Malicious Emails Surged for Election Workers in 2 Battleground States Ahead of Primaries

County election workers in Arizona and Pennsylvania experienced a surge in malicious emails ahead of the states’ primaries earlier this year, according to research shared on Wednesday by the cybersecurity firm Trellix.

In a blog post outlining their findings, Trellix security researchers said they focused their examination on county election workers “given these election authorities are relatively the least sophisticated actors in terms of cybersecurity postures, but the most critical in actual electoral engagement with voters.” The data, collected by the Trellix Advanced Research Center and the firm’s network of threat sensors, found that county election workers in the battleground states of Arizona and Pennsylvania saw an increase in malicious emails “coinciding with these states’ primary elections.”

Trellix reported a spike in malicious activity, ahead of Arizona’s Aug. 2 primary elections, noting that the number of detected phishing scams targeting county election workers in the state more than tripled from 617 in the first quarter of 2022 to 2,246 by the end of the third quarter. 

The firm’s security researchers also noted a similar escalation in the number of malicious emails targeting county election workers in Pennsylvania, ahead of the state’s May 17 primaries. The number of detected malicious emails rose substantially as the primary approached, increasing from 1,168 in the fourth quarter of 2021 to 7,555 by the end of the second quarter of 2022. 

Trillix identified examples of two malicious email campaigns targeting county election workers, including “a familiar password theft phishing scheme, as well as a newer phishing scheme seeking to prey on the absentee ballot administration process.”

In the password phishing example, officials received emails claiming that their email passwords were about to expire in an attempt “to lure election workers to a bogus administrative webpage where they are prompted to enter their current username and password login credentials.” As Trellix noted in the report, the password phishing scheme is similar to the one that compromised the Gmail account of John Podesta, the chair of Hillary Clinton’s 2016 presidential campaign, and led to the release of thousands of pages of emails to WikiLeaks. 

The second phishing scheme that Trellix identified during its research involved bad actors using “either a compromised email thread or forged email thread dating back to 2018” between a county election worker and a government contractor who distributed and collected absentee ballot applications. The most recent email in the thread—dated February 24, 2022 in one screenshot example shared by Trellix—attempted to get the county election worker to download “required monthly receipts” from a Microsoft OneDrive link, which security researchers found was “poisoned with malware capable of infecting the election employee's system and perhaps gaining access to other systems across his organization’s networks.”

“Ultimately, this phishing scheme plays on the election worker’s professional and moral commitment to help a trusted contractor struggling to register people to vote,” the report said. “It relies on the election officials’ willingness to perhaps step outside an established submission process and click on the attacker’s poisonous link to access the voter applications.”

Patrick Flynn, the head of Trellix’s advanced programs group and one of the blog’s authors, told Nextgov that the actors behind these phishing attempts “are going after not so much the technology, but people’s complacency.” He added that the primary surge of malicious activity indicates that bad actors will also likely increase these types of phishing attacks in the weeks leading up to the midterm elections, necessitating increased vigilance on the part of state and county election administrators. 

“I think everybody should be confident in our voting system, but at the same time these folks are still going to try,” Flynn said, adding that “there have been attempts, but there’s been no indication of compromise whatsoever.” 

Flynn said that Trellix is still internally analyzing the malicious emails to determine their origin, but said he feels it’s “more than likely it’s foreign adversaries” who are behind the attempts. 

The Associated Press previously reported that an unclassified intelligence advisory sent to state and local officials in September warned that the Chinese government is likely looking to influence some races to “hinder candidates perceived to be particularly adversarial to Beijing,” even as Russian state actors continue to amplify mis- and disinformation about U.S. elections. These foreign influence operations come as domestic actors who doubt the validity of the 2020 presidential election continue to spread misinformation about the voting process and have, in some instances, threatened physical violence against election officials and administrators. 

The Cybersecurity and Infrastructure Security Agency and the FBI previously released an Oct. 4-dated joint public service announcement that outlined the security controls in place to protect election infrastructure. The announcement noted that “as of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast or affected the accuracy of voter registration information.”

A follow-up PSA from the two agencies, released on Oct. 6, noted that foreign actors are likely to use information manipulation tactics to undermine confidence in the midterm elections, including “circulating or amplifying reports of real or alleged malicious cyber activity on election infrastructure.” The joint CISA-FBI announcement noted again, however, that there is no information to suggest that these cyber activities have impacted the accuracy of the voting process.