Election Interference Exposed: Iranian APT Scans and Exploits U.S. Voter Data
- Actor Motivations: Disinformation, Exfiltration
- Attack Vectors: Security Misconfiguration, SQL Injection, Vulnerability Exploitation
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
The joint advisory from CISA and the FBI reveals that an Iranian advanced persistent threat (APT) actor targeted U.S. state websites, specifically election websites, in an attempt to influence the 2020 presidential election. The actor scanned targets with Acunetix, exploited public-facing applications, and used VPN services to mask its operations. The APT also attempted to access and distribute U.S. voter registration data, which was subsequently used in disinformation campaigns misleadingly attributed to domestic sources. The operations ran from September 20 to October 17, 2020, and aimed to compromise election infrastructure and gather sensitive information.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Government Agencies and Services | Verified |
Region | United States | Verified |
Extracted IOCs
Tip: 38 IOCs related to this threat have been found (38 IP, 0 domain, 0 URL, 0 email, 0 file hash).
FAQs
Understanding the Iranian Cyber Operation Targeting U.S. Voter Data
An Iranian cyber group targeted U.S. state election websites in 2020, stealing voter registration data and using it in a propaganda video meant to spread disinformation and intimidate voters.
The U.S. government attributed the operation to an Iranian advanced persistent threat (APT) group known for targeting government and infrastructure systems.
The primary goal was to interfere with the 2020 U.S. presidential election by spreading false information and creating confusion and mistrust among voters.
Voter registration data—including personally identifiable information—was accessed and misused in an attempt to deceive the public.
The attackers exploited website flaws, used automated tools to scan and extract information, and bypassed standard security protections on public election sites.
The attackers likely aimed to influence political outcomes, erode trust in the electoral process, and create societal division.
This was a targeted campaign against specific state election systems, but it underscores broader vulnerabilities in election infrastructure.
Agencies and organizations should strengthen their cybersecurity posture—patching systems, monitoring traffic, and training personnel to spot malicious activity and disinformation.