US election workers slammed with phishing, malware-stuffed emails

Election workers in US battleground states have been hit by a surge in phishing and malware-laced emails in the run up to their primaries and the upcoming 2022 midterm elections.

That's according to Trellix security researchers, who said malicious emails sent to Arizona county election workers rose 78 percent, from 617 to 1,101, between the first and second quarter of the year, ahead of the state's August 2 primary. Those emails continued ramping, jumping 104 percent to 2,246 messages, by the third quarter of 2022.

In Pennsylvania, Trellix said it detected 1,168 malicious emails targeting county election workers in Q4 of 2021 and 4,460 in the first quarter of 2022 — a 282 percent spike. By the end of the second quarter of this year, the number grew another 69 percent to 7,555. 

Pennsylvania held its primary election on May 17.

County-level workers managing election infrastructure are assumed to be "relatively the least sophisticated" of election organizers when it comes to cybersecurity defenses, hence the need to take a look at the threats and risks they face today, Team Trellix argued.

The security outfit said it has found no evidence of compromised election systems in any US state or county, and it has not yet attributed the phishing emails to a particular cybercrime gang or nation state. 

"Our investigations into 2022 election-related cyber activity are ongoing and we will make more information available when possible,"  Trellix's Patrick Flynn, Fred House, and Rohan Shah said Wednesday.

However, the increase in cyberthreats against county election authorities coincides with a rise in physical threats and harassment against state and county workers as the November midterm elections draw closer.

"Our findings suggest the continuing effort to educate frontline election workers on phishing and other cyberthreats in the digital realm could be as important as security measures required to protect them in the physical realm in 2022 and beyond," the Trellix trio wrote.

The phishing schemes had two goals: stealing election worker credentials or delivering malware, which could allow access to other systems across the network.

Credential crooks

Let's start with the credential-stealing phishes because, as John Podesta can attest to, falling victim to a phishing attack that compromises your email while in a pivotal political role rarely ends well.

According to Trellix, miscreants crafted and sent out phony password expiration alerts to trick election workers into clicking on a malicious link that took them to a website masquerading as an account administration page. Once they're on the bogus webpage, election workers are prompted to enter their work usernames and passwords and then change their passwords, if they want.

The attacker thus has the login credentials and can use them to access whatever election documents or voter records, depending on a particular election worker's access levels.  

"The attacker could send voters incorrect election process information to mislead them into invalidating their votes or create confusion in the lead up to election day that undermines their confidence in the process," the researchers warned.

The login name and passwords could also be used to "identify other officials via organizational contact lists and use them to target individuals who might have higher level access to more critical election and voting tabulation processes."

And if that is all too much trouble, they could always sell the stolen credentials on dark web forums — Russian, Chinese, and Iranian nation-state backed gangs looking to target US midterms may want to bid on that info, if they don't already have it.

Zero trust (in attached files)

A second phishing scam the security shop observed used a trusted email thread — either a compromised message or a forged one — between an election worker and government contractor tasked with distributing absentee ballot applications.

Because the email appears to come from a trusted source, the election worker will be more likely to click on a malicious link or download a malware-laden file. Or at least this is the intended outcome.

Luckily, the scam email was blocked after sensors detected a malicious Microsoft malware download, the security firm said. 

"Ultimately, this phishing scheme plays on the election worker's professional and moral commitment to help a trusted contractor struggling to register people to vote," the Trellix team noted. "It relies on the election officials' willingness to perhaps step outside an established submission process and click on the attacker's poisonous link to access the voter applications."

FBI, CISA weigh in

Trellix's latest research comes just days after two joint alerts from the FBI and Homeland Security's CISA warned of phishing emails targeting election workers [PDF] and said foreign agents will likely try to spread disinformation in the lead up to and after the midterms. 

"As with previous election cycles, foreign actors continue to knowingly spread false narratives about election infrastructure to promote social discord and distrust in US democratic processes and institutions, and may include attempts to incite violence," the Feds noted [PDF].

CISA also provided a free toolkit to state and local election officials that aims to improve their security posture and help them educate their employees and volunteers on how to avoid falling victim to phishing campaigns.

• Foreign spies hijacking US mid-terms? FBI, CISA are cool as cucumbers about it
• Meta busts first Chinese campaign prodding US midterms
• Mandiant 'highly confident' foreign cyberspies will target US midterm elections
• Google, YouTube ban election trolls ahead of US midterms

Trellix, for its part, suggests election workers — and everyone, really — should be on high alert for emails with "urgent calls to action," such as password changes.

As we saw with the recent Oktapus cybercrime spree, these are especially effective at stealing credentials and rarely legitimate.

Also, check the sender's email address and make sure the email domain actually belongs to the sender's organization. And, as always, don't trust files or links from unknown sources.

"The election worker should also be wary of anyone sending mysterious download or website links that really are not necessary given that completed applications can be sent via email or uploaded through the administrators' established websites," the researchers noted.

"Any effort to suggest workers should step out of the established processes to use a download link or go to a random web page should be questioned." ®