The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert to warn that an Iranian threat actor recently accessed voter registration data.
The warning comes roughly one week after the United States revealed that the same adversary targeted Democratic voters in multiple states with emails seeking to intimidate them into voting for President Donald Trump.
In the previous alert, CISA and the FBI noted that the Iranian hackers targeted known vulnerabilities in virtual private network (VPN) products and content management systems (CMSs), including CVE-2020-5902 (code execution in F5 BIG-IP) and CVE-2017-9248 (XSS in Telerik UI).
Now, the two agencies reveal that the legitimate vulnerability scanner Acunetix was employed by the hackers in their endeavor, and that stolen data was used to send intimidation emails in at least four different states.
“CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election,” the alert reads.
Between September 29 and October 17, the adversary launched attacks on U.S. state websites, including election websites, to access voter information, CISA and the FBI say.
Observed activity includes exploitation of known vulnerabilities, the use of web shells, and the abuse of web application bugs.
“CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records,” CISA and the FBI say.
The two agencies also note that not all of the observed activity could be attributed to the same Iranian threat actor (which posed as the hate group Proud Boys), but did not share details on other threat groups involved in election targeting.
According to the alert, the Iran-based adversary used open-source queries to access PDF documents from state voter sites and also researched specific information to leverage in their exploitation attempts, namely the YOURLS exploit, bypassing the ModSecurity web application firewall, detecting web application firewalls, and an SQLmap tool.
To stay protected, the two agencies say, organizations should make sure their applications and systems are always up to date, that known vulnerabilities are identified and addressed, firewalls and other protections are implemented, and that two-factor authentication is used.
Related: US Officials Link Iran to Emails Meant to Intimidate Voters
Related: U.S. Voter Data Traded on Hacker Forums: Researchers
Related: Misconfigured Database Exposes Details of 191 Million Voters

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
