WASHINGTON — Iran and Russia have both obtained American voter registration data, top national security officials announced late Wednesday, providing the first concrete evidence that the countries are stepping in to try to influence the presidential election as it enters its final two weeks.
Iran used the information to send threatening, faked emails to voters, said John Ratcliffe, the director of national intelligence, and Christopher Wray, the FBI director, in an evening announcement from the bureau’s headquarters. Intelligence agencies had collected information that Iran planned to take more steps to influence the vote in coming days, prompting the unusual timing of the briefing as an effort to deter further action by Tehran.
There was no indication that any election result tallies were changed or that information about who is registered to vote was altered, either of which could affect the outcome of voting that has already begun across the United States. The officials also did not claim that either nation hacked into voter registration systems — leaving open the possibility that the data was available to anyone who knew where to look.
The voter data obtained by Iran and Russia was mostly public, according to one intelligence official, and Iran was exploiting it as a political campaign might. Voters’ names, party registrations and some contact information are publicly available. That information may have been merged with other identifying material, like email addresses, obtained from other databases, according to intelligence officials, including some sold by criminal hacking networks on the dark web.
“This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy,” Ratcliffe said.
The Trump administration’s announcement that a foreign adversary, Iran, had tried to influence the election by sending intimidating emails was both a stark warning and a reminder of how other powers can exploit the vulnerabilities exposed by the Russian interference in 2016. But it may also play into President Donald Trump’s hands. For weeks, he has argued, without evidence, that the vote on Nov. 3 will be “rigged,” that mail-in ballots will lead to widespread fraud and that the only way he can be defeated is if his opponents cheat.
Now, on the eve of the final debate, he has evidence of foreign influence campaigns designed to hurt his reelection chances, even if they did not affect the voting infrastructure.
Some of the spoofed emails, sent to Democratic voters, purported to be from pro-Trump far-right groups, including the Proud Boys. Iranian hackers tried to cover their tracks, intelligence and security officials said, first routing the emails through a compromised Saudi insurance company network. Later, they sent more than 1,500 emails using the website of an Estonian textbook company, according to an analysis by researchers at Proofpoint, a cybersecurity firm.
Until now, some officials had insisted that Russia remains the primary threat to the election. But the new information, both Republican and Democratic officials said, demonstrates that Iran is building upon Russian techniques and trying to make clear that it, too, is capable of being a force in the election.
Since August, intelligence officials have warned that Iran opposed Trump’s reelection, hardly a surprise after he exited the Iran nuclear deal more than two years ago and reimposed crushing economic sanctions on the country. The officials said Iran did not intend to deter voters but rather to hurt Trump and mobilize support for Joe Biden, the Democratic nominee, by angering voters about the president’s apparent embrace of the Proud Boys in the first debate.
Biden has indicated that he would re-enter the nuclear deal and lift many of those sanctions as long as Iran first returns to obeying the limits on its nuclear program that it agreed to five years ago.
Iran sharply denied the accusations, suggesting they were fabricated and calling them an attempt by the U.S. government to undermine its own voters’ confidence in the election.
“Unlike the U.S., Iran does not interfere in other countries’ elections,” Alireza Miryousefi, the spokesman for the Iranian Mission to the United Nations, said in an apparent reference to the CIA’s efforts to depose an Iranian leader in the 1950s.
“Iran has no interest in interfering in the U.S. election and no preference for the outcome,” he added.
But U.S. officials have insisted that Iran has been considering how to influence the election for months. At one time, officials thought that the country’s military and clerical leaders could try to interrupt oil markets or mount some sort of attack in the Middle East intended to hurt Trump. Tehran pulled back from those plans, and Wednesday’s announcement suggested that instead it was following a playbook closer to Russia’s — and one less likely to provoke an American military response.
The fact that Iran — which has stepped up its cyberabilities drastically over the past decade, after its nuclear program was attacked with American and Israeli cyberweapons — was involved demonstrates how fast other nations have learned from Russia’s influence operations in 2016.
“We are under attack, and we are going to be up to Nov. 3 and probably beyond,” said Sen. Angus King, I-Maine, who sits on the Senate Intelligence Committee. “Both the American people have to be skeptical and thoughtful about information they receive, and certainly election officials have to be doubly cautious now that we know again they are targets.”
Ratcliffe has drawn criticism for embracing Trump’s political agenda from what is typically an apolitical post, while Wray has repeatedly been the target of the president’s ire over his refusal to do so, according to people briefed on the president’s private conversations. Trump has discussed firing the FBI director after the election, the people said.
Intelligence officials briefed Senate leaders Wednesday, including Sen. Chuck Schumer of New York, the Democratic leader; Sen. Marco Rubio, R-Fla., the chairperson of the Intelligence Committee; and Sen. Mark Warner of Virginia, the panel’s top Democrat. Rubio and Warner urged the intelligence agencies to release more information about the threat, but officials said they had to limit what information they made public, according to people briefed on the meeting.
Later, on “The Rachel Maddow Show” on MSNBC, Schumer said the intelligence officials did not tell him that the Iranian activity was meant to hurt the Trump campaign. “From the briefing, I had the strong impression it was much rather to undermine confidence in elections and not aimed at any particular figure,” he said.
Officials have been warning for months about the risk of what are known as perception hacks: efforts to use a mix of easily accessible data to create the impression among voters that foreign powers are actually inside voting infrastructure. That perception alone, officials said, could shake confidence in the integrity of the vote — exactly what Russia has been seeking to do since its interference in 2016, when it scanned the contents of many state election systems and penetrated a few, including Arizona and Illinois, even if it did not change any votes.
“This may be the beginning of a more concerted operation,” King said. “They don’t have to do anything; they just have to make people think they are doing something.”
Iran has tinkered at the edges of U.S. election interference since 2012, but always as a minor actor. Last year, it stepped up its game, private cybersecurity firms have warned. They have caught Iranian operatives occasionally impersonating politicians and journalists around the world, often to spread narratives that are aimed at denigrating Israel or Saudi Arabia, its two major adversaries in the Middle East.
“But they have gone from propaganda to deliberate interference in this election,” John Hultquist, the senior director of FireEye, a Silicon Valley security firm, said after Wednesday’s announcement.
“Their focus here is to prey on existing fears that election infrastructure will be subverted and hacked, as well as fears of voter intimidation,” he said.
Iran may not have had to hack the data it used for the emails; instead it simply may have bought the information. In recent days, Trustwave, a cybersecurity firm, discovered voter databases for sale on the dark web and alerted the FBI. The databases would be “highly desirable to U.S. adversaries,” said Mark Whitehead, a global vice president at the firm. Hackers, he said, are merging public information with material stolen in data breaches and selling the result.
“The consumer and voter databases that we discovered hackers are currently selling significantly lowers the barrier to entry for nation-states to execute sophisticated phishing, disinformation and intimidation campaigns,” Whitehead said.
Ratcliffe and Wray said little about Russia, but until the wave of fake emails, Moscow had been the No. 1 concern of the National Security Agency, the U.S. Cyber Command and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which has responsibility for helping states secure their voting systems.
Two weeks ago, Cyber Command, a part of the military, helped paralyze a complex network developed by Russian-speaking hackers and used in ransomware attacks on cities and towns across the United States, as well as on many companies. Microsoft led a team of firms doing the same, armed with court orders that enabled them to take down the command-and-control servers used to distribute the tools, which are called TrickBot. The move was made to disrupt the system so that it could not be used to lock up voter registration systems.
In recent days, another Russian hacking group called Energetic Bear, often linked to the FSB — one of the successors to the Soviet Union’s KGB — appears to have focused its attentions on gaining access to state and local government networks. That has caught the attention of federal investigators because, until now, the group had largely targeted energy firms, including public utilities.
But there is no evidence that the hackers have directly attacked any election infrastructure. The fear among cybersecurity experts is that once inside local government networks, they could try to move laterally, into voter registration databases.
There is no evidence they have tried to do that, but officials said that kind of move would come only in the last days of the election campaign, if at all.
Iran’s efforts appear to focus on voter intimidation and disinformation. Some spoofed emails sent to voters contained links to a false and deceptive video that tried to scare voters into believing the senders were also capable of manipulating the mail-in vote process, playing on fears that Trump has fanned with his insistence that mail-in ballots are subject to fraud.
Although the link was not widely shared on social media, a few users did post it to Twitter. Twitter said in a statement Wednesday night that it had moved “quickly to proactively and permanently suspend a small number of accounts and limit the sharing of media” in the Iran-led campaign, but it gave no specifics.
Twitter said that the link to the video never gained traction on the platform or reached a widespread audience, though its investigation is still open.