Coordinated phishing campaign targeted election officials in nine states, according to FBI

An invoice-themed phishing campaign targeted elections officials in at least nine states in October 2021, according to a warning the FBI issued Tuesday.

The attackers sought to steal login credentials and could have had “sustained, undetected” access to election administrators’ systems, the notice said.

The emails — sent in batches on at least three separate days — “shared similar attachment files, used compromised email addresses, and were sent close in time, suggesting a concerted effort to target US election officials,” the notice reads.

It’s unclear whether any of the phishing attacks were successful. The FBI did not immediately respond to a request for comment. “The FBI judges cyber actors will likely continue or increase their targeting of US election officials with phishing campaigns in the lead-up to the 2022 midterm elections,” the notice reads.

Phishing campaigns targeting election administrators through vendors, businesses, or other means was part of the Russian election interference campaign during the 2016 elections. In that case, emails purporting to be from Florida-based elections equipment vendor VR Systems was sent to 122 email addresses “associated with named local government organizations,” according to a National Security Agency assessment of the campaign.

According to the new FBI warning, on Oct. 5, 2021, “unidentified cyber actors” sent emails originating from at least two email addresses to unidentified officials in nine unnamed states and to representatives of the National Association of Secretaries of State (NASS). The emails contained the same attachment titled “INVOICE INQUIRY.PDF,” which would redirect targets to a credential-harvesting website.

One of the emails used in the attack came from a compromised U.S. government official’s email account, according to the notice. Secretaries of state are the top election officials in roughly 40 states.

“This phishing email was reported by NASS staff to the EI-ISAC, which is a standard protocol in this type of situation,” Maria Benson, the director of communication for NASS, told CyberScoop Tuesday in an email. “NASS staff did not click on the email attachment in question and therefore did not experience an ‘incident.’ The EI-ISAC shared with their networks as it is supposed to.”

A representative for the Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) could not immediately be reached for comment. The industry group shares threat intelligence, best practices and coordinates training and awareness among its members.

On Oct. 18, 2021, hackers using two email addresses purporting to be from U.S. businesses targeted unnamed county election employees with Microsoft Word documents posing as invoices. The documents also led targets to online credential harvesting websites.

The next day, Oct. 19, 2021, the attackers sent another phony invoice in an attached Microsoft Word document to an unnamed election official.

The emails are a reminder that election administrators “must remain vigilant,” said Tammy Patrick, a senior advisor on elections for the nonpartisan Democracy Fund and election administration expert.

“Unfortunately, election officials are still inundated with unnecessary and frivolous distractions rehashing previous elections,” she added. “We must focus on the 2022 tasks at hand: implementation of new district lines and the precincting of voters; securing proper resources, poll workers, and facilities for the primaries (and the general) to properly serve voters; and ensure that attempts like this are not successful.”

Corrected 3/30/22: to accurately account for the number of secretaries of state who serve as their state’s chief elections official.