Iranian hand behind fake Proud Boy U.S. election emails: sources

By Christopher Bing and Jack Stubbs

Government analysts and private sector investigators were able to rapidly attribute to Iranian hackers a wave of thousands of threatening emails aimed at U.S. voters because of mistakes made in a video attached to some of the messages, according to four people familiar with the matter.

Those failures provided a rare opportunity for the U.S. government to identify and publicly announce blame for a malicious cyber operation in a matter of days, something that usually requires months of technical analysis and supporting intelligence.

"Either they made a dumb mistake or wanted to get caught," said a senior U.S. government official, who asked not to be identified. "We are not concerned about this activity being some kind of false flag due to other supporting evidence. This was Iran."

Attribution to Iranian hackers does not necessarily mean a group is working at the behest of the government there. Iranian officials denied the U.S. allegations.

“These accusations are nothing more than another scenario to undermine voter confidence in the security of the U.S. election, and are absurd,” said Alireza Miryousefi, spokesman for Iran’s mission to the United Nations in New York.

On Wednesday, U.S. Director of National Intelligence John Ratcliffe said Russia and Iran have both tried to interfere in the campaign for the Nov 3 election. U.S. intelligence agencies are still analyzing exactly who in Iran commanded the operation and its intent, three of the sources said.

Within hours of the video being circulated this week, which purported to come from an American far-right group known as The Proud Boys, intelligence officials and major email platform providers, such as Alphabet Inc's Google and Microsoft Corp, began closely analyzing computer code that appeared in the hackers' video.

While the emails, which demanded that voters change their party affiliation to the Republican Party and vote for President Donald Trump or “we will come after you,” appeared to come from info, the address was inauthentic, security analysts said. The Proud Boys denied they were behind the messages.

How security analysts used intelligence from the video to attribute the email scheme has not been previously reported.

A Microsoft spokesperson declined to comment on the company's collaboration with law enforcement. A Google statement on Wednesday night said the activity was "linked to Iran." A Google spokesperson said on Thursday the company was in contact with the FBI.

The hackers were unable to obfuscate all of the incriminating information despite their attempts to blur aspects of the video to hide their identity, the sources said.

The video showed the hackers' computer screen as they typed in commands to purportedly hack a voter registration system. Investigators noticed snippets of revealing computer code, including file paths, file names and an internet protocol (IP) address.

Security analysts found that the IP address, hosted through an online service called Worldstream, traced back to previous Iranian hacking activity, the sources said.

Analysts then cross-referenced those clues left in the video with data from other intelligence streams, including communications interceptions, the government official said.

“This public disclosure of attribution to Iran by the government has been done with breakneck speed, compared to the usual process that takes months and often years,” said Dmitri Alperovitch, a co-founder of cybersecurity company CrowdStrike.

Earlier this week, the U.S. Justice Department blamed Russia for a host of malicious cyberattacks, some dating back to 2015.

Two cybersecurity experts, who spoke on condition of anonymity, independently said they had seen Iranian hackers use infrastructure from Dutch-based Worldstream to launch cyberattacks in recent months.

Worldstream’s chief legal operations officer Wouter van Zwieten said in a statement that the account associated with the IP in question was suspended after Reuters got in touch and that the Dutch National Cyber Security Center was looking into the matter.

“They’ve just informed us that the particular IP address is now officially registered by them and ready for investigation under Dutch Law,” van Zwieten said. The National Cyber Security Center confirmed that Worldstream had been in touch and that it had logged the case but didn't comment further.

Van Zwieten said the server used by the hackers was only commissioned on Oct. 6 and had not drawn any complaints until now. The company said it had no access to the content on its servers.

In addition to sending thousands of emails to voters in states including Florida, the hackers also attempted to share links to the video via fake accounts on Facebook and Twitter.

"We disrupted an attempt by a single fake account to seed information related to what appears to be an influence operation primarily focused on spreading false claims via email," Facebook said in a statement.

A Twitter spokeswoman said: "We acted quickly to proactively and permanently suspend a small number of accounts and limit the sharing of media specific to this coordinated campaign."

© Thomson Reuters 2020.

©2020 GPlusMedia Inc.


U.S. Director of National Intelligence John Ratcliffe said Russia and Iran have both tried to interfere in the campaign for the Nov 3 election

Ratcliffe says Russia continues to interfere in US elections?

Ratcliffe is a Trump appointee.

Waiting for the Republican Rapid Response team members and others in the pro-Trump, pro-authoritarian, anti-democracy, pro-Putin crowd to once again say Russian meddling's been 'debunked', give their usual 'muh Russia' response.

5 ( +5 / -0 )

So...was this an effort to help Trump, or work against him?

1 ( +2 / -1 )

Work against him of course.

so that media could claim Trump was involved with threatening Dem voters.

yet it was Iran, likely with John Kerry.

-7 ( +1 / -8 )

yet it was Iran

Iran is Russia's partner.

6 ( +6 / -0 )

Hackers, stand back and stand by.

5 ( +5 / -0 )

Iran is Russia's partner.

And vice versa because of a mutual hatred of Sunni Muslims.

5 ( +5 / -0 )

Whether it's Putin, Xi, Kim, or the Mullahs, it looks like every dictator and tyrant in the world is sending their troll army to support Trump....

Now that's admiration....

Of course, Trump would counter and say Biden has the Area 51 Aliens, Bigfoot, and Elvis on his side...

5 ( +5 / -0 )

Like the claims that the World Trade Center towers were brought down by explosives, the claims these emails were the work of Iran are backed by things that can be called evidence if you don't look at what actually happened. Indeed, even flat earthers have 'evidence' they'll cite.

But people can see past that 'evidence' to the truth if you bother to.

And the simple truth is that nobody outside America thinks they can move Americans to distrust Americans more than they do thanks to people inside America's political parties insisting that the other side can only win if they cheat, while offering only the option of voting for candidates they don't want to elect.

-4 ( +0 / -4 )

senior U.S. government official, who asked not to be identified.

Aren’t officials paid by taxpayers? Why can’t they be identified?

Whether this story is true or not, the fact that a bunch of hillbillies could make a video, let alone know how to hack, is like saying America really walked on the moon.

-6 ( +0 / -6 )

Iranian hand behind fake Proud Boy U.S. election emails: sources

Dems lapping up the Iranians attacks on America’s election.

-5 ( +0 / -5 )

This guy isn't Iranian.

Secret Service investigators and federal prosecutors say James Dale Reed left a handwritten letter on the doorstep of a Frederick residence, threatening to “severely beat” Biden and rape Harris “by my rifle barrel” before executing both candidates on national television. The letter, delivered Oct. 4 about 4:30 a.m., also warned supporters of the Biden-Harris campaign that they would be targeted, according to a federal criminal complaint. “We have a list of homes and addresses by your election signs,” read a letter included in the complaint. “We are the ones with those scary guns."

4 ( +4 / -0 )

yet it was Iran, likely with John Kerry.

All looks a bit too handy, seeing as the hackers were caught so easily. Hard to tell.

What's Kerry got to do with it?

1 ( +2 / -1 )
