This is the mobile-friendly web version of the original article.

29 OCT 2020

Alert Number

ME-000138-TT

1. Summary
2. Technical Details
3. Best Practices for Network Security and Defense:
4. Reporting Notice
5. Administrative Note

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals. This FLASH was coordinated with DHS/CISA.

This FLASH has been released TLP:WHITE : Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

Indicators of Compromise Pertaining to Iranian Interference in the 2020 US Presidential Election

Summary

On 22 October 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (Alert AA20-296B) warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the US elections to sow discord among voters and undermine public confidence in the US electoral process. APT actors are creating fictitious media sites and spoofing legitimate media sites to spread anti-American propaganda and misinformation about voter suppression.

The Cybersecurity Advisory followed a joint press conference from the Director of National Intelligence (DNI) and FBI Director on election security, alerting the American public that Iran had taken specific actions to influence public opinion relating to the 2020 US Presidential Election.

The FBI is now providing a list of indicators of compromise (IOCs) pertaining to a threat group, assessed to be located in Iran, conducting operations aimed at influencing and interfering in the 2020 US Presidential Election.

Technical Details

The FBI is providing the below list of identified IP addresses previously used as part of an Iran-based campaign to conduct operations aimed at impacting the 2020 US Presidential Election, to include voter intimidation emails and dissemination of US election-related propaganda. The FBI has high confidence these IP addresses were used by the Iranian group on the corresponding dates. Please note many of these IP addresses likely correspond to Virtual Private Network (VPN) services which can be used by individuals all over the world. While this creates the potential for false positives, any activity on the below would likely warrant further investigation.

This group has been linked to efforts to disseminate a propaganda video concerning voter fraud and hacking of US voter information. The FBI advises this video is almost certainly intended to make US voter information and the voting process appear insecure and susceptible to fraud. The FBI advises that certain demonstrational activity in the video [e.g., a purported Structured Query Language (SQL) injection to obtain US voter information] may have been fabricated by the actors for psychological effect.

The video shows actors using the SQLmap tool. While the video alone does not necessarily validate whether the actors successfully conducted a SQL injection against US election infrastructure and/or obtained voter information, it should be assumed that this group is familiar with traditional TTPs such as SQL injection and other exploitation methods referenced in AA20-296B. While there is reason to doubt the veracity of the activity portrayed in the video, the FBI advises this group is likely capable of exploiting US Web sites with common vulnerabilities.

The below IOC list includes several Class C ranges (e.g., 212.102.45.X). This is based on the expectation that the group may have used, or may use in the future, IPs in those ranges based on known VPN service usage. Many VPN service IPs linked to the group are from the NordVPN service, and these IPs may not necessarily correspond to VPN services via IP address lookup services. The VPN service IPs may correspond to providers such as:

• Provider name variants including “CDN77”
• Provider name variants including “HQSERV”
• Provider name variants including “M247”

Best Practices for Network Security and Defense:

• Employ regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
• Establish, and backup offline, a “known good” version of the relevant server and a regular changemanagement policy to enable monitoring for alterations to servable content with a file integrity system.
• Employ user input validation to restrict local and remote file inclusion vulnerabilities.
• Implement a least-privileges policy on the Webserver to:
• Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts.
• Control creation and execution of files in particular directories.
• If not already present, consider deploying a demilitarized zone (DMZ) between the Web-facing systems and corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
• Ensure a secure configuration of Webservers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
• Use a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.
• Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero day attacks, it will highlight possible areas of concern
• Deploy a Web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by email at [email protected]. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s National Press Office at [email protected] or (202) 324-3691.

Administrative Note

This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

For comments or questions related to the content or dissemination of this product, contact CyWatch.