The FBI is warning that U.S. election and other state and local government officials in at least nine states received invoice-themed phishing emails, which in some cases were sent from compromised legitimate email addresses.
The emails, observed in October, shared similar attachment files and were sent close in time, which the FBI said suggested a “concerted effort” to target election officials. The phishing emails led recipients to a website designed to steal their login credentials.
“The FBI judges cyber actors will likely continue or increase their targeting of US election officials with phishing campaigns in the lead-up to the 2022 US midterm elections,” according to the Tuesday private industry notification, an FBI alert that aims to help security professionals and system administrators protect against various threats. “This assessment is based on reports of phishing attacks that occurred in October 2021 and had the characteristics of a coordinated, ongoing effort to target US election officials.”
On Oct. 5, phishing emails were sent to representatives of the National Association of Secretaries of State (NASS), an organization of U.S. public officials including various secretaries of state. The emails came from at least two addresses - including a compromised government official email account - with the same attachment titled “INVOICE INQUIRY.PDF,” which then redirected targets to the phishing landing page. On Oct. 18 and 19, phishing emails from various email addresses purporting to be from U.S. businesses were sent to county election employees and an election official. These contained Microsoft Word document attachments and had the same invoice-themed lure.
An NASS spokesperson said that the phishing email was reported to the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). The NASS staff did not click on the attachment in the phishing email, said the spokesperson.
U.S. election security has been a concern for years, particularly after the 2016 attacks against the Democratic National Committee. In 2020, Microsoft announced it had detected cyberattacks targeting people and organizations associated with both the Trump and Biden campaigns. The threat actors involved included Strontium, a threat group operating from Russia, Zirconium, operating from China, and Phosphorus, operating from Iran.
Nick Biasini, head of outreach with Cisco Talos, said it’s concerning any time election officials are being targeted. The two broad categories of election security threats include attackers going after election-associated organizations - such as the votes and tallies - and those that are looking to sway elections through misinformation or disinformation, he said. However, many organizations have spent years trying to improve their security by evaluating and mitigating any risks.
“At the very least it wasn’t a spear-phishing campaign, so it seems to be a little bit more of a wider net than we would see otherwise,” said Biasini. “One other thing is that these election organizations have been working for a while to deal with this type of threat, and this is one of the reasons why we always talk about multi-factor authentication being so important. In this case they were purely looking to harvest credentials, and if you did have MFA set up… then what they’re able to do with them is far less severe than what they would be able to do otherwise.”
The FBI recommended that network defenders ensure that their employees are trained on how to identify phishing and the best practices for providing sensitive information. Security teams should also implement various email protections, including creating protocols for employees to send suspicious emails to IT departments for confirmation, marking external emails with banners showing if the email is from an external source and enabling spam filters, according to the FBI.
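The email protections the FBI lists above (external-sender banners, a reporting path for suspicious mail, spam filtering) can be prototyped as a small triage rule set. The following is an added example, not code from the FBI alert or from any vendor named in the article: it parses raw messages with Python's standard `email` library, prefixes the subject of any mail from outside a hypothetical internal domain (`example-county.gov`, an assumed value) with an `[EXTERNAL]` banner, and separately flags the invoice-themed lure and attachment types the article describes. The sample messages are constructed for this example. The lure rule is deliberately independent of the sender check, because the article notes that some of the phishing mail came from compromised legitimate government accounts, which an external-sender banner alone would never mark.

```python
import re
from email import message_from_bytes
from email.policy import default

# Assumed internal domain for this example; anything else gets a banner.
INTERNAL_DOMAINS = {"example-county.gov"}

# Invoice-themed wording used in the campaign the article describes.
LURE_PATTERN = re.compile(r"\binvoice\b", re.IGNORECASE)

# Attachment types reported in the campaign (PDF and Word documents).
RISKY_SUFFIXES = (".pdf", ".doc", ".docx")

# --- constructed sample messages (not real mail) ---------------------------

# External sender with the "INVOICE INQUIRY.PDF" lure.
SAMPLE_PHISH = b"""From: Vendor Billing <billing@vendor-example.net>
To: clerk@example-county.gov
Subject: Invoice inquiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice.
--XYZ
Content-Type: application/pdf; name="INVOICE INQUIRY.PDF"
Content-Disposition: attachment; filename="INVOICE INQUIRY.PDF"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Routine internal notice with no attachment.
SAMPLE_INTERNAL = b"""From: IT Helpdesk <helpdesk@example-county.gov>
To: clerk@example-county.gov
Subject: Scheduled maintenance tonight
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The mail server will be offline from 22:00 to 23:00.
"""

# Same lure sent from a compromised legitimate internal account.
SAMPLE_COMPROMISED = b"""From: County Official <official@example-county.gov>
To: clerk@example-county.gov
Subject: INVOICE INQUIRY
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain; charset="utf-8"

See attached.
--ABC
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="invoice.docx"
Content-Disposition: attachment; filename="invoice.docx"
Content-Transfer-Encoding: base64

UEsDBAo=
--ABC--
"""


def sender_domain(msg) -> str:
    """Lower-cased domain from the From: header, or '' if none is present."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def attachment_names(msg) -> list:
    """File names of all attachment parts (empty for non-multipart mail)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: bytes, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Apply the banner and lure rules to one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=default)
    domain = sender_domain(msg)
    names = attachment_names(msg)
    subject = str(msg.get("Subject", ""))

    external = domain not in internal_domains
    invoice_lure = bool(LURE_PATTERN.search(subject)) or any(
        LURE_PATTERN.search(n) for n in names
    )
    risky_attachment = any(n.lower().endswith(RISKY_SUFFIXES) for n in names)

    return {
        "sender_domain": domain,
        "external": external,
        # Banner only marks outside senders; a compromised internal account passes.
        "subject": f"[EXTERNAL] {subject}" if external else subject,
        "invoice_lure": invoice_lure,
        "risky_attachment": risky_attachment,
        # Content-based flag fires regardless of where the mail came from.
        "flagged": invoice_lure and risky_attachment,
    }


if __name__ == "__main__":
    for label, raw in [("phish", SAMPLE_PHISH), ("internal", SAMPLE_INTERNAL),
                       ("compromised", SAMPLE_COMPROMISED)]:
        print(label, triage(raw))
```

The third sample is the case the article singles out: the banner does not fire because the sender is a legitimate internal address, but the content rule still flags it. In practice the `flagged` result would route the message to the IT review queue the FBI recommends rather than block it outright, since legitimate invoices also match the pattern.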
“Proactive monitoring of election infrastructure (including official email accounts) and communication between FBI and its state, local, territorial, and tribal partners about this type of activity will provide opportunities to mitigate instances of credential harvesting and compromise, identify potential targets and information sought by threat actors, and identify threat actors,” according to the FBI’s alert.