U.S. government says Iran was behind threatening emails sent to Democrats in multiple states, including Alaska

WASHINGTON — U.S. officials on Wednesday night accused Iran of targeting American voters with faked but menacing emails and warned that both Iran and Russia had obtained voter data that could be used to endanger the upcoming election.

The disclosure by Director of National Intelligence John Ratcliffe at a hastily called news conference marked the first time Iran has been accused of targeting specific voters in a bid to undermine democratic confidence - just four years after Russian online operations marred the 2016 presidential vote.

The claim that Iran was behind the email operation, which became news Tuesday as Democrats in several swing states and in Alaska reported receiving emails demanding that they vote for President Donald Trump, came without specific evidence, and other U.S. officials, speaking privately, stressed that Russia still remained the major threat to the 2020 election.

The emails claimed to be from a pro-Trump group called the Proud Boys, but evidence had mounted that they in fact were the work of another, hidden actor. U.S. officials said that was Iran, a nation that increasingly had clashed with the president in recent years.

Officials, however, also stressed that the integrity of the election was intact. “We are not going to tolerate foreign interference in our elections or any criminal activity that threatens the sanctity of your vote or undermines public confidence in the outcome of the election,” said FBI Director Christopher Wray, standing next to Ratcliffe. “When we see indications of foreign interference or federal election crimes, we’re going to aggressively investigate and work with our partners to quickly take appropriate action.”

Ratcliffe said the data “can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy.”

Ratcliffe accused Iran of using the data to send “spoofed emails designed to intimidate voters, incite social unrest and damage President Trump.”

But some U.S. officials were skeptical of Ratcliffe’s assertion that the Iranians were trying to damage the president. Senate Minority Leader Charles Schumer, D-N.Y., who receives classified briefings on foreign election threats, told NBC’s Rachel Maddow: “From the briefing, I had the strong impression it was much rather to undermine confidence in elections and not aimed at any particular figure.”

The emails were engineered by someone working at the behest of the Iranian government, according to a U.S. official who spoke on the condition of anonymity because of the matter’s sensitivity. The operation appeared to exploit a vulnerability in the group’s online network.

The messages advised that the group was “in possession of all your information” and instructed voters to change their party registration and cast their ballots for Trump.

“You will vote for Trump on Election Day or we will come after you,” warned the emails, which by Tuesday night were said to have reached voters in as many as four states, three of them hotly contested swing states in the coming presidential election.

The FBI encouraged Alaskans to report election activity they think is suspicious to the Anchorage field office, at 907-276-4441, or online at tips.fbi.gov.

Analysts said targeting Democratic voters may have been an effort by Iran to prompt complaints about a far-right group associated with Trump. “If it became apparent that the threats were coming from the Trump campaign or his allies, it would reflect poorly on the president himself,” said Ariane Tabatabai, Middle East fellow at the Alliance for Securing Democracy.

John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy, cautioned that divining motive can take time.

“Getting at intent is as hard as understanding the context of people’s minds, and nobody has an easy time of that,” he said.

First divulged on Tuesday by local law enforcement and elections officials in Florida and Alaska, the emails prompted an investigation that quickly escalated to federal authorities, according to U.S. officials.

Ratcliffe confirmed that Iran was also distributing a video “that implies that individuals could cast fraudulent ballots, even from overseas.” The video, which was reviewed by The Washington Post, shows Trump making disparaging comments about mail-in voting, followed by a logo with the name of the Proud Boys. It then documents what was made to appear as a hack of voting data in an effort to produce a fraudulent ballot. The video was also posted on a Twitter account that has since been suspended.

“This video, and any claims about such allegedly fraudulent ballots, are not true,” Ratcliffe said at a Wednesday news conference. “These actions are desperate attempts by desperate adversaries.”

Relations between Tehran and Washington have grown far tenser under the Trump administration, which withdrew from the nuclear deal that Iran reached with the United States and other world powers. The U.S. has applied escalating pressure on Iran through sanctions and other actions, including the targeted killing in January in Iraq of Iran’s most powerful military commander, Qassem Soleimani.

In August, the U.S. intelligence community’s top counterintelligence official, William Evanina, issued an assessment that “Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections.” Its efforts, he wrote, “probably will focus on online influence, such as spreading disinformation on social media and recirculating anti-U.S. content.”

By suggesting the group had gained access to privileged data, and also possibly penetrated electronic systems to detect how people were voting, the emails and video content attributed to Iran seemed designed to create the appearance of an election breach. Such a move may serve to undermine confidence in the integrity of the democratic process without posing a genuine risk to the election, said cybersecurity and disinformation experts.

“In recent years, Iranian information operations have continued to push boundaries using bold and innovative approaches. However, this incident marks a fundamental shift in our understanding of Iran’s willingness to interfere in the democratic process,” said John Hultquist, senior director of analysis for Mandiant Threat Intelligence. “While many of their operations have been focused on promoting propaganda in pursuit of Iran’s interests, this incident is clearly aimed at undermining voter confidence.”

Department of Homeland Security officials warned state and local election administrators on a call Wednesday that a foreign government was responsible for the online barrage, according to U.S. officials and state and local authorities who participated in the call, who all spoke on the condition of anonymity because of the matter’s sensitivity. A DHS official also said authorities had detected holes in state and local election websites and instructed those participating to patch their online services.

Metadata gathered from dozens of the emails pointed to the use of servers in Saudi Arabia, Estonia, Singapore and the United Arab Emirates, according to numerous analysts.

“It’s clearly organized and very much planned,” said Rita Katz, executive director of SITE Intelligence Group.

The domain enlisted for the misleading operation, officialproudboys.com, was recently dropped by a hosting company that uses Google Cloud services, according to Google Cloud spokesman Ted Ladd. Without a secure host, the domain stood vulnerable to exploitation, cybersecurity experts said. Voters using Comcast, Yahoo and Gmail accounts were affected.

In addition to reports from Florida and Alaska, a voter in Pennsylvania told The Washington Post she had received one such email, though she suspected it may have been linked to her previous registration in Alaska. The Pennsylvania attorney general’s office had not received reports about the messages, a spokesman, Mark Shade, said Wednesday.

Kristen Clarke, president and executive director of the national Lawyers' Committee for Civil Rights Under Law, said her organization had received at least one report that a similar email had reached a voter in Arizona. The Arizona secretary of state’s office was looking into the matter, said a spokeswoman, Sophia Solis.

Clarke said her organization, after putting out a call on social media, had received 104 complaints of emails with the same pattern. One research group, Proofpoint, said its analysis showed one of the batches had more than 1,500 emails.

Enrique Tarrio, the chairman of the Proud Boys and the Florida state director of Latinos for Trump, denied involvement, saying the group operates two sites, and was increasingly migrating away from the domain used in the email campaign.

“Two weeks ago, I believe, we had Google Cloud services drop us from their platform, so then we initiated a url transfer, which is still in process,” he said in an interview. “We kind of just never used it.”

Democrats in Alachua County, in north-central Florida, began receiving the threatening messages on Tuesday morning, said a spokesman for the sheriff’s office, Art Forgey. So, too, did voters in Alaska, said Casey Steinau, chair of the Alaska Democratic Party.

Even as the president sows doubt about mail balloting, federal law enforcement officials as well as election administrators have underscored the security of the process, which has been routine in some states for years. They also have warned about possible disinformation designed to create the appearance of fraud or to stoke fears of voter intimidation - which itself threatens to keep voters away from the polls.

Tarrio, determined to beat back the perception of involvement by the Proud Boys, said he had spoken to an FBI agent about the episode. Amanda Videll, a spokeswoman for the bureau in Jacksonville, Fla., declined to comment.

Bennett Ragan, campaign manager for a Democratic State House candidate in Gainesville, Fla., said he received two of the threatening messages on his Gmail account and knows of at least 10 other similar emails that had reached friends or associates. He said the home address cited in the emails he received could have come only from a Florida voters' roll from 2018 because he has moved several times in recent years.

Ragan said he believed the purpose was to intimidate Democratic voters in a swing state with hotly contested races up and down the ballot on Nov. 3.

“When you have people who have a voter roll and then send off emails, they will make a big splash. They will scare people. That is without a doubt the intent,” he said.

The hosting service that previously carried the Proud Boys domain canceled the registration after Google Cloud notified the customer that a nonprofit group had raised concerns about the controversial organization, said Ladd, the Google Cloud spokesman.

Following the action from the hosting service, the domain appears to have been left unsecured, allowing anyone on the Internet to take control of it and use it to send out the menacing messages, said Trevor Davis, CEO of CounterAction, a Washington-based digital intelligence firm.

The lapse, which began on Oct. 8, “likely made them vulnerable to this kind of hijacking,” Davis said. “Bad actors are constantly scanning the Internet for opportunities. Given the public profile of the Proud Boys and the likelihood that whoever’s sending these emails has access to a voter file, this appears to be opportunism.”

An Internet Protocol (IP) address associated with metadata in at least one email had previously been reported, pointing to its likely use in scam or phishing operations, said Cindy Otis, a former CIA analyst and vice president of analysis for Alethea Group, an organization combating online threats and misinformation.

The Proud Boys rose to national prominence last month during the first presidential debate between Trump and his Democratic rival, Joe Biden, when the president passed up an invitation by moderator Chris Wallace, of Fox News, to denounce White supremacists. When Biden suggested that Trump denounce the Proud Boys, he said they should “stand back and stand by” - a comment that was widely celebrated on social media by the group as a call to action.

Memes circulated online with the words integrated into the Proud Boys logo. One doctored image showed Trump wearing one of the Proud Boys' signature polo shirts. Another online poster used the moment to advertise T-shirts and hoodies bearing the group’s logo and the words “PROUD BOYS STANDING BY.”

The group’s leaders say they do not support White supremacy, but they had a contingent at 2017’s notorious Unite the Right rally in Charlottesville. The Proud Boys also have been frequent participants in the protests demonstrating against coronavirus shutdowns and, more recently, the protests in Portland, Ore. Facebook has banned the group as a hate group, and the Southern Poverty Law Center classifies it as a hate group and says its leaders “regularly spout white nationalist memes and maintain affiliations with known extremists.”
