FBI Warns Election Officials of Credential Phishing Attacks
The Federal Bureau of Investigation (FBI) warned US election officials on Tuesday of an ongoing and widespread phishing campaign trying to steal their credentials since at least October 2021.
“If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems,” the FBI said in a private industry notification [PDF].
“As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials.”
This is likely a concerted effort to target US election officials, given that the phishing emails share similar attachment files, use compromised email addresses, and were sent during the same period in time.
As the FBI further revealed, the attackers used various methods to redirect their targets to phishing landing pages designed to trick the recipients into entering their login credentials.
The threat actors used compromised email accounts belonging to US government officials and email addresses spoofing US businesses.
The FBI highlighted three different waves of phishing emails targeting election officials, using various tactics to trick them into handing over their credentials:
- On 5 October 2021, unidentified cyber actors targeted US election officials in at least nine states, and representatives of the National Association of Secretaries of State, with phishing emails. These emails originated from at least two email addresses with the same attachment titled, “INVOICE INQUIRY.PDF,” which redirected users to a credential-harvesting website. One of the email addresses sending the phishing emails was a compromised US government official’s email account.
- On 18 October 2021, cyber actors used two email addresses, purportedly from US businesses, to send phishing emails to county election employees. Both emails contained Microsoft Word document attachments regarding invoices, which redirected users to unidentified online credential harvesting websites.
- On 19 October 2021, cyber actors used an email address, purportedly from a US business, to send a phishing email containing fake invoices to an election official. The emails contained an attached Microsoft Word document titled, “Current Invoice and Payments for report.”
Mitigations to lower the risk of compromise
The US federal law enforcement agency believes the threat actors behind this phishing campaign will likely continue or increase attacks against US election officials with new phishing emails as the 2022 midterm elections are closing in.
Network defenders are advised to educate email users such as the election officials targeted in these attacks on how to identify phishing, social engineering, and spoofing attempts and always confirm requests for sensitive info—including credentials—through secondary channels.
They’re also urged to implement protocols to allow election officials and employees to report suspicious emails and require multi-factor authentication (MFA) on webmail, virtual private networks, and services that can be used to access critical systems.
As CISA previously said, state-sponsored hackers successfully compromised and breached US elections support systems by chaining together VPN and the Windows security flaws.
However, as CISA explained, it found no evidence that the APT actors were able to use their access to compromise the “integrity of elections data.”