U.S. government concludes Iran was behind threatening emails sent to Democrats
The claim that Iran was behind the email operation, which came into view on Tuesday as Democrats in several states reported receiving emails demanding they vote for President Trump, was leveled without specific evidence. Other U.S. officials, speaking privately, stressed that Russia still remained the major threat to the 2020 election.
On Thursday, Iran summoned the Swiss envoy in Tehran, which handles U.S. affairs there, to condemn the “baseless accusations of meddling in the U.S. election.” Hours after Ratcliffe’s announcement, the spokesman for Iran’s mission at the United Nations also described the allegations as “absurd.”
“These accusations are nothing more than another scenario to undermine voter confidence, & are absurd. Iran has no interest in interfering in the U.S. election & no preference for the outcome,” tweeted Alireza Miryousefi.
The emails claimed to be from a pro-Trump group called the Proud Boys, but evidence had mounted that they in fact were the work of another, hidden actor. U.S. officials said that was Iran, a nation that increasingly has clashed with the president in recent years.
However, officials also stressed that the integrity of the election was intact. “We are not going to tolerate foreign interference in our elections or any criminal activity that threatens the sanctity of your vote or undermines public confidence in the outcome of the election,” said FBI Director Christopher A. Wray, standing next to Ratcliffe. “When we see indications of foreign interference or federal election crimes, we’re going to aggressively investigate and work with our partners to quickly take appropriate action.”
Ratcliffe said the voter data, some of which is public and some of which is commercially available, “can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy.”
Ratcliffe accused Iran of using the data to send “spoofed emails designed to intimidate voters, incite social unrest and damage President Trump.”
But some officials were skeptical of Ratcliffe’s assertion that the Iranians were trying to damage the president. Senate Minority Leader Charles E. Schumer (D-N.Y.), who receives classified briefings on foreign election threats, told NBC’s Rachel Maddow: “From the briefing, I had the strong impression it was much rather to undermine confidence in elections and not aimed at any particular figure.”
The emails were engineered by someone working at the behest of the Iranian government, according to a U.S. official who spoke on the condition of anonymity because of the matter’s sensitivity. The operation appeared to exploit a vulnerability in the Proud Boys’ online network.
The messages advised that the group was “in possession of all your information” and instructed voters to change their party registration and cast their ballots for Trump.
“You will vote for Trump on Election Day or we will come after you,” warned the emails, which by Tuesday night were said to have reached voters in as many as four states, three of them hotly contested swing states in the coming presidential election.
U.S. officials said privately that the operation was not terribly sophisticated and was disclosed before it could have any major impact. Cybersecurity researchers said little about the operation revealed a capacity for large-scale deception.
First divulged Tuesday by local law enforcement and elections officials in Florida and Alaska, the emails prompted an investigation that quickly escalated to federal authorities, according to U.S. officials. And by Wednesday evening, officials had laid the blame on Iran — the fastest-ever public disclosure of such intelligence by the United States.
In 2016, it took months for the Obama administration to publicly point the finger at Moscow for the hacks and leaks of Democratic emails, despite the intelligence community having determined Russian culpability early on.
Ratcliffe confirmed that Iran was also distributing a video “that implies that individuals could cast fraudulent ballots, even from overseas.” The video, which was reviewed by The Washington Post, shows Trump making disparaging comments about mail-in voting, followed by a logo with the name of the Proud Boys. It then documents what was made to appear as a hack of voting data in an effort to produce a fraudulent ballot. The video was also posted on a Twitter account that has since been suspended.
“This video, and any claims about such allegedly fraudulent ballots, are not true,” Ratcliffe said. “These actions are desperate attempts by desperate adversaries.”
Relations between Tehran and Washington have grown far more tense under the Trump administration, which withdrew from the nuclear deal that Iran reached with the United States and other world powers. The United States has applied escalating pressure on Iran through sanctions and other actions, including the targeted killing in January in Iraq of Iran’s most powerful military commander, Qasem Soleimani.
“It is clear that Iran has an interest in this election because of the administration’s ‘maximum pressure’ campaign,” said Ariane Tabatabai, Middle East Fellow at the Alliance for Securing Democracy. She said it also has a broader objective, similar to that of Russia, “which is to fundamentally undermine trust in democratic institutions and the election, because discrediting democracy allows Iran to show to its own domestic population, for which it hasn’t been able to deliver, that their democratic ambitions are not worth pursuing.”
In August, the U.S. intelligence community’s top counterintelligence official, William Evanina, issued an assessment that “Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections.” Its efforts, he wrote, “probably will focus on online influence, such as spreading disinformation on social media and recirculating anti-U.S. content.”
By suggesting that the group had gained access to privileged data, and also possibly penetrated electronic systems to detect how people were voting, the emails and video content attributed to Iran seemed designed to create the appearance of an election breach. Such a move may serve to undermine confidence in the integrity of the democratic process without posing a genuine risk to the election, said cybersecurity experts.
“In recent years, Iranian information operations have continued to push boundaries using bold and innovative approaches. However, this incident marks a fundamental shift in our understanding of Iran’s willingness to interfere in the democratic process,” said John Hultquist, senior director of analysis for Mandiant Threat Intelligence. “While many of their operations have been focused on promoting propaganda in pursuit of Iran’s interests, this incident is clearly aimed at undermining voter confidence.”
Department of Homeland Security officials warned state and local election administrators on a call Wednesday that a foreign government was responsible for the online barrage, according to U.S. officials and state and local authorities who participated in the call. A DHS official also said authorities had detected holes in state and local election websites and instructed those participating to patch their online services.
Metadata gathered from dozens of the emails pointed to the use of servers in Saudi Arabia, Estonia, Singapore and the United Arab Emirates, according to numerous analysts.
“It’s clearly organized and very much planned,” said Rita Katz, executive director of SITE Intelligence Group.
The domain enlisted for the misleading operation, officialproudboys.com, was recently dropped by a hosting company that uses Google Cloud services, according to Google Cloud spokesman Ted Ladd. Without a secure host, the domain stood vulnerable to exploitation, cybersecurity experts said. Voters using Comcast, Yahoo and Gmail accounts were affected.
In addition to reports from Florida and Alaska, a voter in Pennsylvania told The Washington Post she had received one such email, though she suspected it may have been linked to her previous registration in Alaska. The Pennsylvania attorney general’s office had not received reports about the messages, a spokesman, Mark Shade, said Wednesday.
Kristen Clarke, president and executive director of the national Lawyers’ Committee for Civil Rights Under Law, said her organization had received at least one report that a similar email had reached a voter in Arizona. The Arizona secretary of state’s office was looking into the matter, said a spokeswoman, Sophia Solis.
Clarke said her organization, after putting out a call on social media, had received 104 complaints of emails with the same pattern. One research group, Proofpoint, said its analysis showed one of the batches had nearly 1,500 emails.
Enrique Tarrio, the chairman of the Proud Boys and the Florida state director of Latinos for Trump, denied involvement, saying the group operates two sites and was increasingly migrating away from the domain used in the email campaign.
“Two weeks ago, I believe, we had Google Cloud services drop us from their platform, so then we initiated a URL transfer, which is still in process,” he said in an interview. “We kind of just never used it.”
Democrats in Alachua County, in north-central Florida, began receiving the threatening messages on Tuesday morning, said a spokesman for the sheriff’s office, Art Forgey. So, too, did voters in Alaska, said Casey Steinau, chair of the Alaska Democratic Party.
Even as the president sows doubt about mail balloting, federal law enforcement officials as well as election administrators have underscored the security of the process, which has been routine in some states for years. They also have warned about possible disinformation designed to create the appearance of fraud or to stoke fears of voter intimidation — which itself threatens to keep voters away from the polls.
Tarrio, determined to beat back the perception of involvement by the Proud Boys, said he had spoken to an FBI agent about the episode. Amanda Videll, a spokeswoman for the bureau in Jacksonville, Fla., declined to comment.
Bennett Ragan, campaign manager for a Democratic State House candidate in Gainesville, Fla., said he received two of the threatening messages on his Gmail account and knows of at least 10 other similar emails that had reached friends or associates. He said the home address cited in the emails he received could have come only from a Florida voters’ roll from 2018 because he has moved several times in recent years.
Ragan said he believed the purpose was to intimidate Democratic voters in a swing state with hotly contested races up and down the ballot on Nov. 3.
“When you have people who have a voter roll and then send off emails, they will make a big splash. They will scare people. That is without a doubt the intent,” he said.
The hosting service that previously carried the Proud Boys domain canceled the registration after Google Cloud notified the customer that a nonprofit group had raised concerns about the controversial organization, said Ladd, the Google Cloud spokesman.
Following the action from the hosting service, the domain appears to have been left unsecured, allowing anyone on the Internet to take control of it and use it to send out the menacing messages, said Trevor Davis, CEO of CounterAction, a Washington-based digital intelligence firm.
The lapse, which began on Oct. 8, “likely made them vulnerable to this kind of hijacking,” Davis said. “Bad actors are constantly scanning the Internet for opportunities. Given the public profile of the Proud Boys and the likelihood that whoever’s sending these emails has access to a voter file, this appears to be opportunism.”
An Internet Protocol (IP) address associated with metadata in at least one email had previously been reported, pointing to its likely use in scam or phishing operations, said Cindy Otis, a former CIA analyst and vice president of analysis for Alethea Group, an organization combating online threats and misinformation.
The Proud Boys rose to national prominence last month during the first presidential debate between Trump and his Democratic rival, Joe Biden, when the president passed up an invitation by moderator Chris Wallace of Fox News to denounce white supremacists. When Biden suggested that Trump denounce the Proud Boys, he said they should “stand back and stand by” — a comment that was widely celebrated on social media by the group as a call to action.
Memes circulated online with the words integrated into the Proud Boys logo. One doctored image showed Trump wearing one of the Proud Boys’ signature polo shirts. Another online poster used the moment to advertise T-shirts and hoodies bearing the group’s logo and the words “PROUD BOYS STANDING BY.”
The group’s leaders say they do not support white supremacy, but they had a contingent at 2017’s notorious Unite the Right rally in Charlottesville. The Proud Boys also have been frequent participants in the protests demonstrating against coronavirus shutdowns and, more recently, the protests in Portland, Ore. Facebook has banned the group as a hate group, and the Southern Poverty Law Center classifies it as a hate group and says its leaders “regularly spout white nationalist memes and maintain affiliations with known extremists.”