you can link that team back to certain states.
“What I can tell you about the Iranians is that the last time we came out and said it was them [in Operation Quicksand], at first I didn’t think it was them, because technologically it showed they had taken a step forward in terms of their actual capabilities. It was a professional job that I hadn’t seen in this context before. But then you get some more information that allows you to make the attribution.”
In the case of the Proud Boys email campaign, it was Reuters and the United States that made the attribution with the help of information provided by Google and Microsoft. All the experts Haaretz spoke with said that without reviewing the actual information, they couldn’t independently confirm or deny the attribution’s veracity.
As Dolev puts it, experts in his field are constantly updating and revising their assumptions about what certain players can or can’t do. “So now we know Iran is an agent that has better technological capabilities than we had previously thought,” he says, referring to Operation Quicksand.
Nonetheless, he says, when it comes to disinformation campaigns, “most of their capabilities are actually basic – even if their cyberoffensives against organizations have been stepped up and are better than we initially thought.”
In this case, though, as Segev Moyal explains, “the operation was actually complex: In addition to finding all the [voter] emails and cross-referencing all the different data sets, they also had to find a Proud Boys server that was vulnerable and actually produce an email campaign.”
Proud Iranian boys?
The few details made public about how the email campaign was traced back to Iran show how complex such operations can be – both for the perpetrator and those trying to thwart them.
According to Reuters, it was a series of “dumb” mistakes that revealed the attack’s origins. For example, one of the emails sent out (there were a number in the campaign) included a video that purported to show how the hackers managed to obtain voter registration details. A few lines of code viewable in the video, as well as an IP address that was not blurred out, were traced back to websites and techniques previously used by Iran.
However, it’s exactly this type of slapdash error that also prompts questions. For instance, some reports have shown screen captures of the email. “In one of them, there’s a glaring typo in the subject line: ‘Voteing’ with an e,” Segev Moyal says. “It’s strange that someone would make such a big effort but then make such a silly mistake,” she adds.
A third expert, who spoke on condition of anonymity due to the sensitivity of their work and the issue, added that certain aspects of the operation actually look more similar to Russian operations.
This appears to be a scenario also examined by the United States: “Either they made a dumb mistake or wanted to get caught,” said a senior U.S. government official who spoke to Reuters when the story broke last week. But they added: “We’re not concerned about this activity being some kind of false flag due to other supporting evidence. This was Iran.”
Segev Moyal notes that “this is not something we can say is definitely not Iran – they can do that – but there are also others who do such things.” However, both she and Dolev refuse to call into question the American findings, saying that without further information, they simply cannot know for certain.
For Segev Moyal, one possible explanation is that, oftentimes, such campaigns are not really intended to succeed but merely to sow distrust and help create the sense that the U.S. electoral process is exposed to manipulation.
In this case, the video itself was also posted online. Social media analytics firm Graphika told Reuters that two Twitter accounts began posting links to the video last Tuesday evening and attempted to attract the attention of some media and political organizations. One account described itself as “Trump’s Soldier” and shared a link to the video with the comment: “It seems they hacked [the] voting system.”
This also highlights how much the disinformation efforts piggyback on statements being pushed out by the U.S. president himself.
“When you look at this as an influence campaign that wants to sway public opinion, this could make sense,” Segev Moyal says. “This was not really a cyberattack on voter infrastructure – no one, for example, is suggesting [the Iranians] or the Russians can alter the election results themselves.”
From this perspective, the true goal of the email campaign was perhaps to fuel the narrative that America’s electoral system is exposed.
For Dolev, one of the most interesting aspects of the attack was the U.S. response and the government’s decision to reveal the operation so quickly.
“This is a new American policy and we’re also seeing it in regards to the Russians,” he says, citing recent indictments against hackers operating for the GRU (the Russian army’s intelligence branch). By revealing the operations, Dolev adds, the United States is in a sense fighting back, as publicity can counter the effectiveness of such influence campaigns.
“During an influence campaign, the target country’s goal can be to respond as publicly as possible,” Segev Moyal says. “It helps restore public confidence, and show that everything is under control and voting systems have not actually been compromised. Like the operation itself, this type of response also aims at hearts and minds.”