One day after top U.S. officials said Iran and Russiasome voter registration data, which Iran then used to send a recent spate of threatening emails to voters, officials in three states targeted in the email scheme say their voter databases have not been compromised.
Hundreds of Democratic voters in Florida, Alaska and Arizona received threatening emails Tuesday and Wednesday claiming to have come from the far-right group The Proud Boys, which has been designated a hate group by the Southern Poverty Law Center, a civil rights advocacy group.
The emails, which were routed through servers in Saudi Arabia, the United Arab Emirates, Estonia and Moldova to obscure their origin, included threats to "come after" voters unless they voted for President Trump. Some of the emails included the recipients' home addresses and other personal information. Others included a link to a video showing a computer user appearing to access voters' registration information to fraudulently complete absentee ballots used by Americans overseas.
Director of National Intelligence John Ratcliffe said Wednesday that Iran had sent spoof emails "designed to intimidate voters, incite social unrest, and damage President Trump." He did not directly reference the emails spoofing Proud Boys accounts.
While Ratcliffe confirmed Iran and Russia had obtained voter registration information, he did not elaborate on how the two nations were able to acquire the data, raising questions as to whether systems had been breached or if the information was compiled through publicly available means.
"This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy," Ratcliffe said.
On Thursday, the FBI and Cybersecurity and Infrastructure Agency (CISA) issued a joint advisory stating that Russia had targeted the networks of dozens of state, local and tribal governments since late September, and successfully stole data from at least two of them as of October 1. The agencies warned that some of the networks might house election-related data, but said there is "no evidence to date that integrity of elections data has been compromised."
Officials from elections offices in the three states targeted by the spoofed Proud Boys emails told CBS News there have been no breaches to their voter rolls. Varying degrees of voter registration information is considered public record in all three states.
Mark Ard, a spokesperson for the Florida Department of State, said the emails had targeted voters in multiple counties but there "has been no breach to Florida's Voter Registration database." Gail Fenumiai, Alaska's director of the Division of Elections, said the office "has no evidence from the FBI that the state's voter registration systems have been compromised." Sophia Solis, a spokeswoman for the Arizona Department of State, said Arizona's voter database "is secure and not affected by incidents reported nationally."
Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, an email security company that analyzes billions of emails a day, said the company identified 3,000 emails sent to corporate and organizational clients as it researched the campaign. DeGrippo said the messages were primarily sent on Tuesday and Wednesday, and revealed that Proofpoint found some of the emails had been routed through servers in Moldova, a detail that was not previously known.
DeGrippo said "a large percentage of these emails were sent to .edu addresses," a detail she said is in line with previous Iranian state-sponsored activities.
"Iran is obsessed with higher education and getting access into higher education institutions. They do campaigns constantly, and they have been doing them against higher education in a concerted effort for probably two years," DeGrippo said, citing the so-called "Silent Librarian" campaign that targeted hundreds of universities. A spokesman for the University of Florida told CBS News on Tuesday that the emails were sent to 183 accounts on the university's network.
She said the use of email for voter intimidation, and the scale of the campaign, was unusual for a state-sponsored operation.
"A hundred is considered very big for a state-sponsored actor. A hundred emails out of a state-sponsored actor is crazy, but the difference here is that this is not [a malware] threat. This is social engineering and disinformation," DeGrippo said. "They're not spreading malware with this. They're … trying to get people to take a physical action of some kind out in the world and trying to intimidate."
A spokesperson for Google told CBS News that 25,000 of the emails were sent to Gmail users, and 90% were blocked by the service's automated spam filter. The company said it referred the matter to the FBI.
Iran denied targeting American voters. Alireza Miryousefi, a spokesperson for the Iranian mission to the United Nations, tweeted Wednesday that "Iran does not interfere in other country's elections. The world has been witnessing US' own desperate public attempts to question the outcome of its own elections at the highest level."
Dmitri Alperovitch, the co-founder and former chief technology officer of the cybersecurity company CrowdStrike, told CBS News most voter registration information is public and available online, and added that he has seen no evidence that voter registration databases were compromised.
"My personal sense is that the emails were much more about lashing out at America, trying to influence our election process and have people lose confidence in that process, rather than being about specific candidates," he said.
Alperovitch, now the chairman of the Silverado Policy Accelerator, called the speed with which the intelligence community publicly attributed the email campaign to Iran "unprecedented."
Proud Boys leader Enrique Tarrio said Wednesday that the intelligence community's determination that Iran was behind the campaign left him feeling exposed.
"This is just another news story, a cyberattack, but when this dust settles, the people who are in danger are going to be me and my guys, you know, nobody's going to provide security for us," Tarrio said.
Nina Jankowicz, a disinformation expert at The Wilson Center, said the direct-emailing effort is the first she has seen from any adversary and said it indicates Iran is "stepping up its game." Such campaigns from foreign actors like Russia and Iran, she said, are aimed at destabilizing the U.S. without expending many resources.
"I don't think any disinformation actor is getting into this game thinking they're actually going to change votes," she said. "Chaos and division in America is much more valuable to them in many ways."
The U.S. intelligence community and national security officials have warned that Russia, China and Iran would attempt to use cyber capabilities or foreign influence to interfere in the 2020 presidential election, including by using disinformation to sow chaos and division among U.S. voters.
This month, the Department of Homeland Security warned in a homeland threat assessment Iran would continue "to use online influence operations to increase societal tensions in the" U.S.
"Tehran most likely considers the current U.S. administration a threat to the regime's stability," the department warned. "Iran's critical messaging of the U.S. president almost certainly will continue throughout 2020."
The intelligence community has also made a series of disclosures to the American public about foreign threats to the election, as well as steps voters can take to mitigate those threats.
In August, National Counterintelligence and Security Center Director Bill Evanina detailed the candidate preferences of foreign actors, with Russia trying to "denigrate" Joe Biden and China preferring Mr. Trump wins reelection. Iran, he said, "seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections."
"Iran's efforts along these lines probably will focus on online influence, such as spreading disinformation on social media and recirculating anti-U.S. content," he said. "Tehran's motivation to conduct such activities is, in part, driven by a perception that President Trump's reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change."
CISA also this week rolled out a "rumor control" web page designed to educate voters about potential areas of disinformation, and Chris Krebs, the agency's director, urged voters on Twitter on Thursday to remember "your vote is secure and we're on watch."
"The American voter is the last line of defense in election security," he tweeted. "Keep calm and vote on."