Connect with us

Hi, what are you looking for?


Malware & Threats

State Election System Hacking Linked to Previous Attacks

Researchers have found links between the recent cyberattacks on U.S. state election systems and previous operations targeting political and government organizations in Turkey, Ukraine and Germany.

Researchers have found links between the recent cyberattacks on U.S. state election systems and previous operations targeting political and government organizations in Turkey, Ukraine and Germany.

A flash alert issued by the FBI last month warned about a couple of attacks targeting board of election systems in two U.S. states. While the agency did not name the states, they are believed to be Illinois and Arizona, both of which shut down their voter registration systems this summer following cyberattacks.

The FBI’s report included a list of IP addresses and penetration testing tools used by the attackers in their operations.

Unnamed U.S. officials told the press that the attacks were conducted by Russia, just like the recent campaigns targeting the U.S. Democratic Party and the World Anti-Doping Agency (WADA).

Researchers at threat intelligence firm ThreatConnect have analyzed the IP addresses disclosed by the FBI and determined that one of them was previously used in spear-phishing campaigns aimed at the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.

The phishing campaigns, conducted between March and August 2016, leveraged an open source phishing framework named Phishing Frenzy. Researchers managed to access the attackers’ control panel and discovered a total of 113 emails written in Ukrainian, Turkish, German and English.

Of these emails, 48 were typical phishing emails targeting Gmail accounts, while the rest were specifically designed to capture the attention of the recipient by purporting to come from an affiliate or an organization of interest.

Advertisement. Scroll to continue reading.

Some of the AK Party members targeted with the spear phishing emails also show up in the recent WikiLeaks dump of nearly 300,000 AK Party emails, but experts have not been able to determine if the two incidents are connected.

In addition to links to previous attacks, ThreatConnect discovered some connections to Russia and operations believed to be sponsored by the Russian government. One of the domains hosting the phishing pages was registered with an email address associated with a domain known to be used by the Russian threat actor Fancy Bear, aka APT28, Pawn Storm, Sednit, Sofacy and Tsar Team.

While researchers have not found any direct links to the Russian government or a known Russian state-sponsored actor, circumstantial evidence seems to point at Russia.

First of all, intelligence collected from the targeted organizations could be highly useful for Russia’s diplomatic relations and military efforts. As for more technical evidence, experts discovered that six of the eight IP addresses disclosed by the FBI belong to a Russian hosting service, and one of them had previously hosted a Russian cybercrime market.

Some of the IPs are owned by a company called FortUnix Networks. This firm’s infrastructure was also leveraged in BlackEnergy attacks targeting the Ukrainian power grid last year.

Another piece of evidence is related to the penetration testing tools described in the FBI flash alert. Some of the tools were previously used by Anonymous Poland, a group that recently leaked files from the anti-doping agency WADA. The attackers claim to be hacktivists, but researchers suspect they might be a creation of a Russian APT that wants to hide its tracks.

Related: Pawn Storm Group Targets Turkey

Related: German Spy Service Says Russia Behind Major Cyber Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...