On Tuesday, hackers sent thousands of emails urging voters in Florida, Alaska, Arizona, and other states to "Vote for Trump or else!" in messages that included the voters' home addresses. The emails were designed to make it look like they were coming from the Proud Boys, a violent, far-right group that was recently name dropped by Donald Trump during the first presidential debate.
Less than 48 hours after people started receiving the threatening messages, the US government publicly accused Iran of being behind the campaign. In a short and late press conference on Wednesday, the Director of National Intelligence John Ratcliffe called the emails and an accompanying video "desperate attempts by desperate adversaries” that had the goal of "intimidate or attempt to undermine voter confidence."
Since the last minute press conference with the FBI and DNI, other senior officials have said that Iran was responsible for the interference, including those who focus specifically on cybersecurity. Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), tweeted on Thursday "Iran is behind the emails and video."
"They've been throwing everything at the wall to see what sticks and this has by far been one of the most successful of their tricks so far"
There is still little public evidence Iran did this campaign: Attributing a cyber operation of any kind to a particular government is a meticulous and often complicated endeavour, and the government who points the finger often can't show the evidence right away. In this case, however, experts who have tracked and studied Iranian government hackers, as well as Iran's hacking and disinformation campaigns, have little doubt.
Motherboard is publishing the video sent to voters in order to show readers what disinformation campaigns look like, as well as to explain why cybersecurity experts believe Iran is behind this, and what evidence in the video can be useful for attribution purposes. We have redacted the personal information of unsuspecting victims.
Simin Kargar, a Ph.D student at Johns Hopkins University studying Iranian disinformation, says Iran has been actively attempting to roll out hacking and disinformation campaigns lately, and these emails and video "fits the bill" of their goal of "bullying specific populations and trying to stir up division and chaos."
"They are getting more adventurous in terms of 'let’s try something new, similar to what Russia tried in 2016, and see where it takes us,'" Kargar, who is also a nonresident fellow at Atlantic Council’s DFRLab, told Motherboard in a phone call. "And sure enough they got a lot of media attention and political attention which in the bureaucracy of information operations can be a success."
Amir Rashidi, who has tracked Iranian hackers for around 10 years, said that this operation "totally fits their style."
"Iran always loves to answer, do you remember when the US sent text messages to Iranians inside Iran and told them if they know about Iranian operation for the US election?" Rashidi, who is the director of Digital Rights at the Miaan Group, told Motherboard in an online chat. "This is like that. Sending a message inside the country."
Do you work on election security? Do you do vulnerability reserch on voting machines or ssystems? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email firstname.lastname@example.org. You can contact Joseph Cox on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com
A spokesperson for the Director of National Intelligence said in an emailed statement: “As NCSC Director Bill Evanina said on August 7th, the IC assesses ‘that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections.’ What the DNI made clear last night is that Iran is executing activities to influence the U.S. election. The IC has not changed our assessment on Iran’s intent.”
Kargar said that the video that accompanied some of the emails was reminiscent of a video ostensibly created by an Iranian domestic group after a series of mysterious explosions in the country, and an attack on a nuclear plant. The group took credit for those explosions, which have been publicly attributed to Israel, although Israeli officials have denied the accusation. According to Kargar, the fake Proud Boys' video echoes that Iranian video because it has a similar goal of spreading disinformation.
"They've been throwing everything at the wall to see what sticks and this has by far been one of the most successful of their tricks so far," Kargar concluded, referring to the fake Proud Boys emails and video.
Both Kargar and Rashidi also stressed that the point of this operation was not necessarily to help Trump, or support his unfounded claims of voter fraud. Trump pulled out of the Iran nuclear deal and has ramped up the rhetoric against the regime in the last four years.
"Iran doesn’t want Trump in the office for another term," Kargar said.
The goal of this campaign was likely to undermine the trust in American democracy in the United States, but also to show Iranians that American democracy isn't so great after all, Kargar believes.
The video, which Motherboard obtained on Wednesday, as well as metadata included in some of the servers used to send the spoofed emails, contains clues that show this was a carefully planned operation. Motherboard obtained and analyzed several emails sent to voters, which included the IP addresses of servers used by the senders, some of which were hosted in Estonia, Saudi Arabia, and the UAE.
For example, one of the allegedly hacked servers shows that the hackers used a mailing script to send out the emails. Data publicly accessible on the server shows that the hackers last modified the mailing script on October 1, 2020.
The video's original file title is "ScreenRecorder-2020-10-07_08.48.19.mp4," and the video's metadata also includes that precise date, indicating that may be when the hackers created the clip, a full two weeks before they sent it to voters. Lastly, within the video, the computer terminal shows that hackers were running commands on Oct. 13.
Of course, these dates could be forged, but it would make sense that the hackers took time to stage the operation and then send it out when they thought it could have the most impact in terms of getting media coverage and attention from politicians.
Motherboard also spoke to multiple people whose voter and personal information was included in the video.
"I am very surprised to have learned about this! Wtf yes the info is correct," Kenneth Wales, one of the people, told Motherboard in an email. "Did the Alaska servers get breached or something?" they added, showing some of the confusion that the video was perhaps designed to spread. "I haven’t received any unsolicited emails on this account other than yours—I even checked my spam and found nothing out of the ordinary. One of my older email accounts was compromised before so I know how annoying this is going to be."
“That is pretty crazy. So, if I understand it correctly, they are sending emails to people telling them to vote for Trump and some of the emails contain a video proving that they have personal information?" Micheal Patterson, another of the people whose data is in the video, told Motherboard in an email. "If some fascists want to show up to my house, I feel bad for them. I am a combat veteran and a communist, it wouldn’t go well for them,” he added.
Some commentators have focused on how the threatening emails were sent to people registered as voters of the Democratic party. But the video itself includes the personal information of people with all sorts of affiliations. It contains independents, non-partisans, and Republicans too. It is not immediately clear which party this will help, if any—Democrats are expected to vote by mail in numbers much larger than Republicans, which would seem to help President Trump. Chaos and disinformation also often serves to prevent people from voting at all, which is a well-known tactic used by Republicans.
Regardless, the seeming goal of this operation was not to scare Democrats away from the polls, but to sow distrust, and more importantly, create chaos.
If that was indeed the goal, Iran may consider its mission accomplished.
(Disclosure: Gavin McInnes founded the Proud Boys in 2016. He was also a co-founder of VICE. He left the company in 2008 and has had no involvement since then.)
This story was updated to include a statement from the DNI.
Would you like to read more stories about hacking, privacy, and surveillance? Subscribe to our pop-up 'zine The Mail. The next issue is about hacking culture.